Understanding the distinction between APTs and other cyber threat actors

In the wild west cyber landscape, there are different kinds of threat actors, such as ransomware groups, hacktivists, and scammers.

However, among these are Advanced Persistent Threats (APTs), which have garnered significant attention due to their highly organized, sophisticated, and targeted nature. However, their notoriety often clouds the factors that make them unique and what separates them from the other threat actors.

APTs represent a sophisticated and long-term approach to cyber-attacks, typically orchestrated by well-resourced state-sponsored groups, criminal organizations, or hacktivist collectives. People often get confused with the idea that it's a group, but it's actually in a grey area between a group and a type of campaign or attack.

Consider a fictional, legally sanctioned military team named CatPeople as an example: CatPeople's commander has three major orders for the foreseeable future:

1.     Attack and disable an Iranian nuclear weapons facility's digital infrastructure.

2.     Monitor a Russian APT's actions

3.     Steal cryptocurrency from a list of bad actors.

These tasks may all fall under the responsibility of CatPeople's commander, but the public will likely never know that, or of the bulk of the work CatPeople do. We, non-APT individuals and researchers, can only attribute actions and tooling to APTs. As a result, unless a researcher observed similarities between operations, they could wrongly be identified as non-APT or coming from another APT. Furthermore, work completed by the same group does not mean that it is done by the same people internally or the same tooling.

APTs distinguish themselves through their primary objectives: maintaining long-term access to compromised systems, exfiltrating sensitive data, and often remaining undetected for extended periods.

Additionally, they employ multiple attack vectors, such as spear-phishing, zero-day exploits, and watering hole attacks, to compromise high-value targets, including government agencies, corporations, and critical infrastructure. Typically, their primary goal is to steal information rather than cause damage.

·       Advanced Techniques: APTs leverage advanced tools, zero-day vulnerabilities, and complex malware to breach defenses and establish persistent access.

·       Long-Term Focus: APTs aim to maintain a prolonged presence within the compromised network, enabling continuous data exfiltration, lateral movement, and further exploitation.

·       Specific Targets: APTs typically target high-profile entities, such as government organizations, military installations, research institutions, or multinational corporations, aiming to steal sensitive information or disrupt critical operations.

·       Coordinated Operations: APTs operate with significant resources, employing skilled hackers, intelligence analysts, and other specialized personnel, often backed by nation-states or powerful criminal syndicates.

There are a lot of names for APTs out there, like Fancy Bear, Lazarus Group, APT 41, and the Equation Group, to name a few, and sometimes we may see that researchers or organizations will each give the same APT a different name.

APTs are typically very secretive and don't like revealing their identities, so researchers rather focus on their tactics and techniques to try and classify them. For example, WithSecure researchers recently published a report on what was largely thought to be the handywork of the Lazarus group. The APT page of Wikipedia has a comprehensive list of known groups by country, which is in and of itself an indication of how APTs are grouped for public understanding.

In addition, it is more difficult to understand who is responsible when factoring in private organizations and cooperation agreements. Consider Stuxnet (the “first known cyberweapon”), for example. Although neither country has openly admitted responsibility, the worm is widely understood to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as "Operation Olympic Games".

Protecting a network or an organization from an APT requires a more holistic and proactive approach compared to dealing with other threats. It includes implementing strong security and monitoring controls. Activities that can help mitigate vulnerabilities to APTs include monitoring for suspicious activity, conducting regular security assessments, penetration testing and addressing known vulnerabilities. 

Organizations also need to have a clear incident response plan in place to quickly detect, contain and mitigate APT attacks. In contrast, dealing with other threats like ransomware, gangs, or hacktivists may require, e.g. more emphasis on preventative measures such as endpoint protection and secure backups. Lastly, APTs frequently take advantage of the human factor, finding weaknesses in the systems surrounding their targets. Therefore, education is the greatest preventative measure that can be taken on a mass scale to help to mitigate these APT threats.