What is an Advanced Persistent Threat (APT)?
An APT is a stealthy threat actor that uses a range of techniques to gain unauthorized access to a specific target system or network and remain undetected for an extended period while maintaining that access to carry out malicious activity in pursuit of a specific goal. A threat actor (also called a malicious actor) is an individual or group that engages in cyber-related malicious activity; each actor has different skills and resources. An APT is typically a nation state or a state-sponsored group, but it can also be a highly skilled and well-funded cybercriminal group. It attacks organizations with the objective of stealing sensitive information or intellectual property, disrupting critical infrastructure, or causing other forms of damage (for example, a successful ransomware attack can cause business interruption, reputational damage and financial loss to an organization). An attack by an APT typically involves multiple stages, including reconnaissance, intrusion into the targeted system or network to gain a foothold, and subsequent exploitation. Along the way it may use a variety of tactics and techniques, such as social engineering, phishing, malicious software and exploitation of system or network vulnerabilities, to evade detection and maintain persistent access.
Why is it important for organizations to know about APTs?
There are many APTs, attacks by them are becoming more common, and the damage caused by successful attacks continues to increase. By understanding the APTs known to target their industries or sectors, organizations can prioritize their efforts to develop defense strategies against them. Sun Tzu's "The Art of War" stresses knowing your enemy: the more information you have about your enemy, the better prepared you are to defeat them. That knowledge includes the enemy's tactics and motivations. It recommends gathering intelligence to understand the enemy and, on the flip side, emphasizes understanding one's own strengths and weaknesses in relation to the enemy. To put this philosophy in the context of defending against APTs, organizations can use cyber threat intelligence (CTI) to understand the APTs that target their industries. The information CTI can provide about an APT includes its motivation, observed targeted industries, observed targeted countries and the tools/malware it uses. In terms of understanding oneself, an organization can check whether any vulnerability exists in its network or system environment that these APTs are known to exploit, and whether security controls are in place to detect and block the tools/malware the APTs use. This article focuses on APTs related to the Aviation/Aerospace industry.
Data Analysis
Besides paid CTI, open source intelligence (OSINT) can also be used to understand APTs, though it may not be as up to date as paid feeds. The data used to generate this article come from the following three OSINT sources:
1.) Thailand's Electronic Transactions Development Agency portal (ETDA) [1]
2.) The APT map created by Andrea Cristaldi using data from MITRE, the APT Groups and Operations Google Sheet and ThaiCERT (APTMap) [2]
3.) The APT Groups and Operations Google Sheet (APTGrpOps) [3]
Python scripts [4][5][6] were written in March 2023 to scrape, aggregate and process the data from these three sources for visualization in Tableau. 43 APTs were found to target the Aviation/Aerospace industry; the general insights are as follows:
1.) Aviation/Aerospace is among the top 10 industries/sectors targeted by APTs, based on ETDA data.
2.) The majority of the APTs targeting the Aviation/Aerospace industry are attributed to China, Iran and Russia.
3.) The majority of the APTs targeting the Aviation/Aerospace industry are state-sponsored.
4.) The majority of the APTs targeting the Aviation/Aerospace industry have information theft and espionage as their objective.
5.) The top 10 countries targeted by APTs in the Aviation/Aerospace industry are shown in the chart below.
6.) The top 10 tools/malware used by APTs targeting the Aviation/Aerospace industry are mainly used for post-installation activities in the cyber kill chain [7], i.e. the command-and-control and actions-on-objectives stages that follow the installation of malware on a compromised host.
7.) Based on the information about these APTs available in MITRE ATT&CK [8], the top 10 techniques used by the APTs targeting the Aviation/Aerospace industry are also largely post-installation activities in the cyber kill chain [7], which is consistent with the top 10 tools/malware observed.
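The scripts linked in [4][5][6] are not reproduced here. What follows is an added example, not the article's own code, showing the kind of merge-and-summarize logic such a pipeline needs: it resolves group aliases across sources, unions list-valued fields, folds differing motivation labels into one vocabulary, filters for sector labels that mention aviation or aerospace, and ranks attributed country, sponsor type, motivation, targeted countries and tools. The record schema and every sample record (group names, aliases, attributions, tools) are constructed placeholders, not data from ETDA, APTMap or the APT Groups and Operations sheet.

```python
"""Added example: merge APT records from several OSINT sources and summarize
the Aviation/Aerospace subset. Schema and records below are constructed."""
from collections import Counter
from typing import Dict, Iterable, List

LIST_FIELDS = ("aliases", "motivation", "sectors", "tools", "targeted_countries")
SCALAR_FIELDS = ("country", "sponsor")

# Sources label the same motivation differently; fold known variants into one
# label before counting (assumed vocabulary, not any source's own).
MOTIVATION_MAP = {"espionage": "Information theft and espionage"}

# Constructed sample records in an assumed, simplified schema. Group names,
# aliases, attributions and tools are placeholders, not real ETDA, APTMap or
# APTGrpOps entries.
ETDA_SAMPLE = [
    {"name": "Group Alpha", "aliases": ["Alpha Team", "GA"], "country": "China",
     "sponsor": "State-sponsored", "motivation": ["Information theft and espionage"],
     "sectors": ["Aviation", "Defense"], "tools": ["Mimikatz", "PlugX"],
     "targeted_countries": ["USA", "Japan"]},
    {"name": "Group Beta", "country": "Iran", "sponsor": "State-sponsored",
     "motivation": ["Information theft and espionage"],
     "sectors": ["Aerospace", "Energy"], "tools": ["Mimikatz", "PowerShell"],
     "targeted_countries": ["USA", "Israel"]},
    {"name": "Group Gamma", "aliases": ["Gamma Crew"], "country": "Unknown",
     "sponsor": "Criminal", "motivation": ["Financial gain"],
     "sectors": ["Retail"], "tools": ["Cobalt Strike"],
     "targeted_countries": ["Germany"]},
]
APTMAP_SAMPLE = [
    {"name": "Alpha Team", "country": "China", "sectors": ["Aerospace"],
     "tools": ["Cobalt Strike"], "targeted_countries": ["USA", "India"]},
    {"name": "Group Delta", "country": "Russia", "sponsor": "State-sponsored",
     "motivation": ["Sabotage and destruction"], "sectors": ["Aviation"],
     "tools": ["Mimikatz"], "targeted_countries": ["Ukraine"]},
]
APTGRPOPS_SAMPLE = [
    {"name": "GA", "motivation": ["Espionage"], "tools": ["Mimikatz"]},
    {"name": "Gamma Crew", "sectors": ["Finance"], "tools": ["Cobalt Strike"]},
]


def canon(name: str) -> str:
    """Normalize a group or alias name for matching across sources."""
    return " ".join(name.lower().split())


def build_alias_index(records: Iterable[Dict]) -> Dict[str, str]:
    """Map every name and alias to one canonical key (first-seen name wins)."""
    index: Dict[str, str] = {}
    for rec in records:
        names = [rec["name"]] + list(rec.get("aliases", []))
        # Reuse an existing key if any of this record's names is already known.
        key = next((index[canon(n)] for n in names if canon(n) in index),
                   canon(rec["name"]))
        for n in names:
            index.setdefault(canon(n), key)
    return index


def merge_sources(*sources: List[Dict]) -> Dict[str, Dict]:
    """Merge records per canonical group: union list fields, keep the first
    non-empty scalar. Pass the most trusted source first."""
    all_records = [r for src in sources for r in src]
    index = build_alias_index(all_records)
    merged: Dict[str, Dict] = {}
    for rec in all_records:
        key = index[canon(rec["name"])]
        out = merged.setdefault(key, {f: set() for f in LIST_FIELDS})
        for f in LIST_FIELDS:
            values = rec.get(f, [])
            if f == "motivation":
                values = [MOTIVATION_MAP.get(canon(v), v) for v in values]
            out[f].update(values)
        for f in SCALAR_FIELDS:
            if rec.get(f) and not out.get(f):
                out[f] = rec[f]
    return merged


def targets_aviation(rec: Dict) -> bool:
    """True if any recorded sector label mentions aviation or aerospace."""
    return any("aviation" in s.lower() or "aerospace" in s.lower()
               for s in rec["sectors"])


def summarize(merged: Dict[str, Dict], top_n: int = 10) -> Dict[str, object]:
    """Rank attribution, sponsor type, motivation, targeted countries and
    tools over the Aviation/Aerospace subset, one vote per group."""
    subset = [r for r in merged.values() if targets_aviation(r)]
    counters = {
        "country": Counter(r.get("country", "Unattributed") for r in subset),
        "sponsor": Counter(r.get("sponsor", "Unknown") for r in subset),
        "motivation": Counter(m for r in subset for m in r["motivation"]),
        "targeted_countries": Counter(c for r in subset for c in r["targeted_countries"]),
        "tools": Counter(t for r in subset for t in r["tools"]),
    }
    summary: Dict[str, object] = {k: c.most_common(top_n) for k, c in counters.items()}
    summary["group_count"] = len(subset)
    return summary


if __name__ == "__main__":
    result = summarize(merge_sources(ETDA_SAMPLE, APTMAP_SAMPLE, APTGRPOPS_SAMPLE))
    for field, ranking in result.items():
        print(field, ranking)
```

Two caveats apply to any such merge. Counting one vote per group only works if aliases are resolved first; otherwise a group that two sources list under different names is counted twice and inflates the country and tool rankings. Conflicting scalar attributions (for example two sources naming different countries) are resolved here by source order, so the most trusted source must be passed first, and the sector filter is a plain substring match that will miss labels such as "air transport" unless they are added to it.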
Conclusion
This is the first analysis of the Aviation/Aerospace cyber threat landscape based on the APTs targeting the industry, using readily available open source data. Stay tuned for more analyses using different sources of information, such as news reports of aviation-related cyber incidents and publicly available cyber threat intelligence reports. The details of the individual APTs may be published in another channel at a later date. Thanks for reading this article, and I hope you find the information useful.
References
[4] https://github.com/cyberanalyst86/Combine-Etda-and-APTMap (Python code used to combine ETDA and APTMap data.)
[5] https://github.com/cyberanalyst86/APT-Groups-and-Operations---Google-Drive (Python code to process the Excel file downloaded from the APT Groups and Operations Google Sheet.)
[6] https://github.com/cyberanalyst86/combine_etda_aptmap_aptgrpops (Python code to combine ETDA, APTMap and APTGrpOps data.)