Advanced Persistent Threat

from Wikipedia, the free encyclopedia

Advanced Persistent Threat (APT) is a term commonly used in the field of cyber threats (cyber attacks) for a complex, targeted and effective attack on the critical IT infrastructure and confidential data of public authorities and of large and medium-sized companies in all industries, which, because of their technological edge, are potential victims or can serve as a stepping stone toward such victims.

In the course of such an attack, the attackers proceed in a very targeted manner and, after the first intrusion into a computer, invest whatever effort is necessary to penetrate the victim's local IT infrastructure further. The aim of an APT is to remain able to act for as long as possible, in order to spy out sensitive information over an extended period (Internet espionage) or to cause damage in some other way. This is achieved in one of two ways: either a very aggressive spread that simply overwhelms the victim, or a particularly cautious approach that gives the victim very few concrete indications of the activity. A combination of both approaches is a special form.

It is typical of classic APT attacks that the perpetrators invest a great deal of time and manual work and prefer tools that are suited only to individual, specific tasks. Because of the high damage potential, detecting and analyzing these attacks is essential, but it is also very difficult: only the collection, analysis and correlation of security information from different sources can provide clues for detection.

APT attacks always serve a specific objective; for the party commissioning them, fulfilling the order must yield an acceptable benefit (e.g. financial gain). The techniques that result from this, which are needed to make the attacks scalable and economical, usually constitute the weak points on the basis of which the attack can be recognized and prevented.

Watering down the term

Originally, “APT” was used only as a cover name for a particular form of digital industrial or economic espionage. Today the term is used, for example by security software vendors, for any somewhat more advanced attack method.

A neutral alternative is the term “targeted attack” or “targeted spying attempt”. “Digital espionage” or “IT remote espionage” is rarely used.

Differentiation from conventional attacks

In contrast to conventional attacks using malware, in which the choice of victims is unrestricted, the attack is carried out only on a specific victim, or at least on a very limited number of victims. A large number of techniques and tactics are used instead of a single piece of malware. The functions used to make a profit in the typical malware of the criminal underground (manipulation of online banking, harvesting of access data for online shops, rendering data inaccessible as a basis for blackmail) are usually absent from the tools used in APT attacks. This is also reflected in the procedure: data that could be sold in underground trade is not collected by the perpetrators and is ignored. Instead of credentials for online shops, the perpetrators search for and collect credentials for other systems in the victim's network in order to expand their access and ultimately reach the data that corresponds to the procurement order.
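As an added illustration of the two points above (detection depends on correlating security information from more than one source, and APT operators expand access quietly by reaching further internal systems), not part of the original article: a small Python detector over constructed authentication log lines and a constructed per-account baseline of normal destination hosts. The log format, host and user names, and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data from two sources: a host authentication log and a
# per-account baseline of the hosts each account normally reaches.
AUTH_LOG = [
    "2024-03-01T09:00:00 user=alice src=ws-12 dst=fileshare-1 result=success",
    "2024-03-02T09:05:00 user=alice src=ws-12 dst=fileshare-1 result=success",
    "2024-03-04T22:10:00 user=alice src=ws-12 dst=db-3 result=success",
    "2024-03-09T23:40:00 user=alice src=ws-12 dst=build-7 result=success",
    "2024-03-12T03:00:00 user=alice src=ws-12 dst=hr-srv result=failure",
    "2024-03-15T01:15:00 user=alice src=ws-12 dst=hr-srv result=success",
    "2024-03-16T08:00:00 user=bob src=ws-20 dst=fileshare-1 result=success",
    "2024-03-17T08:30:00 user=bob src=ws-20 dst=print-2 result=success",
]
BASELINE = {"alice": {"fileshare-1"}, "bob": {"fileshare-1"}}


def parse_event(line):
    """Parse one 'timestamp key=value ...' line (constructed format)."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def flag_slow_spread(lines, baseline, window_days=30, min_new_hosts=3):
    """Flag accounts that reach min_new_hosts or more non-baseline hosts
    within window_days. Each single logon to an unfamiliar host looks
    harmless; only correlating them over time and against the baseline
    shows the spread. Returns {user: [new hosts in first-seen order]}."""
    first_seen = defaultdict(dict)  # user -> {dst: first successful logon}
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev.get("result") != "success":
            continue  # failed attempts are not counted as reached hosts
        if ev["dst"] in baseline.get(ev["user"], set()):
            continue  # known-good destination for this account
        first_seen[ev["user"]].setdefault(ev["dst"], ev["ts"])
    window = timedelta(days=window_days)
    flagged = {}
    for user, hosts in first_seen.items():
        ordered = sorted(hosts.items(), key=lambda kv: kv[1])
        for i, (_, start) in enumerate(ordered):
            # sliding window anchored at each new host's first-seen time
            span = [d for d, t in ordered[i:] if t - start <= window]
            if len(span) >= min_new_hosts:
                flagged[user] = span
                break
    return flagged
```

With the sample data, only alice is flagged: three unfamiliar hosts within eleven days, while bob's single new host stays below the threshold.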

In particular, the victim is reconnoitred before the intended attack and the malware used for the attack is adapted as closely as possible to its intended use, which is not done in conventional attacks. The fact that modern IT networks, regardless of their purpose, are extremely similar in the technologies used and in how they are operated and maintained considerably reduces the reconnaissance effort. Many APT groups have long periods of time, typically years, in which to apply techniques that have proved successful in attacking a few targets.

Other infection vectors include, for example, infected media and social engineering. Individuals, such as lone hackers, are generally not referred to as APTs, since they rarely have the greater resources and the necessary techniques.

In some cases, APT attacks could be traced back to organizations that operate very much like “conventional” IT service providers. Software developers write the required malware or any other required programs; there are specialists for individual platforms (Windows, Linux), who in turn train the workers who carry out the day-to-day business. Administrators maintain the Internet infrastructure that the company needs for its attacks; beyond the usual requirement of fault tolerance, there is only one further requirement, namely that there be no connection to the company that third parties can easily trace. In order to pay salaries and keep in contact with the respective clients, the company in turn needs people to take care of these administrative tasks, and so on. Outsourcing is also used: for example, malware is bought from suitable distributors so that the “company” can concentrate exclusively on fulfilling orders or obtaining information.

Definitions

Advanced

Distinguishes an APT from conventional attacks with malware aimed at an indefinite, non-specific number of victims. An APT, by contrast, is directed at particular, selected victims, persons or institutions, using advanced technology and tactics.

Persistent (lasting)

Distinguishes an APT from conventional attacks, which are limited to smuggling the malware onto a single computer. An APT, by contrast, uses the first infected computer only as a stepping stone into the local network of the affected IT structure, until the main target, e.g. a computer holding research data, is reached for prolonged spying or sabotage.

Threat

Self-explanatory: an APT poses a threat to the compromised systems.

Group designation

In connection with specific attacks, the suspected attackers are grouped by procedure or suspected origin and given an APT designation for later reference. So far, the following have come to public attention:

  • APT1: according to a report published in 2013 by the American security company Mandiant, attacks on the USA and other English-speaking countries have been carried out by the alleged Chinese espionage unit APT1 since 2006.
  • APT10 launched a series of attacks on selected targets in the UK in early 2017 and is attributed to the People's Republic of China.
  • APT28, a group also known as Fancy Bear or Sofacy Group, which is attributed to the Russian Federation and is said to be responsible, among other things, for hacker attacks on the German Bundestag, the DNC, and various targets connected with the war in Ukraine.
  • APT29, a group also known as Cozy Bear, which is attributed to the Russian Federation and which, among other things, broke into the computer system of the DNC in the run-up to the 2016 American presidential election and is said to have leaked the captured material to Wikileaks.
  • APT34, a 2018/2019 operation initially attributed to Iran according to GCHQ and NSA assessments. Its software and technical infrastructure were later taken over by hackers of the Turla group, which is attributed to the FSB of the Russian Federation. The Turla operation was able to steal data from systems that the Iranians had previously infected with spyware. In addition, Turla's own software was modeled on the Iranian software in order to conceal its origin.
