Abstract
Many organizations still rely on traditional methods to protect themselves against cyber threats. This is effective against conventional threats, but far less so against Advanced Persistent Threat (APT) actors. APT attacks are carried out by highly skilled, often state-sponsored, groups that have potentially unlimited time and resources.
This paper analyzes three specific APT groups targeting the critical national infrastructure of western countries, namely APT28, Red October, and Regin. The Cyber Kill Chain (CKC) was used as the reference model to analyze these groups' activities. We create a Defense Triage Process (DTP) as a novel combination of the Diamond Model of Intrusion Analysis, the CKC, and the 7D Model, to triage the attack vectors and potential targets of these three APT groups.
A comparative summary of these APT groups is presented, based on their attack impact and the technical mechanisms they deploy. This paper also highlights the types of organization and vulnerabilities that are attractive to these APT groups and proposes mitigation actions.
© 2019 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Mwiki, H., Dargahi, T., Dehghantanha, A., Choo, KK.R. (2019). Analysis and Triage of Advanced Hacking Groups Targeting Western Countries Critical National Infrastructure: APT28, RED October, and Regin. In: Gritzalis, D., Theocharidou, M., Stergiopoulos, G. (eds) Critical Infrastructure Security and Resilience. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-00024-0_12
DOI: https://doi.org/10.1007/978-3-030-00024-0_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00023-3
Online ISBN: 978-3-030-00024-0
eBook Packages: Computer Science (R0)