During the past years, there has been a lot of public reporting on APT activity by groups with a Russia or China nexus. However, more and more countries have been observed developing such advanced capabilities, and their activity is now being captured and reported by vendors and mainstream media.
FireEye’s list of sophisticated actors and naming conventions looks like this:
- APT0-27, 30/31 = China (APT0 was a very short-lived one)
- APT28/29 = Russia
- APT32 = Vietnam
- APT33/34/35 = Iran
- APT36 = Pakistan
- APT37 = North Korea
Moreover, Christopher Glyer from FireEye reports the following APT trends:
- China nexus APT activity first observed in 2005. Notable shift in 2009 towards targeting commercial victims. Peak activity in the US in 2010-15, with a significant decline after the US/China cyber agreement.
- Russia nexus APT activity first observed in 2014. Peak activity in 2014-16, with a downtick in 2017.
- Iran nexus APT activity first observed in 2014. Significant uptick in activity starting 2016.
Based on Kaspersky’s APT Trends report for Q1 2018, three new actors were found, all of which are focused on the Asia region. Moreover, it is reported that some of the most heavily tracked groups, especially the Russian-speaking ones, did not show any remarkable activity during Q1 2018. The apparent low activity of these groups could be related to some kind of internal reorganization, although this is purely speculative.
Finally, there is limited reporting on APT activity coming from actors with a Five Eyes nexus. An interesting example is Kaspersky’s Slingshot report, which, according to public reporting, described a U.S. military program run out of Joint Special Operations Command (JSOC).