On reported APT trends

Over the past years, there has been a lot of public reporting on APT activity by groups with a Russia or China nexus. However, more and more countries have developed such advanced capabilities, and their activity is now being captured and reported by vendors and mainstream media.

FireEye’s list of sophisticated actors and naming conventions looks like this:

  • APT0-27, 30/31 = China (APT0 was a very short-lived one)
  • APT28/29 = Russia
  • APT32 = Vietnam
  • APT33/34/35 = Iran
  • APT36 = Pakistan
  • APT37 = North Korea

Moreover, Christopher Glyer from FireEye reports the following APT trends:

  • China nexus APT activity first observed in 2005. Notable shift in 2009 targeting commercial victims. Peak activity in US 2010-15 with significant decline post US/China cyber agreement.
  • Russia nexus APT activity first observed in 2014. Peak activity in 2014-16 while there was a downtick in 2017.
  • Iran nexus APT activity first observed in 2014. Significant uptick in activity starting 2016.

According to Kaspersky’s APT Trends report Q1 2018, three new actors were found, all of which are focused on the Asia region. Moreover, it is reported that some of the most heavily tracked groups, especially those that are Russian-speaking, did not show any remarkable activity during Q1 2018. The apparent low activity of these groups could be related to some kind of internal reorganization; however, this is purely speculative.

Finally, there is limited reporting on APT activity coming from actors with a Five Eyes nexus. An interesting example is Kaspersky’s Slingshot report: according to public reporting, the activity it described was a U.S. military program run out of Joint Special Operations Command (JSOC).
