A lot of cyber security discussion lately is centred around the actions and identities of a range of Advanced Persistent Threats (APTs). You may have found yourself wondering just what these threats are, what differentiates them from the more bogstandard kinds of threat that you are used to and who they pose the most risk to.
As the name may suggest, the key elements that differentiate an APT from a regular cyber attacker are the level of technical ability, financial backing and the duration of an attack. If a regular cyber attack is akin to a smash-and-grab mugging, an APT attack is more like something out of Mission: Impossible. The term itself was seemingly introduced in 2006 by the US Air Force, and potentially the most famous example of an APT is the Stuxnet worm that attacked Iranian nuclear centrifuges in 2010, and which was attributed to the US and Israel.
This attribution provides another insight into the danger posed by an APT. Many, although not all, APTs are believed to be backed by nation states—usually China, Russia, Iran, the US or North Korea—and so may have access to the full weight of those countries’ state security apparatus, or at the very least near-limitless funding. This affiliation is sometimes reflected in the APT’s chosen targets or their behaviour. For example, the location of the group FireEye call APT28 has been narrowed down to Russia through analysis of compile timestamps on their malware, which all fell within working hours consistent with a Russian time zone.
One aspect of APT research that can add to confusion is the use of multiple different naming conventions for them. For example, FireEye calls each group it identifies ‘APT’, with a number after it, whilst CrowdStrike use names like Fancy Bear and Deep Panda. There are a number of reasons for this lack of standardisation, most crucial of which is that the APT groups themselves (and the governments that are believed to back them) are unlikely to contact the threat researchers to clarify their operational setup. As such, a lot of classification is done through educated guesswork, often based off of analysis of different networks—think of the parable of the three blind men feeling different parts of an elephant and describing entirely different animals.
Okay, after all this you might be thinking one of two things. Either you are wondering how you can possibly protect yourself against these powerful, nation-state-backed threat actors, or you’re feeling a lot less concerned—why would China possibly bother attacking you? If you fall into the first camp, the answer is that, if you fall within the crosshairs of a truly determined attacker of this level of technical ability, you probably can’t protect yourself. What you can do is make sure you have the means to log any intrusion for later analysis (your own government may have an interest in this) and the means to recover rapidly. Also, insurance. If you’re in the latter camp, then we’ve covered why this can still affect you previously.