Class of 2018 Advanced Persistent Threat (APT) Round-Up


Class of 2018 Advanced Persistent Threat (APT) Round-Up: Detect ‘19 Series

RORY GOULD: Thank you, everybody, for coming on.

I know it wasn't particularly easy, given it's early after the party last night.

So I do appreciate that.

But anyway, my name's Rory.

I'm a threat research analyst with Anomali.

And I'm here, really, to give a yearly roundup of APT activity through 2018.

It won't be too heavy, high level.

So don't worry.

It's all good.

A little background about me.

My name is Rory.

Threat research analyst [INAUDIBLE] on my research team, sort of specialize in OSINT and HUMINT, is what I prefer to do.

And background is sort of security, counterterrorism, counter-extremism, and political science.

But anyway, moving forward, here are the attack motivations from 2017 versus 2018.

Sort of laid out.

If you guys can't see them at the back, it's cybercrime, cyber espionage, hacktivism, followed by cyber warfare.

You can see across the two years that the motivation remain broadly the same-- the same positions as well.

Charting in the same positions, that is rather-- but they do change in values.

There is an increase of around 4 and 1/2 percent to cybercrime, at the expense of the other three.

So jumping from 77 to But what's probably more noticeable is-- how do I do this point thing?


There was a 41% increase in events across the two years.

I mean, it's almost doubling of events.

But these maybe aren't rock solid numbers because they only count what's being detected.

They're not counting what nobody saw or what nobody noticed or what is still in people's systems that they haven't noticed.

So it's similar to the stats of reported crimes.

But it doesn't give an indication of increased activity at the very least anyway.

Moving on, attack by type.

This is across Obviously, malware, it was number one.

Not really a massive surprise because that is kind of what APTs are known for.

The social network bots did surprise me, though, that it came out quite low at 0.8%.

So it'll be interesting to see if that changes next year, given it's the US election year and the insinuations of the previous election.

So it is worth noting, though, that these attack vectors do all sort of feed into each other.

Malware will lead into account jacking.

Account jacking will lead into DDoS, et cetera, et cetera.

But I have to thank Paolo from HACKMAGEDDON because he was able to get these good statistics.

Also moving into distribution of targets, this one's really awkward to read, which I apologize.

Individuals came out number one, then followed by sort of industries, public, men defense, social security.

They were the top three.

So individuals were the top by a wide margin.

Maybe not the most valuable targets in and of themselves, but I suppose quantity is a quality in and of itself.

Individuals don't require specific targeting.

It's almost like a cast-a-wide-net-and-see-what-gets-caught kind of idea, which would be in line with the aims of financial gain being the largest motivator.

More important targets, such as infrastructure, are less targeted, which are arguably more valuable and have massive potential to be destructive.

But then, this would correlate with the previous assertion that cyber warfare was given a lower priority than financial gain, as it came number-- I mean, it came number four.

So it really was very low priority.

And given that there've been no-- not many, rather, overt attempts to seriously disrupt infrastructure, they could be seen as attempts to probe for possible future exploitation as opposed to current.

But we'll move forward, give a brief overview of APT activity by each country.

Going first for North Korea.

Much like the regime itself, North Korea's offensive operations tend to be wildly unpredictable.

They cast a very wide net, including, but are not limited to, espionage, destructive attacks, and bank costs.

Favorite North Korean targets include South Korea, US, Japan, Vietnam, Middle East, government entities, cryptocurrency, banks, academics, corporations, media, and enemies to the people-- so, really, anyone and everything.

As far as their capabilities, North Korean capabilities appear to be very well-developed and very well invested in.

The Southern intelligence agency would allege that there might be around 6,000 cyber soldiers and three government bureaus actively involved in what we'll call cyber operations: the State Security Department, which will oversee the internal monitoring.

It is likely that a lot of these APTs were developed and first tried out on the internal population, which is why they work so well.

The reconnaissance general bureau, also known as Unit 586, is allegedly responsible for Hidden Cobra Lazarus.

Although that might also be Bureau 121, so it all gets very confusing, and the attribution becomes a total mess because it's APTs.

But anyway, the final government department is the third floor, also known as Office 39, which is believed to begin to branch into APT activity for financial gain.

It used to be more of a traditional money laundering entity.

So they're getting with the times.

Perhaps unsurprising, given that the big returns that can come from this kind of activity.

As far as the North Koreans are concerned, they've been left with no option due to the sanctions.

So it's only right.

Legal sanctions were worth noting, obviously, from North Korea for this year because it's the geopolitical implications for it.

The US indicted Pak Jin Hyok, this guy over here, for participating in the Sony attacks, the WannaCry attacks, and attacking the Bank of Bangladesh.

On February 23rd, the US issued further sanctions against the DPRK, focusing on ships, actually, that are used to transport and basically layer money across with China.

And then the US, later in the year, further sanctioned three DPRK government officials who contributed to the country's censorship activities.

This is a map of geopolitical events tagged in blue and North Korean APT activity highlighted in red.

There weren't too many lining up this year.

Might it possibly be because a lot of the geopolitical events were inter-Korean summits and summits, obviously, with the United States for the first time.

So the North Koreans didn't want to make too much of a mess, arguably.

Donald Trump meeting doesn't come around too often, so they didn't want to rock the boat too much.

So they didn't target the US.

They didn't really target the west.

They obviously still continue to target South Korea heavily because they don't really care.

They're happy to do that.

The other, probably, more noteworthy attack was, obviously, during the Winter Olympics that were held in South Korea that year-- the Olympic Destroyer attack.

Was it North Korea?

No, probably not.

But importantly, it was made to look like North Korea.

But I'll get into that a bit later, actually.

APT 37 did target an Olympic funding manager using shutter speed malware.

But I don't think that really-- that doesn't really come into play compared to Olympic Destroyer.

Moving on to China, China had a very busy year.

Arguably one of the more prolific due to the methods that have been, again, tested on its own populace.

So they've had years of experience testing APT sort of methodology and TTPs.

China continues its expansion of intrusion activity with the re-emergence of several dormant espionage teams, maybe APT 10, APT 20, that have been very quiet for years.

So they've decided to sort of reorganize and come back in a big way.

Arguably, this is possibly due to the restraint that characterized the Obama years-- fairly good relationship.

That's kind of over now.

Everything's moving away from that.

And the Chinese APTs have begun to actively target Western entities again with larger and more complex and extensive campaigns.

The campaigns tend to particularly straddle the line between strategic military and financially motivated.

Belt and Road Initiative-- arguably one of the largest drivers for APT activity for China across 2018.

If you don't know, it's a multitrillion dollar multinational project.

And it's a major catalyst for China's economic activity.

Essentially, they're building roads all over Europe, Africa, and Asia to connect for whatever motivations.

I suppose the more important thing to note about it is that there may be economic reasons for it, but it's almost more of a national pride venture, national security as well.

But it's pride for China to be able to build this kind of infrastructure and bring it all over the world despite accusations of neo-colonialism from the rest of the world and countries actively dropping out of it.

But because it's so important, China does not want to and will refuse to lose face over it.

So they began to actively target other countries that may be-- like Vietnam-- that haven't made it too easy for them.

Or they're targeting Western infrastructure companies, building companies, technology companies for anything that could be relevant to this, stealing intellectual property, which will then appear in China very shortly.

APT 40, actually, specifically appeared to have been tasked with collecting business intelligence to further their ability to build out this road.

Another important thing that the Chinese APT did this year was they began to realign and reorganize themselves and shifting to specific targeting.

APT 15, for example, began to shift towards social media.

It allowed for an adjustment of malware and TTPs.

And according to some sources, individual actors actually reorganized themselves and deployed into new operational teams or were reassigned due to internal restructuring.

That was according to [INAUDIBLE].

I do have to have to say.

But there was, in general, a move away from intellectual property theft and more towards strategic-- espionage schemes in an attempt to support intelligence building and their wider geopolitical goals.

There was a significant ramp up of activity across 2018, though.

Another big one, Russia's APT groups.

They've made significant advances in the past few years from quiet beginnings to hyper aggressive campaigns that will target anyone and anything.

The list is incredibly extensive.

Russian APTs have always been deployed to support the nation's larger offensive and defensive aims, particularly geopolitical and strategic military.

They like to focus on political turmoil in Eastern Europe, NATO, and Ukrainian matters in the past few years.

So Russia's favorite targets are always defense, energy, foreign affairs, government, law enforcement, media, NATO, and Winter Olympics?

Question mark.

Russia's always preferred to cast an increasingly-- I'm sorry-- Russia prefers to cast an increasingly wide net.

They'd like to target as much as they can, as many as they can, wherever the hell they can.

Unsurprisingly, Ukraine this year proved to be a very popular target.

This is used to augment Russia's own activity in the Crimea during that time.

Sandworm, in particular, was used to target several verticals to make this easier.

But these attacks ramped up in the latter part of the year.

Interestingly, the first half was very quiet.

But then around sort of the second quarter or starting at the second quarter-- around the second half of the year, maybe June, July, August, there was a big push in Ukraine and Poland, which kind of signaled a larger push in Ukraine militarily at the same time.

Another one for that year was the targeting of the Winter Olympics again.

There's some speculation, maybe it was Russia.

But I will discuss this a bit more later.

But Russians were accused because, obviously, they were not allowed to participate-- no national flag, maybe only a few members.

So maybe it would have been in their interests to do it.

There was an increase of destructive attacks by Russia, however, which was not something that had been seen previously.

Due to political considerations, the Sergei Skripal poisoning in the UK.

As soon as this was announced, APT 28 had begun targeting a UK anti-doping agency, trying to access drug testing data.

And also the Ministry of Foreign Affairs in the UK was targeted by Sofacy.

Another event, Olympics, I've just mentioned.

APT 28 targeted emails from the Olympic committee.

They targeted the US Olympic committee through third-party emails-- spearphishing, of course.

NATO was targeted by GameFish, specifically Romanian diplomats.

There were a few other entities.

But the main one was Romanian diplomats.

The APT 29 also targeted the State Department and a few other US entities.

Ukraine was targeted by VPNFilter and infected half a million voters globally.

But there was a significant increase in Ukraine.

It would make you wonder if the global infection was to sort of cover what was going on.

But there was a much, much, much higher density in Ukraine.

Around this time, the US also indicted 12 GRU intelligence officers who were compromising information-- sorry, he had allegedly compromised information during the democratic election two years previously.

So it was a wrong slide that shouldn't have been in there.

However, another one, Iran continues to leverage cyber espionage propaganda and attacks to support its security priorities, influence events, and foreign-- maybe most importantly, foreign perceptions.

And then their view-- this is also to counter threats from the United States in the region-- Saudi Arabia, Israel.

Iran has also used its capabilities directly against the United States rather brazenly.

Fast development of Iran's cyber capabilities has meant that a number of organizations actually have been created or have been developed or sort of fell into the cyber work or the various subdivisions.

And their activity is carried out on behalf of the Supreme leader, the Supreme National Security Council.

The most prominent of these intelligence services would appear to be the Ministry of Intelligence and Security, which also works very closely with the revolutionary guards who are allegedly heavily involved in APT work.

Targeting, again-- I mean, it's the same for any APTs.

They will target, generally, whatever and whoever they can.

But they do prefer to target Iranian critics at home and abroad, corporations, NGOs, universities, academic institutions, intellectual property theft, Western countries heavily involved with NATO-- Germany, Israel, Saudi Arabia, Middle Eastern countries.

They do have a very large focus or regional focus on the Middle East and will hit all major sectors, which was a figure of speech until last week.

Again, geopolitical in the blue and the green are the targets.

It doesn't really appear to match up too much.

However, I think we're [INAUDIBLE].
As soon as the Iranian currency hit the lowest, the campaigns began to start all over again once the US placed more sanctions on Iran.

There was a new [INAUDIBLE] campaign that began.

Yes, sorry, it was after-- after the US dropped out of the nuclear agreement, that's when the currency hit, which is when the attacks started happening over again.

The US government is actually taking more of a name-and-shame approach against Iranian entities than it had previously.

And, perhaps, in contrast maybe to the Chinese and the Russians, it indicted four Iranians-- it indicted four Iranians during September 2018 for hacking into American organizations, which doesn't always happen.

But I do think it's important to talk about Olympic Destroyer, which I keep mentioning, because it was a very important attack.

And it highlights, really, why attribution is becoming so increasingly difficult, especially in the APT world.

It is so murky.

But I'm assuming everybody knows what happened in the Olympic Destroyer.

It was during the Winter Olympics in Pyeongchang in South Korea during 2018.

Before the event, the servers were attacked, the official website was taken down, and the Wi-Fi at the stadium was affected as well.

It appeared to be a network worm.

There were three domains that were used as launch pads, which subsequently pushed the malware out through the Windows Network shares.

Suspicion immediately fell on North Korea.

Because why wouldn't it?

It's a South Korean event.

It's global.

It's public.

It would make them look like trash.

So everybody starts thinking, oh, North Koreans at it again.

But then it was the Kaspersky Labs, I believe, they began to dissect the malware itself and find, hold on.

There were some very key identifying factors that they found within the code.

So as they looked deeper into the code, there were so many inconsistencies.

And it began to look like a false flag, funnily enough.

So suspicion immediately then fell to the Russians because the code basically matched some Sofacy code that had been found in previous malware and also given that the Russians were stupid-- it doesn't matter.

Basically the suspicion began to then fall to the Russians who, as I said, weren't allowed to compete.

And it did begin to match their-- suspicions obviously began to follow the Russians.

Only a few athletes allowed to compete.

It makes them look bad.

It makes them look a bit silly.

However, there was even more code overlap with the Chinese affiliated groups-- APT 3, APT 10, APT 12.

So does anybody really know who did it?

Not really so much.

I mean, adversaries are becoming increasingly invested.

And they're realizing how important it is to put effort into mimicking other countries and also APT or other APT groups.

So it's undoubtedly the case that these false flag sort of hostile attacks will continue to rise and probably cause larger scale geopolitical issues amongst everybody involved.

But yeah, that's basically my APT roundup of 2018.

Thank you very much, everybody, for sitting through.

About Detect LIVE

We believe that threat intelligence holds the promise of allowing organizations to better manage risk and develop resilience. Detect LIVE, brought to you by Anomali, is a virtual event series that provides a platform for security executives, practitioners, and researchers to share insights and experiences related to threat visibility, detection, and response.