Analysis of APT Actors Targeting IoT and Big Data Systems: Shell_Crew, NetTraveler, ProjectSauron, CopyKittens, Volatile Cedar and Transparent Tribe as a Case Study

  • Paul J. Taylor
  • Tooska Dargahi
  • Ali Dehghantanha


Advanced Persistent Threats (APTs) can repeatedly threaten individuals, organisations and national targets, utilising varying tactics and methods to achieve their objectives. This study examines six such threat groups, namely Shell_Crew, NetTraveler, ProjectSauron, CopyKittens, Volatile Cedar and Transparent Tribe, analyses the methods each uses to traverse the cyber kill chain, and highlights the range of capabilities that adversaries could employ against their targets. Mitigation and active defence measures were then considered with a view to reducing the effectiveness of these malicious campaigns. The study found that, despite the complex nature of some adversaries, often straightforward measures can be applied at various levels of a networked environment to diminish the capability presented by some of the known threats.


Keywords: Advanced persistent threat (APT), Cyber kill chain (CKC), IoT, Big data



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Paul J. Taylor (1)
  • Tooska Dargahi (2)
  • Ali Dehghantanha (3)
  1. School of Computing, Science and Engineering, University of Salford, Manchester, UK
  2. Department of Computer Science, School of Computing, Science and Engineering, University of Salford, Manchester, UK
  3. Cyber Science Lab, School of Computer Science, University of Guelph, Guelph, Canada
