In the cyberspace domain we can find a multitude of dangers, and on this occasion we are going to deal with Advanced Persistent Threats (APTs). These threats stand out for their use of highly sophisticated software and the professionalism they require. One of the most remarkable points about APTs concerns those who execute and carry out these actions. They are characterised as organised groups, usually backed by governmental organisations, that pursue political, economic, strategic or operational objectives through cyber-espionage or cyber-attacks.
The ways in which these groups work are difficult to detect due to the complexity of their tools. Despite the partial anonymity offered by cyberspace, profiles of these groups are actively sought in order to catalogue actions and attribute them. The problem with investigating these attacks is that the search for a specific person usually reaches a dead end, so in order to create traceability and a record, the groups are studied through the Tactics, Techniques and Procedures (TTPs) they use. These help us know what we are dealing with and what tools the groups employ when operating in cyberspace.
APTs are different in nature from other types of attackers. They are not based on a quick in-and-out attack: their actions are designed to persist hidden in the attacked network, infect as many devices as possible and extract data in such a way that their activities remain undetected. Therefore, the procedures implemented by FFW typically consist of three distinct and scalable phases: an infiltration phase, an expansion phase and an extraction phase.
In the infiltration phase, these groups look for ways to plant backdoors (programming code sequences that run inside an infected system to remotely grant administrator and control permissions to an attacker), whether through system vulnerabilities, through phishing tactics (a type of cyber-attack that uses social engineering methods to try to trick users through fraudulent emails or notifications that mimic real sites or messages, in order to steal data or obtain permissions), through more advanced techniques, or even through the use of external or removable devices. Physical infiltration can also occur.
The expansion phase is characterised by the fact that it works like a computer worm, a self-replicating virus that spreads through the affected networks, but in a more complex way due to the security that compromised networks usually have. The objective is the same: to expand across the network and self-replicate in its systems.
In the extraction phase, files of interest to these groups are usually staged in advance on a device in the infected network. Critical content is stored there and, when deemed appropriate for the parameters of the infiltrator's operation, it is sent to the groups' own devices. To avoid detection, these transmissions are often accompanied by "white noise" attacks such as distributed denial-of-service (DDoS) attacks, so that the extraction goes unnoticed.
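The extraction phase described above relies on a flood of inbound traffic masking a large outbound transfer. The following is an added example (not code from the original article) of how a defender can correlate the two signals: it flags internal hosts whose outbound volume during a detected flood window is far above their own quiet-time baseline. The flow-record layout, the address ranges, the sample data and the thresholds (100 inbound external connections per minute, a 10x ratio) are all constructed assumptions for illustration, not any vendor's log format.

```python
"""Correlating an inbound flood with unusual outbound volume (added example,
not from the article). Flow layout, addresses and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    minute: int   # minute offset from the start of the capture (assumed layout)
    src: str
    dst: str
    nbytes: int


INTERNAL_PREFIX = "10.0.0."   # assumed internal range


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def sample_flows() -> list[Flow]:
    """Constructed sample: ten quiet minutes, then a three-minute inbound flood
    during which one internal host pushes a large transfer out."""
    flows = []
    for m in range(10):                                   # quiet baseline
        for host in ("10.0.0.5", "10.0.0.7"):
            flows.append(Flow(m, host, "203.0.113.10", 20_000))
    for m in range(10, 13):                               # flood window
        for i in range(300):                              # many external sources
            flows.append(Flow(m, f"198.51.100.{i % 250 + 1}", "10.0.0.1", 500))
        flows.append(Flow(m, "10.0.0.7", "192.0.2.44", 50_000_000))  # masked transfer
        flows.append(Flow(m, "10.0.0.5", "203.0.113.10", 20_000))    # normal host
    return flows


def flood_minutes(flows: list[Flow], inbound_threshold: int = 100) -> set[int]:
    """Minutes in which external->internal connection counts exceed the threshold."""
    counts: dict[int, int] = defaultdict(int)
    for f in flows:
        if not is_internal(f.src) and is_internal(f.dst):
            counts[f.minute] += 1
    return {m for m, c in counts.items() if c >= inbound_threshold}


def outbound_per_host_minute(flows: list[Flow]) -> dict[str, dict[int, int]]:
    """Bytes sent internal->external, keyed by source host and minute."""
    out: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out[f.src][f.minute] += f.nbytes
    return out


def masked_exfil_candidates(flows: list[Flow], inbound_threshold: int = 100,
                            ratio: float = 10.0) -> dict[str, float]:
    """Hosts whose peak outbound volume inside a flood window is at least
    `ratio` times their average outbound volume outside flood windows."""
    floods = flood_minutes(flows, inbound_threshold)
    findings: dict[str, float] = {}
    for host, per_minute in outbound_per_host_minute(flows).items():
        quiet = [b for m, b in per_minute.items() if m not in floods]
        noisy = [b for m, b in per_minute.items() if m in floods]
        if not quiet or not noisy:
            continue                      # no baseline or nothing during the flood
        baseline = sum(quiet) / len(quiet)
        peak = max(noisy)
        if baseline > 0 and peak >= ratio * baseline:
            findings[host] = round(peak / baseline, 1)
    return findings


if __name__ == "__main__":
    flows = sample_flows()
    print("flood minutes:", sorted(flood_minutes(flows)))
    print("candidates (host -> peak/baseline):", masked_exfil_candidates(flows))
```

The two signals are deliberately kept separate: a flood on its own is an availability incident, and a large upload on its own may be legitimate, but a host whose outbound volume jumps precisely while the network is being flooded deserves the analyst's attention before the flood is written off as noise.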
Knowing what they are and how they work, we might ask what targets APT groups pursue. As mentioned above, the targets are usually government administrations, institutions or companies related to a country's defence and critical infrastructure. The actions taken against these targets are usually cyber-espionage or cyber-attacks, but we also find large-scale economic cybercrime carried out in search of self-financing.
There are several groups dedicated to carrying out APT attacks, the best known of which include:
APT28 (Fancy Bear): This hostile group is allegedly linked to the Russian military unit of the Main Centre for Special Services of the Main Intelligence Directorate. This group has conducted targeted activities against the Ukrainian side in the conflict between the Russian Federation and Ukraine in order to obtain key information and thus try to give an advantage to the Russian side.
APT Mustang Panda: This is a cyber actor based in China whose operations concentrate on three main regions: Europe, Australia and Japan. Within Europe, Spain has been the target of several attacks carried out by this group, and the CNI considers it one of the major threats to national cyberspace.
APT34 (OilRig): This is an Iranian group that has been operating in the cyberspace arena for at least eight years. It focuses on campaigns related to energy resources (oil and gas) and financial resources against Iran's rivals in the Middle East, including Israel. Its power of influence can be very high due to the strategic importance of its targets.
Finally, it is important to mention the problem that these groups pose not only at the cyberspace level, but also in the difficulty we have in giving them an identity and assigning responsibility. Attribution is further complicated because a cyber-attack can be considered a direct attack under international law. This places the state receiving an attack of this nature in a complex situation, as such an attack could be considered a declaration of war (taking into account its severity and impact). The constantly evolving cyberspace domain requires special legislation to properly classify the actions that take place within it. As in all areas related to defence, knowing the enemy is essential.