Advanced Persistent Threat (APT) Groups: What They Are and Where They Are Found

A collection of Flashpoint’s coverage of Advanced Persistent Threat groups and nation-state hackers.

October 27, 2022

What are Advanced Persistent Threats?

An Advanced Persistent Threat (APT) is a malicious actor who possesses extraordinary skill and resources—enabling them to infiltrate an organization’s network and exfiltrate its data. APTs use a variety of tactics, techniques, and tools, such as highly targeted social engineering attacks, ransomware, vulnerability exploits, and zero-days, to accomplish their illicit objectives.

While some threat actors work alone, multiple government authorities such as the Cybersecurity and Infrastructure Security Agency (CISA) have linked attacks to APT groups—some of which have ties to specific nation-states that use them to further their country’s interests.

How do Advanced Persistent Threat groups operate?

APT groups, including those sponsored by a nation-state, often aim to gain undetected access to a network and then remain silently persistent, establish a backdoor, and/or steal data, as opposed to causing visible damage. Once inside the target network, APTs use malware to achieve their objectives, which may include acquiring and exfiltrating data.

Where are APTs located?

Here is a collection of Flashpoint’s coverage of known APT groups and other state-sponsored hacking groups, sorted by country of suspected origin:

Russia: Fancy Bear, GRU, FSB, Conti, and more

Conti Ransomware: The History Behind One of the World’s Most Aggressive RaaS Groups

Led by Russian-based threat actors, the Conti ransomware variant was first observed in or around February 2020, and the collective quickly became one of the most active groups in the ransomware space.

Killnet: Inside the World’s Most Prominent Pro-Kremlin Hacktivist Collective

Killnet has established itself as a high-visibility force within the realm of digital warfare. Known as one of the most active and ambitious pro-Kremlin hacktivist groups, Killnet’s volatility has intensified since Russia’s invasion of Ukraine.


Killnet: Russian DDoS Group Claims Attack on US Congress Website

The Russian hacktivist DDoS group “Killnet” claimed responsibility for an attack on the US Congress website. At the start of Russia’s invasion of Ukraine, Killnet declared its allegiance to the Russian government, and it has since continued to threaten Western countries that support the Ukrainian military.

Killnet, Kaliningrad, and Lithuania’s Transport Standoff With Russia

Russian cyber collective Killnet took responsibility for DDoS attacks on the Lithuanian government and private institutions. Killnet has declared its allegiance to the Russian government in the Russia-Ukraine war.

Russia Is Cracking Down on Cybercrime. Here Are the Law Enforcement Bodies Leading the Way

Flashpoint found that the domains of multiple Russian-language illicit communities were seized by Department K, a division of the Ministry of Internal Affairs of the Russian Federation. Threat actors have long theorized that various cybercrime communities and groups have already been taken over by Russian law enforcement.

How Russia Is Isolating Its Own Cybercriminals

Russian cybercriminals have long dominated the threat landscape—aided by the Russian government, which usually turns a blind eye to their dealings as long as their attacks target organizations outside of the country.

Russian APT and Ransomware Groups: Vulnerabilities and Threat Actors Who Exploit Them

Long before the Russia-Ukraine war, Ukrainian officials believed that they had already experienced multiple cyberattacks led by Russian APT groups. Although Russia has not officially claimed responsibility, Britain’s cybersecurity agency, the NCSC, linked those attacks to Russia’s GRU military intelligence.

Assessing Threats to the Pyeongchang 2018 Winter Olympics

Olympic events have a long history of attracting cyber attacks, and Pyeongchang 2018 was no exception. In the weeks leading up to the event, the Russian APT group “Fancy Bear” leaked emails and documents from Olympic-related agencies regarding anti-doping violations in an attempt to inflict reputational damage on participating countries.

China: CISA advisories and ties to the Chinese People’s Liberation Army

Analysis of CISA’s Advisory on Top CVEs Exploited By Chinese State-Sponsored Groups

On October 6, 2022, CISA released a joint advisory detailing the top twenty vulnerabilities being used by known Chinese APT groups and state-sponsored threat actors. Although these vulnerabilities are mostly attributed to Chinese actors, Flashpoint assesses it highly likely that threat actors in other regions are exploiting them as well.

Hackers Are Still Exploiting Log4Shell Vulnerability, Warns CISA

CISA and the United States Coast Guard Cyber Command warned that nation-state hackers were still using the Log4Shell vulnerability to gain access to unpatched, internet-facing VMware Horizon and Unified Access Gateway servers.

China is Exploiting Network Providers and Devices, Says US Cybersecurity Advisory

CISA released an advisory detailing the CVEs and exploits commonly used by Chinese state-sponsored cyber actors. Many of the CVEs affect network devices.

‘Great Cyber Power’ China and Its Influence Across APAC: 2021 Analysis and Timeline

In 2021, the Chinese government reined in its domestic technology companies, aiming to become a great cyber power. Unsealed indictments describe Chinese nation-state actor activity, linking it to China’s civilian technology sector, where front companies are used to operate in the open.

China’s Hackers to Showcase Zero-Day Exploits at Tianfu Cup

The Chinese government forbade its country’s security researchers from competing in international hacking competitions, stating that the zero-day exploits of its citizens could “no longer be used strategically.”

Iran: MuddyWater and state-sponsored ransomware

Who’s Behind Iranian Cyber Threat Actor Group MuddyWater?

On January 12, 2022, US Cyber Command attributed the Iranian “MuddyWater” cyber threat group to Iran’s Ministry of Intelligence and Security (MOIS)—one of Iran’s premier intelligence organizations.

A Second Iranian State-Sponsored Ransomware Operation “Project Signal” Emerges

Flashpoint validated leaked documents indicating that Iran’s Islamic Revolutionary Guard Corps (IRGC) was operating a state-sponsored ransomware campaign through an Iranian contracting company.

Suspected Iranian Actors Pushing Domestic Extremists to Target US Politicians and Electoral Security Officials

Evidence suggests that a disturbing online campaign under the slogan “Enemies of the People” was actually an elaborate disinformation effort carried out by hostile Iranian cyber actors.

North Korea: Specialized training and the Guardians Of Peace

Targeted Attacks Against South Korean Entities May Have Been as Early as November 2017

South Korea’s Computer Emergency Response Team released a notice regarding an Adobe Flash vulnerability—at least one South Korean security researcher has stated that they observed North Korean threat actors exploiting it to target South Korean entities.

Threat Actor Groups of the Korean-language Underground

North Korea’s cyber capabilities have been closely overseen by the North Korean government—with Kim Jong Il establishing a system of educational institutions to provide specialized training in the STEM disciplines.

A Breakdown and Analysis of the December 2014 Sony Hack

On November 25, a group calling itself GOP, or The Guardians Of Peace, hacked its way into Sony Pictures, leaving the Sony network crippled for days. Several days later, North Korean threat actors were linked to the prolific data breach.

Track threat actor activity with Flashpoint

There are many more APT groups located throughout the world, but understanding their general tactics helps security teams protect their networks. Attackers use tried-and-true methods, linking together multiple techniques that can be replicated against most organizations. The Flashpoint Intelligence Platform contains detailed Finished Intelligence reports on many more known APT groups, as well as threat actor chatter. Sign up for a free trial today.