At FireEye, we’ve studied advanced persistent threat (APT) groups for fifteen years and published our annual M-Trends report for 10 of those now. In M-Trends, we have covered a variety of topics including attacker dwell times, attack trends, and offensive and defensive trends. Of all the industry measures, our global median dwell time statistic is one of the most anticipated. The dwell time statistic is important because it reflects the speed at which attacks within victim environments are identified. Swift identification of an attacker’s presence is critical to preventing an attacker for accomplishing their mission, whether it be data theft, disruption, or something else. Swift identification also reduces the cost of an investigation by contributing to reduce scope and breadth of attacker activity. The median global dwell time for the period from October 1, 2017, to September 30, 2018, continued its year over year decline reaching an all-time low of 78 days. This reduction in dwell time is evidence that organizations are continuing to improve their detection capabilities. That said, having an attacker in an environment for more than two months means there is room for improvement.
APT groups are typically those threat actors who receive direction and support from nation states, with objectives that traditionally include data theft, reconnaissance, disruption or destruction. These groups operate very similarly to other threat actors such as cyber criminals, but they are distinct in that they tend to adapt to defenses and may maintain a presence on systems for months or even years.
In an age where data breaches and ransomware attacks make up the bulk of cyber coverage by major media, advanced persistent threats fall under the radar more than they should. That doesn’t mean that APT groups are forgotten, however. Far from it.
In 2018, FireEye promoted four threat groups to APT groups. In order to avoid complex naming mechanics and confusion, we simply refer to these groups as: APT37, APT38, APT39 and APT40. More extensive details on these groups can be found in our 2019 Mandiant M-Trends report, released today. Here is an abridged summary.
APT40 is a China-nexus espionage actor and the latest group to be promoted to APT – in fact, we just released the details today – the first full day of RSA Conference 2019. APT40 has operated in support of China’s overall defense and naval modernization effort since at least January 2013, targeting verticals including the maritime, aviation, engineering, chemical, R&D, government and technology industries.
Operating since at least late-2014, APT39 is an Iranian espionage group that has primarily targeted the telecommunications sector. Other targets include the travel industry and supporting IT firms, and also the high-tech industry. This targeting suggests intent to perform monitoring, tracking or surveillance operations against specific individuals, to collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or to create additional accesses and vectors to facilitate future campaigns.
APT37 and APT38 are both believed to be operating in support of North Korea, however they are not necessarily connected to each other. We assess APT37 has been carrying out covert intelligence gathering in support of North Korea's strategic military, political and economic interests since at least 2012. Meanwhile, APT38 is a financially motivated group linked to North Korean cyber espionage operators that has attempted to steal hundreds of millions of dollars from financial institutions since 2015.
Sophisticated actors operating to further a nation’s interests will never go away. This is why advanced persistent threats will continue to be something we discuss in some way, shape or form in every M-Trends report. As threat actors continue to evolve and change, we expect that other nations will follow suit, potentially ushering in a new age of cyber operations.
Contributor: FireEye, Inc