Advanced persistent threat explained
An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.[1] [2] In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.[3]
Such threat actors' motivations are typically political or economic.[4] Every major business sector has recorded instances of cyberattacks by advanced actors with specific goals, whether to steal, spy, or disrupt. These targeted sectors include government, defense, financial services, legal services, industrial, telecoms, consumer goods and many more.[5] [6] [7] Some groups utilize traditional espionage vectors, including social engineering, human intelligence and infiltration to gain access to a physical location to enable network attacks. The purpose of these attacks is to install custom malware (malicious software).[8]
APT attacks on mobile devices have also become a legitimate concern, since attackers are able to penetrate into cloud and mobile infrastructure to eavesdrop, steal, and tamper with data.[9]
The median "dwell time", the time an APT intrusion goes undetected, differs widely between regions. FireEye reported the median dwell time for 2018 in the Americas as 71 days, in EMEA as 177 days, and in APAC as 204 days.[5] Such a long dwell time gives attackers a significant amount of time to go through the attack cycle, propagate, and achieve their objectives.
Definition
Definitions of precisely what an APT is vary, but the three words of the term can each be summarized as follows:
- Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include commercial and open source computer intrusion technologies and techniques, but may also extend to include the intelligence apparatus of a state. While individual components of the attack may not be considered particularly "advanced" (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from "less advanced" threats.[10] [11]
- Persistent – Operators have specific objectives, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates; in fact, a "low-and-slow" approach is usually more successful. If operators lose access to their target, they usually reattempt access, and most often succeed. One of the operator's goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task.[12]
- Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded. Actors are not limited to state sponsored groups.
History and targets
Warnings against targeted, socially-engineered emails dropping trojans to exfiltrate sensitive information were published by UK and US CERT organisations in 2005. This method was used throughout the early 1990s and does not in itself constitute an APT. The term "advanced persistent threat" has been cited as originating from the United States Air Force in 2006[13] with Colonel Greg Rattray cited as the individual who coined the term.[14]
The Stuxnet computer worm, which targeted the industrial control systems (programmable logic controllers) used in Iran's nuclear program, is one example of an APT attack. In this case, the Iranian government might consider the Stuxnet creators to be an advanced persistent threat.[15]
Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated computer network exploitation aimed at governments, companies, and political activists, and by extension, also to ascribe the A, P and T attributes to the groups behind these attacks.[16] The term may be shifting toward computer-based intrusions specifically, because of the rising number of such incidents: PC World reported an 81 percent increase in particularly advanced targeted computer attacks from 2010 to 2011.[17]
Actors in many countries have used cyberspace as a means to gather intelligence on individuals and groups of individuals of interest.[18] [19] [20] The United States Cyber Command is tasked with coordinating the US military's offensive and defensive cyber operations.[21]
Numerous sources have alleged that some APT groups are affiliated with, or are agents of, governments of sovereign states.[22] [23] [24] Businesses holding a large quantity of personally identifiable information are at high risk of being targeted by advanced persistent threats, including:[25]
A Bell Canada study provided deep research into the anatomy of APTs and uncovered widespread presence in Canadian government and critical infrastructure. Attribution was established to Chinese and Russian actors.[28]
Life cycle
Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation[29] by following a continuous process or kill chain:
- Target specific organizations for a singular objective
- Attempt to gain a foothold in the environment (common tactics include spear phishing emails)
- Use the compromised systems as access into the target network
- Deploy additional tools that help fulfill the attack objective
- Cover tracks to maintain access for future initiatives
The global landscape of APTs from all sources is sometimes referred to in the singular as "the" APT, as is the actor behind a specific incident or series of incidents, but the definition of APT includes both the actor and the method.[30]
In 2013, Mandiant presented the results of its research on alleged Chinese attacks using APT methods between 2004 and 2013,[31] which followed a similar lifecycle:
- Initial compromise – performed through social engineering and spear phishing over email, using zero-day exploits. Another popular infection method was planting malware on a website that the victim's employees were likely to visit (a watering-hole attack).[32]
- Establish foothold – plant remote administration software in the victim's network and create network backdoors and tunnels allowing stealthy access to its infrastructure.
- Escalate privileges – use exploits and password cracking to acquire administrator privileges over the victim's computers, and possibly expand these to Windows domain administrator accounts.
- Internal reconnaissance – collect information on the surrounding infrastructure, trust relationships and Windows domain structure.
- Move laterally – expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.
- Maintain presence – ensure continued control over the access channels and credentials acquired in previous steps.
- Complete mission – exfiltrate stolen data from the victim's network.
In the incidents analysed by Mandiant, the average period over which the attackers controlled a victim's network was one year, with the longest being almost five years. The infiltrations were allegedly performed by the Shanghai-based Unit 61398 of the People's Liberation Army. Chinese officials have denied any involvement in these attacks.[33]
Earlier reports from the SecDev Group had also discovered and implicated Chinese actors.[34]
Mitigation strategies
There are tens of millions of malware variations,[35] which makes it extremely challenging to protect organizations from APTs. While APT activities are stealthy and hard to detect, the command-and-control network traffic associated with APTs can be detected at the network layer with sophisticated methods. Deep log analysis and correlation of logs from various sources are of limited usefulness in detecting APT activity, because it is challenging to separate noise from legitimate traffic. Traditional security technology and methods have been ineffective in detecting or mitigating APTs.[36] Active cyber defense has yielded greater efficacy in detecting and prosecuting APTs (find, fix, finish) when cyber threat intelligence is applied to hunting and adversary-pursuit activities.[37] [38] Human-introduced cyber vulnerabilities (HICV) are a weak link that is neither well understood nor mitigated, and they constitute a significant attack vector.[39]
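The following is an added example, not code from the original article or from any vendor named in it, of the network-layer command-and-control detection the paragraph describes. It scores each (source, destination, port) flow for periodic callbacks, the "beaconing" pattern implants use to poll their controller, over constructed Zeek-style five-field connection records (timestamp, source, destination, destination port, bytes sent). The record format, the 0.25 jitter threshold, the minimum of eight connections and the NTP allowlist are assumptions chosen for illustration; the sample log is generated inside the script and is not real traffic.

```python
"""Beacon (C2 callback) detection over constructed connection-log lines.

Added example: scores each (src, dst, dport) flow for periodicity.  Real
implants add jitter, so the score tolerates some variance; legitimate
periodic traffic (NTP, update checks) scores just as high, which is the
noise-versus-signal problem the text describes.  All records are constructed.
"""
import random
import statistics
from collections import defaultdict


def build_sample_log(seed=1):
    """Constructed sample: three flows from one host over roughly two hours,
    as whitespace-separated 'ts src dst dport orig_bytes' records (assumed format)."""
    rng = random.Random(seed)
    lines = []
    t0 = 1700000000.0
    # 1) implant beaconing to a C2 every 300 s with +/-10 % jitter, near-constant size
    t = t0
    for _ in range(24):
        t += 300 * rng.uniform(0.9, 1.1)
        lines.append(f"{t:.3f} 10.0.0.5 203.0.113.7 443 {rng.randint(600, 640)}")
    # 2) the same host browsing a site: bursty, human-driven intervals and sizes
    t = t0
    for _ in range(40):
        t += rng.expovariate(1 / 180)
        lines.append(f"{t:.3f} 10.0.0.5 198.51.100.20 443 {rng.randint(200, 50000)}")
    # 3) a legitimate NTP poll every 64 s exactly: periodic, so it looks like a beacon
    t = t0
    for _ in range(100):
        t += 64
        lines.append(f"{t:.3f} 10.0.0.5 192.0.2.1 123 48")
    rng.shuffle(lines)  # real logs are interleaved, not grouped per flow
    return lines


def parse_conn_lines(lines):
    """Group (timestamp, bytes) records by (src, dst, dport), sorted by time."""
    flows = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of crashing on them
        ts, src, dst, dport, nbytes = parts
        flows[(src, dst, int(dport))].append((float(ts), int(nbytes)))
    for recs in flows.values():
        recs.sort()
    return flows


def beacon_score(records):
    """Return (count, median_interval_s, interval_cv, size_cv) for one flow,
    or None if there are too few connections to measure an interval spread.

    The coefficient of variation (stdev / mean) of the inter-connection
    intervals is the periodicity measure: jittered implants still land far
    below human-driven traffic, whose intervals vary by roughly 100 %.
    """
    if len(records) < 3:
        return None
    ts = [r[0] for r in records]
    sizes = [r[1] for r in records]
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mean_iv = statistics.fmean(intervals)
    iv_cv = statistics.stdev(intervals) / mean_iv if mean_iv > 0 else float("inf")
    mean_sz = statistics.fmean(sizes)
    sz_cv = statistics.stdev(sizes) / mean_sz if mean_sz > 0 else float("inf")
    return (len(records), statistics.median(intervals), iv_cv, sz_cv)


def find_beacons(lines, min_conns=8, max_interval_cv=0.25, allow_ports=(123,)):
    """Flag periodic flows.  Ports in allow_ports (assumed benign pollers such
    as NTP) are returned separately so the analyst can see what was suppressed."""
    hits, suppressed = [], []
    for flow, recs in parse_conn_lines(lines).items():
        score = beacon_score(recs)
        if score is None:
            continue
        count, med, iv_cv, sz_cv = score
        if count >= min_conns and iv_cv <= max_interval_cv:
            entry = {"flow": flow, "count": count, "median_interval_s": round(med, 1),
                     "interval_cv": round(iv_cv, 3), "size_cv": round(sz_cv, 3)}
            (suppressed if flow[2] in allow_ports else hits).append(entry)
    hits.sort(key=lambda e: e["interval_cv"])
    return hits, suppressed


if __name__ == "__main__":
    found, quiet = find_beacons(build_sample_log())
    for e in found:
        print("BEACON", e)
    for e in quiet:
        print("periodic but allowlisted", e)
```

Running it flags the 300-second callback flow and reports the 64-second NTP poll as periodic but allowlisted. That second result is the noise problem the text refers to: anything that polls on a fixed schedule (NTP, package mirrors, monitoring agents) scores like a beacon, so a baseline of known pollers or an allowlist has to be established before such a detector is allowed to alert.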
APT groups
China
Since Xi Jinping became General Secretary of the Chinese Communist Party in 2012, the Ministry of State Security has gained more responsibility for cyberespionage vis-à-vis the People's Liberation Army, and currently oversees various APT groups.[40] According to security researcher Timo Steffens, "the APT landscape in China is run in a 'whole country' approach, leveraging skills from universities, individuals, and private and public sectors".[41]
Iran
North Korea
Russia
Türkiye
United States
Uzbekistan
Vietnam
Naming
Multiple organizations may assign different names to the same actor. As separate researchers could each have their own varying assessments of an APT group, companies such as CrowdStrike, Kaspersky, Mandiant, and Microsoft, among others, have their own internal naming schemes.[75] Names between different organizations may refer to overlapping but ultimately different groups, based on various data gathered.
CrowdStrike assigns animals by nation-state or other category, such as "Kitten" for Iran and "Spider" for groups focused on cybercrime.[76] Other companies have named groups based on this system; Rampant Kitten, for instance, was named by Check Point rather than CrowdStrike.[77]
Dragos bases its names for APT groups on minerals.[75]
Mandiant assigns numbered acronyms in three categories, APT (espionage), FIN (financially motivated) and UNC (uncategorized), resulting in names like APT1 and FIN7. Other companies using a similar system include Proofpoint (TA) and IBM (ITG and Hive).[75]
Microsoft used to assign names from the periodic table, often stylized in all-caps (e.g. POTASSIUM); in April 2023, Microsoft changed its naming schema to use weather-based names (e.g. Volt Typhoon).[78]
See also
External links
- Lists of APT groups
Notes and References
- [1] "What Is an Advanced Persistent Threat (APT)?". Kaspersky. Retrieved 11 August 2019. Archived 22 March 2021: https://web.archive.org/web/20210322014919/https://www.kaspersky.com/resource-center/definitions/advanced-persistent-threats
- [2] "What Is an Advanced Persistent Threat (APT)?". Cisco. Retrieved 11 August 2019. Archived 22 March 2021: https://web.archive.org/web/20210322014938/https://www.cisco.com/c/en/us/products/security/advanced-persistent-threat.html
- [3] Maloney, Sarah (9 November 2018). "What is an Advanced Persistent Threat (APT)?". Cybereason. Archived 7 April 2019: https://web.archive.org/web/20190407232257/https://www.cybereason.com/blog/advanced-persistent-threat-apt
- [4] Cole, Eric (2013). Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization. Syngress. OCLC 939843912.
- [5] "M-Trends Cyber Security Trends". FireEye. Retrieved 11 August 2019. Archived 21 September 2021: https://web.archive.org/web/20210921133050/https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html
- [6] "Cyber Threats to the Financial Services and Insurance Industries". FireEye. Archived 11 August 2019: https://web.archive.org/web/20190811091624/https://www.fireeye.com/content/dam/fireeye-www/solutions/pdfs/ib-finance.pdf
- [7] "Cyber Threats to the Retail and Consumer Goods Industry". FireEye. Archived 11 August 2019: https://web.archive.org/web/20190811091947/https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/ib-retail-consumer.pdf
- [8] "Advanced Persistent Threats: A Symantec Perspective". Symantec. Archived 8 May 2018: https://web.archive.org/web/20180508161501/https://www.symantec.com/content/en/us/enterprise/white_papers/b-advanced_persistent_threats_WP_21215957.en-us.pdf
- [9] Au, Man Ho (2018). "Privacy-preserving personal data operation on mobile cloud—Chances and challenges over advanced persistent threat". Future Generation Computer Systems 79: 337–349. doi:10.1016/j.future.2017.06.021.
- [10] "Advanced Persistent Threats (APTs)". IT Governance. Retrieved 11 August 2019. Archived 11 August 2019: https://web.archive.org/web/20190811090856/https://www.itgovernance.co.uk/advanced-persistent-threats-apt
- [11] "Advanced Persistent Threat Awareness". Trend Micro. Retrieved 11 August 2019. Archived 10 June 2016: https://web.archive.org/web/20160610083125/http://www.trendmicro.co.uk/media/misc/apt-survey-report-en.pdf
- [12] "Explained: Advanced Persistent Threat (APT)". Malwarebytes Labs, 26 July 2016. Archived 9 May 2019: https://web.archive.org/web/20190509114627/https://blog.malwarebytes.com/101/2016/07/explained-advanced-persistent-threat-apt/
- [13] "Assessing Outbound Traffic to Uncover Advanced Persistent Threat". SANS Technology Institute. Retrieved 14 April 2013. Archived 26 June 2013: https://web.archive.org/web/20130626233122/https://www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor.pdf
- [14] "Introducing Forrester's Cyber Threat Intelligence Research". Forrester Research. Retrieved 14 April 2014. Archived 15 April 2014: https://web.archive.org/web/20140415054512/http://blogs.forrester.com/rick_holland/13-02-14-introducing_forresters_cyber_threat_intelligence_research
- [15] Beim, Jared (2018). "Enforcing a Prohibition on International Espionage". Chicago Journal of International Law 18: 647–672 (subscription required). Archived 22 May 2021: https://web.archive.org/web/20210522173236/https://www.proquest.com/docview/2012381493
- [16] "Advanced Persistent Threats: Learn the ABCs of APTs - Part A". SecureWorks, 23 January 2017. Archived 7 April 2019: https://web.archive.org/web/20190407232258/https://www.secureworks.com/blog/advanced-persistent-threats-apt-a
- [17] Olavsrud, Thor (30 April 2012). "Targeted Attacks Increased, Became More Diverse in 2011". CIO. Archived 14 April 2021 (original link dead): https://web.archive.org/web/20210414115711/https://www.cio.com/article/2396583/targeted-attacks-increased--became-more-diverse-in-2011.html
- [18] "An Evolving Crisis". BusinessWeek, 10 April 2008. Archived 10 January 2010: https://web.archive.org/web/20100110120647/http://www.businessweek.com/magazine/content/08_16/b4080032220668.htm
- [19] "The New E-spionage Threat". BusinessWeek, 10 April 2008. Archived 18 April 2011: https://web.archive.org/web/20110418080952/http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
- [20] Rosenbach, Marcel; Schulz, Thomas; Wagner, Wieland (19 January 2010). "Google Under Attack: The High Cost of Doing Business in China". Der Spiegel. Archived 21 January 2010: https://web.archive.org/web/20100121005238/http://www.spiegel.de/international/world/0%2C1518%2C672742%2C00.html
- [21] "Commander Discusses a Decade of DOD Cyber Power". U.S. Department of Defense, 28 August 2020. Archived 19 September 2020: https://web.archive.org/web/20200919001557/https://www.defense.gov/Explore/News/Article/Article/2193130/commander-discusses-a-decade-of-dod-cyber-power/
- [22] "Under Cyberthreat: Defense Contractors". BusinessWeek, 6 July 2009. Archived 11 January 2010: https://web.archive.org/web/20100111174243/http://www.businessweek.com/technology/content/jul2009/tc2009076_873512.htm
- [23] Parker, Tom (4 February 2010). "Understanding the Advanced Persistent Threat". Archived 18 February 2010: https://web.archive.org/web/20100218143530/http://tominfosec.blogspot.com/2010/02/understanding-apt.html
- [24] Daly, Michael K. (4 November 2009). "Advanced Persistent Threat (or Informationized Force Operations)". USENIX LISA '09. Archived 11 May 2021: https://web.archive.org/web/20210511075023/https://www.usenix.org/legacy/event/lisa09/tech/slides/daly.pdf
- [25] "Anatomy of an Advanced Persistent Threat (APT)". Dell SecureWorks, 21 May 2012. Archived 5 March 2016: https://web.archive.org/web/20160305025719/https://www.secureworks.com/resources/sb-advanced-threat-protection-with-dell-secureworks
- [26] Gonzalez, Joaquin Jay III; Kemp, Roger L. (2019). Cybersecurity: Current Writings on Threats and Protection. McFarland. p. 69. ISBN 978-1-4766-7440-7.
- [27] Ingerman, Bret; Yang, Catherine (31 May 2011). "Top-Ten IT Issues, 2011". Educause Review. Archived 14 April 2021: https://web.archive.org/web/20210414115711/https://er.educause.edu/articles/2011/5/topten-it-issues-2011
- [28] McMahon, Dave; Rohozinski, Rafal. "The Dark Space Project: Defence R&D Canada – Centre for Security Science Contractor Report DRDC CSS CR 2013-007". publications.gc.ca. Archived 5 November 2016: https://web.archive.org/web/20161105035412/http://publications.gc.ca/collections/collection_2016/rddc-drdc/D68-3-007-2013-eng.pdf
- [29] "Outmaneuvering Advanced and Evasive Malware Threats". Secureworks, 24 February 2016. Archived 7 April 2019: https://web.archive.org/web/20190407232258/https://www.secureworks.com/resources/wp-outmaneuvering-advanced-and-evasive-malware-threats
- [30] "APT (Advanced Persistent Threat) Group". EMAGCOMSECURITY, 9 April 2015. Archived 15 January 2019: https://web.archive.org/web/20190115234441/https://emagcomsecurity.wordpress.com/2015/04/09/apt-advanced-persistent-threat-group/
- [31] "APT1: Exposing One of China's Cyber Espionage Units". Mandiant, 19 February 2013. Archived 2 February 2015: https://web.archive.org/web/20150202015751/http://intelreport.mandiant.com/
- [32] "What are MITRE ATT&CK initial access techniques". GitGuardian, 8 June 2021. Archived 29 November 2023: https://web.archive.org/web/20231129204105/https://blog.gitguardian.com/inital-access-techniques/
- [33] Blanchard, Ben (19 February 2013). "China says U.S. hacking accusations lack technical proof". Reuters. Archived 14 April 2021: https://web.archive.org/web/20210414115709/https://www.reuters.com/article/us-china-hacking-idUSBRE91I06120130220
- [34] Deibert, R.; Rohozinski, R.; Manchanda, A.; Villeneuve, N.; Walton, G. (28 March 2009). "Tracking GhostNet: investigating a cyber espionage network". Munk Centre for International Studies, University of Toronto. Archived 27 December 2023: https://web.archive.org/web/20231227155852/https://ora.ox.ac.uk/objects/uuid:6d1260fd-b8ee-4a11-8a5f-e7708d543651
- [35] Messier, Ric (2013). GSEC GIAC Security Essentials Certification All. McGraw Hill Professional. p. xxv. ISBN 978-0-07-182091-2.
- [36] "Anatomy of an APT (Advanced Persistent Threat) Attack". FireEye. Retrieved 14 November 2020. Archived 7 November 2020: https://web.archive.org/web/20201107220618/https://www.fireeye.com/current-threats/anatomy-of-a-cyber-attack.html
- [37] "Threat Intelligence in an Active Cyber Defense (Part 1)". Recorded Future, 18 February 2015. Archived 20 June 2021: https://web.archive.org/web/20210620155903/https://www.recordedfuture.com/active-cyber-defense-part-1/
- [38] "Threat Intelligence in an Active Cyber Defense (Part 2)". Recorded Future, 24 February 2015. Archived 27 February 2021: https://web.archive.org/web/20210227120734/https://www.recordedfuture.com/active-cyber-defense-part-2/
- [39] "A Context-Centred Research Approach to Phishing and Operational Technology in Industrial Control Systems". Journal of Information Warfare 18(4). Archived 31 July 2021: https://web.archive.org/web/20210731235144/https://www.jinfowar.com/journal/volume-18-issue-4/context-centred-research-approach-phishing-operational-technology-industrial-control-systems
- [40] Mozur, Paul; Buckley, Chris (26 August 2021). "Spies for Hire: China's New Breed of Hackers Blends Espionage and Entrepreneurship". The New York Times. Archived 27 August 2021: https://web.archive.org/web/20210827003547/https://www.nytimes.com/2021/08/26/technology/china-hackers.html
- [41] Stone, Jeff (5 October 2020). "Foreign spies use front companies to disguise their hacking, borrowing an old camouflage tactic". CyberScoop. Archived 22 March 2021: https://web.archive.org/web/20210322014903/https://www.cyberscoop.com/chinese-iranian-hackers-front-companies/
- [42] "Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak". Symantec, 7 May 2019. Archived 7 May 2019: https://archive.today/20190507054409/https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit
- [43] "APT17: Hiding in Plain Sight - FireEye and Microsoft Expose Obfuscation Tactic". FireEye, May 2015. Archived 24 November 2023 (original link dead): https://web.archive.org/web/20231124143647/https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf
- [44] "China-Based Threat Actors". U.S. Department of Health and Human Services, Office of Information Security, 16 August 2023. Archived 29 December 2023: https://web.archive.org/web/20231229092112/https://www.hhs.gov/sites/default/files/china-based-threat-actor-profiles-tlpclear.pdf
- [45] van Dantzig, Maarten; Schamper, Erik (19 December 2019). "Wocao APT20". Fox-IT (NCC Group). Archived 22 March 2021: https://web.archive.org/web/20210322014904/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
- [46] Vijayan, Jai (19 December 2019). "China-Based Cyber Espionage Group Targeting Orgs in 10 Countries". Dark Reading. Archived 7 May 2021: https://web.archive.org/web/20210507025313/https://www.darkreading.com/attacks-breaches/china-based-cyber-espionage-group-targeting-orgs-in-10-countries/d/d-id/1336676
- [47] Lyngaas, Sean (10 August 2021). "Chinese hackers posed as Iranians to breach Israeli targets, FireEye says". CyberScoop. Archived 29 November 2023: https://web.archive.org/web/20231129204248/https://cyberscoop.com/china-israel-iran-fireeye-hacking/
- [48] "Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure". U.S. Department of the Treasury, 19 March 2024. Archived 25 March 2024: https://web.archive.org/web/20240325174521/https://home.treasury.gov/news/press-releases/jy2205
- [49] Lyngaas, Sean (16 October 2020). "Google offers details on Chinese hacking group that targeted Biden campaign". CyberScoop. Archived 7 May 2021: https://web.archive.org/web/20210507025313/https://www.cyberscoop.com/biden-chinese-hacking-google-security-russia/
- [50] Hui, Sylvia (25 March 2024). "US and UK announce sanctions over China-linked hacks on election watchdog and lawmakers". AP News. Archived 25 March 2024: https://web.archive.org/web/20240325131113/https://apnews.com/article/uk-china-cyberattacks-parliament-election-770e7b00454b63ad424000feecddd0c1
- [51] Lyngaas, Sean (12 February 2019). "Right country, wrong group? Researchers say it wasn't APT10 that hacked Norwegian software firm". CyberScoop. Archived 7 May 2021: https://web.archive.org/web/20210507025345/https://www.cyberscoop.com/apt10-apt31-recorded-future-rapid7-china/
- [52] Naraine, Ryan (2 March 2021). "Microsoft: Multiple Exchange Server Zero-Days Under Attack by Chinese Hacking Group". SecurityWeek. Archived 6 July 2023: https://web.archive.org/web/20230706202313/https://www.securityweek.com/microsoft-4-exchange-server-zero-days-under-attack-chinese-apt-group/
- [53] Burt, Tom (2 March 2021). "New nation-state cyberattacks". Microsoft. Archived 2 March 2021: https://web.archive.org/web/20210302211855/https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
- [54] Gatlan, Sergiu (19 July 2021). "US and allies officially accuse China of Microsoft Exchange attacks". BleepingComputer. Archived 25 March 2024: https://web.archive.org/web/20240325215840/https://www.bleepingcomputer.com/news/security/us-and-allies-officially-accuse-china-of-microsoft-exchange-attacks/
- [55] "Double Dragon APT41, a dual espionage and cyber crime operation". FireEye, 16 October 2019. Archived 7 May 2021 (original link dead): https://web.archive.org/web/20210507025313/https://content.fireeye.com/apt-41/rpt-apt41/
- [56] "Bureau names ransomware culprits". Taipei Times, 17 May 2020. Archived 22 March 2021: https://web.archive.org/web/20210322015319/https://www.taipeitimes.com/News/taiwan/archives/2020/05/17/2003736564
- [57] Tartare, Mathieu; Smolár, Martin (21 May 2020). "No "Game over" for the Winnti Group". WeLiveSecurity. Archived 22 March 2021: https://web.archive.org/web/20210322015317/https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
- [58] Greenberg, Andy (6 August 2020). "Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry". Wired. Archived 22 March 2021: https://web.archive.org/web/20210322015355/https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/
- [59] Nichols, Shaun (20 October 2021). "'LightBasin' hackers spent 5 years hiding on telco networks". TechTarget SearchSecurity. Archived 29 November 2023: https://web.archive.org/web/20231129204219/https://www.techtarget.com/searchsecurity/news/252508413/LightBasin-hackers-spent-5-years-hiding-on-telco-networks
- [60] Ilascu, Ionut (19 October 2021). "LightBasin hacking group breaches 13 global telecoms in two years". BleepingComputer. Archived 24 July 2023: https://web.archive.org/web/20230724084013/https://www.bleepingcomputer.com/news/security/lightbasin-hacking-group-breaches-13-global-telecoms-in-two-years/
- [61] Sabin, Sam (26 October 2022). "New pro-China disinformation campaign targets 2022 elections: Report". Axios. Archived 26 October 2022: https://web.archive.org/web/20221026182732/https://www.axios.com/2022/10/26/disinformation-campaign-midterms-china-dragonbridge-mandiant
- [62] Chen, Joey (12 May 2020). "Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments". Trend Micro. Archived 22 March 2021: https://web.archive.org/web/20210322015323/https://www.trendmicro.com/en_us/research/20/e/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments.html
- [63] Cimpanu, Catalin. "Hackers target the air-gapped networks of the Taiwanese and Philippine military". ZDNet. Retrieved 16 May 2020. Archived 22 March 2021: https://web.archive.org/web/20210322015315/https://www.zdnet.com/article/hackers-target-the-air-gapped-networks-of-the-taiwanese-and-philippine-military/
- [64] Microsoft Threat Intelligence (24 May 2023). "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques". Microsoft Security Blog. Archived 17 January 2024: https://web.archive.org/web/20240117093138/https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- [65] Montalbano, Elizabeth (1 September 2020). "Pioneer Kitten APT Sells Corporate Network Access". Threatpost. Archived 22 March 2021: https://web.archive.org/web/20210322015301/https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/
- [66] "APT39, ITG07, Chafer, Remix Kitten, Group G0087". MITRE ATT&CK. Retrieved 30 December 2022. Archived 30 December 2022: https://web.archive.org/web/20221230215710/https://attack.mitre.org/groups/G0087/
- [67] "CrowdStrike Global Threat Report 2020". CrowdStrike, 2020. Archived 14 March 2020: https://web.archive.org/web/20200314121317/https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
- [68] Alspach, Kyle (4 February 2022). "Microsoft discloses new details on Russian hacker group Gamaredon". VentureBeat. Archived 6 February 2022: https://web.archive.org/web/20220206082258/https://venturebeat.com/2022/02/04/microsoft-discloses-new-details-on-russian-hacker-group-gamaredon/
- [69] "Adversary: Venomous Bear - Threat Actor". CrowdStrike Adversary Universe. Retrieved 22 March 2022.
- [70] Mercer, Warren; Rascagneres, Paul; Ventura, Vitor (29 June 2020). "PROMETHIUM extends global reach with StrongPity3 APT". Cisco Talos. Archived 22 March 2022: https://web.archive.org/web/20220322224729/https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- [71] "Equation: The Death Star of Malware Galaxy". Kaspersky Lab (Securelist), 16 February 2015. Archived 11 July 2019: https://web.archive.org/web/20190711082936/https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/
- [72] Gallagher, Sean (3 October 2019). "Kaspersky finds Uzbekistan hacking op… because group used Kaspersky AV". Ars Technica. Archived 22 March 2021: https://web.archive.org/web/20210322015356/https://arstechnica.com/information-technology/2019/10/kaspersky-finds-uzbekistan-hacking-opbecause-they-used-kaspersky-av/
- [73] Panda, Ankit (29 April 2020). "Offensive Cyber Capabilities and Public Health Intelligence: Vietnam, APT32, and COVID-19". The Diplomat. Archived 22 March 2021: https://web.archive.org/web/20210322015324/https://thediplomat.com/2020/04/offensive-cyber-capabilities-and-public-health-intelligence-vietnam-apt32-and-covid-19/
- [74] Tanriverdi, Hakan; Zierer, Max; Wetter, Ann-Kathrin; Biermann, Kai; Nguyen, Thi Do; Nierle, Verena; Schöffel, Robert; Wreschniok, Lisa (8 October 2020). "Lined up in the sights of Vietnamese hackers". Bayerischer Rundfunk. Quote: "In Bui's case the traces lead to a group presumably acting on behalf of the Vietnamese state. Experts have many names for this group: APT 32 and Ocean Lotus are best known. In conversations with a dozen of information security specialists, they all agreed that this is a Vietnamese group spying, in particular, on its own compatriots." Archived 22 March 2021: https://web.archive.org/web/20210322015304/https://web.br.de/interaktiv/ocean-lotus/en/
- [75] BushidoToken (20 May 2022). "Threat Group Naming Schemes In Cyber Threat Intelligence". Curated Intelligence. Archived 8 December 2023: https://web.archive.org/web/20231208025624/https://www.curatedintel.org/2022/05/threat-group-naming-schemes-in-cyber.html
- [76] "CrowdStrike 2023 Global Threat Report". CrowdStrike. Archived 26 March 2024: https://web.archive.org/web/20240326233326/https://iitd.com.ua/wp-content/uploads/2023/03/crowdstrike2023globalthreatreport.pdf
- [77] "Rampant Kitten". Thailand Electronic Transactions Development Agency (ETDA). Archived 29 November 2022: https://web.archive.org/web/20221129105244/https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Rampant%20Kitten
- [78] Lambert, John (18 April 2023). "Microsoft shifts to a new threat actor naming taxonomy". Microsoft. Archived 22 January 2024: https://web.archive.org/web/20240122164844/https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/