The advance in APTs: ones to watch in 2019

We promote a hostile actor to APT status when we have robust evidence of a TEMP group’s sponsoring nation, target profile, attack motivations and independence from existing groups (a TEMP designation is assigned to a cluster of activity once there is sufficient or consistent reporting on its TTPs). Last year, we labelled four new attackers as APTs.

The word ‘persistent’ applies to a group’s attack on a target, but it could equally describe the group’s own existence and its determination to survive and flourish. We are certain that these four new groups will grow in both breadth and sophistication in 2019, so here is a brief profile of each.

APT37

Suspected attribution: North Korea

Promoted to APT: February 2018

APT37 (‘Reaper’) is thought to have been targeting mainly South Korean public and private sector organizations since 2012. In 2017 it expanded its operations into Japan, Vietnam and the Middle East, focusing on a range of industries including chemicals, electronics, manufacturing, aerospace, automotive and healthcare.

We believe the group’s primary mission is covert intelligence gathering in support of North Korea's strategic military, political and economic interests. Last July, we uncovered a reunification-themed email sent to multiple recipients that carried a weaponized HWP (Hangul Word Processor) attachment, which appears to have been used against South Korean government agencies.

We predict: APT37 will be leveraged in previously unfamiliar roles and regions, especially as economic pressure continues to mount on the regime.

[Figure: map of APT37 activity]

APT38

Suspected attribution: North Korea

Promoted to APT: October 2018

APT38 is a financially motivated group linked to North Korean cyber espionage operators, known for its attempts to steal hundreds of millions of dollars from financial institutions in support of the Pyongyang regime since 2015. Its sophisticated attacks typically involve long planning and an extended presence in victim environments before any money is stolen. It operates comfortably across mixed operating system environments and uses custom-developed tools. Increasingly, it deploys destructive malware to evade detection.

We predict: APT38 operations will persist as North Korea’s currency continues to deteriorate, with the group adopting new TTPs to evade the more advanced security measures put in place by its financial institution targets.

[Figure: map of APT38 activity]

APT39

Suspected attribution: Iran

Promoted to APT: December 2018

FireEye Intelligence has tracked the cyber espionage group APT39 since November 2014. Its targeting scope is global, but its activity is concentrated in the Middle East, particularly on telecommunications companies and the travel and IT firms in their ecosystem. Targeting may also extend to transportation and government entities in Israel and Kuwait.

The group’s focus on these industries suggests an intent to conduct monitoring, tracking or surveillance against specific individuals, collect proprietary or customer data for commercial or operational purposes aligned to national priorities, or create additional accesses and vectors to facilitate future campaigns. We believe that geopolitical data collection is a further objective.

We predict: APT39 will further its mission to collect personal information in support of Iran's national security priorities.

[Figure: map of APT39 activity]

APT40

Suspected attribution: China

Promoted to APT: December 2018

Cyber espionage group APT40 (‘Periscope’) typically targets Southeast Asian countries that are strategically important to China’s ‘Belt and Road Initiative’. Since at least January 2013, it has conducted campaigns against maritime, defense, aviation, chemicals, research/education, government and technology organizations. It steals large amounts of information specific to government-sponsored projects, including proposals, meeting records, financial data, shipping information, plans and drawings, and raw data.

We predict: With a massive library of tools at its disposal and the agility to shift operations to new targets as required, APT40's operations will continue through at least the near and medium term.

[Figure: map of APT40 activity]

Read the full M-Trends 2019 report