Analysis and Triage of Advanced Hacking Groups Targeting Western Countries Critical National Infrastructure: APT28, RED October, and Regin

Critical Infrastructure Security and Resilience

Abstract

Many organizations still rely on traditional methods to protect themselves against various cyber threats. This is effective against traditional threats, but it is less effective against Advanced Persistent Threat (APT) actors. APT attacks are carried out by highly skilled, possibly state-sponsored, cyber criminal groups who have potentially unlimited time and resources.

This paper analyzes three specific APT groups targeting the critical national infrastructure of western countries, namely APT28, Red October, and Regin. The Cyber Kill Chain (CKC) was used as the reference model to analyze these APT groups' activities. We create a Defense Triage Process (DTP) as a novel combination of the Diamond Model of Intrusion Analysis, the CKC, and the 7D Model, to triage the attack vectors and potential targets of these three APT groups.

A comparative summary of these APT groups is presented, based on their attack impact and the technical mechanisms they deploy. The paper also highlights the types of organization and vulnerabilities that are attractive to these APT groups and proposes mitigation actions.

Correspondence to Henry Mwiki .

Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Mwiki, H., Dargahi, T., Dehghantanha, A., Choo, KK.R. (2019). Analysis and Triage of Advanced Hacking Groups Targeting Western Countries Critical National Infrastructure: APT28, RED October, and Regin. In: Gritzalis, D., Theocharidou, M., Stergiopoulos, G. (eds) Critical Infrastructure Security and Resilience. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-00024-0_12

  • DOI: https://doi.org/10.1007/978-3-030-00024-0_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00023-3

  • Online ISBN: 978-3-030-00024-0

  • eBook Packages: Computer Science (R0)