While most actions by governments around the world are fairly benevolent, or at the very least well intentioned, there is a much darker side to some officially sanctioned activities. For most nation states, covert advanced persistent threat (APT) groups are an equally valuable tool that operate in the shadows, stealing data, disrupting operations, or destroying the infrastructure of targeted enemies.
According to Netscout's most recent Threat Intelligence Report, these groups are on the rise. The ATLAS Security Engineering & Response Team (ASERT), an elite group of engineers and researchers who represent the best in information security, has been actively tracking approximately 35 APT groups worldwide. What they have found is that activity from these groups is accelerating: the groups continually add new facets of cyber espionage to their toolkits, adopting new methods and targeting new victims.
While major APT group sponsors, such as the governments of China, Russia, Iran, and North Korea garner the most attention, many other countries sponsor their own groups. ASERT is aware of approximately 163 groups across 29 countries.
What Are APT Groups Trying to Accomplish?
“When it comes to state sponsored cyberattacks, these efforts are typically driven by the strategic needs of that particular government,” explained Jill Sopko, a senior security researcher on ASERT. “It’s important to remember that in many of the countries where these groups operate, the government, economy and religious institutions are not necessarily separate entities. Centralized leadership may be subject to far less scrutiny or accountability, which leaves them free to employ any tools available to pursue national objectives.”
The goals of APT groups vary widely but fall into a broad set of buckets. Attacks may include:
- Geopolitical interests – Governments with concerns involving neighboring countries commonly use APT groups to monitor and/or infiltrate nearby nations in order to gain intelligence around economic or military activities, intentions, or strategies.
- Intellectual property theft – Attacks by APT groups often have the primary objective of stealing intellectual property to help advance the economic or military goals of the host nation. Stealing proprietary technology can save billions of dollars in research and development costs, giving the offending country a competitive advantage in the marketplace or helping to close a gap in military preparedness. By stealing another country’s or business’s confidential communications, the APT group can give its government an upper hand in negotiations, or in a merger or acquisition conversation.
- Disinformation campaigns – As evidenced by recent interference in free elections across the world, APT groups are increasingly using cyber activities as a tool to sow disinformation to influence the voting population in targeted nations. This is generally done to sway voters in favor of a candidate who would be less adversarial and more ideologically aligned with the cause of the host nation.
- Disruption and destruction – APT groups may also engage in destructive acts such as actively taking out communication systems, industrial control systems, and public utilities. These can also include economically motivated attacks. Some nation states hope that simply demonstrating the power to wreak havoc on another nation will be a sufficient threat to deter actions by an enemy or rival.
Global Vigilance is Increasing
“The good news is that from a global perspective, visibility into these APT groups is getting better,” concluded Sopko. “Due to greater cooperation of data ops worldwide, we are seeing the entire spectrum of APT activity. And as a result, countries and businesses are taking these security threats far more seriously. We are seeing more and more organizations looking at supply chain risk and that’s a win for the good guys.”
While threats are on the rise, so too is the work to track and identify them. The infosec community is coming together to share observed tactics, techniques, and procedures (TTPs), increasing the collective body of knowledge. This kind of threat intelligence sharing and cooperation will be imperative in order to mitigate the growing threats.
David Pitlik is a long-time technology and business writer and frequent contributor to NETSCOUT’s blog.