Analysis and Triage of Advanced Hacking Groups Targeting Western Countries Critical National Infrastructure: APT28, RED October, and Regin

  • Henry Mwiki
  • Tooska Dargahi
  • Ali Dehghantanha
  • Kim-Kwang Raymond Choo
Part of the Advanced Sciences and Technologies for Security Applications book series (ASTSA)


Many organizations still rely on traditional methods to protect themselves against various cyber threats. This is effective against traditional threats, but less so against Advanced Persistent Threat (APT) actors. APT attacks are carried out by highly skilled (possibly state-sponsored) cyber criminal groups who have potentially unlimited time and resources.

This paper analyzes three specific APT groups targeting the critical national infrastructure of western countries, namely APT28, Red October, and Regin. The Cyber Kill Chain (CKC) was used as the reference model to analyze these APT groups' activities. We create a Defense Triage Process (DTP) as a novel combination of the Diamond Model of Intrusion Analysis, the CKC, and the 7D Model, to triage the attack vectors and potential targets of these three APT groups.

A comparative summary of these APT groups is presented, based on their attack impact and the technical mechanisms they deploy. This paper also highlights the types of organizations and vulnerabilities that are attractive to these APT groups and proposes mitigation actions.


Keywords: Critical national infrastructure; Advanced persistent attack; APT; APT28; Red October; Regin



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Henry Mwiki (1)
  • Tooska Dargahi (1)
  • Ali Dehghantanha (2)
  • Kim-Kwang Raymond Choo (3)
  1. Department of Computer Science, University of Salford, Manchester, UK
  2. School of Computer Science, University of Guelph, Guelph, Canada
  3. Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, USA
