Security Art Work

Now you have some tips, evidence-based, for your APT talks (don’t forget to use these tips together with Sun Tzu’s “Art of War” quotes); with some more time, you can get to more stupid or interesting conclusions about threat groups activities, interests and origins. And exploiting other datasets (MITRE ATT&CK, here we go!) We can expand those conclusions.

Some key data we can conclude after this little analysis of data:

• It seems clear that Russia plays in the APT Champions League. It’s the most active country in all kind of threat activities, from sabotage to espionage or financial gain.
• The threat group leader is also a Russian one: Turla, operating from almost a quarter century -in this case we can confirm it’s still active- and with targets from a long list of countries and sectors.
• The most loved by analysts threat group is also a Russian one: APT28. Maybe for this reason is the threat group with more synonyms.
• The number of threat actors with CNA capabilities has increased during last years, once again with Russia leading the ranking.
• Apart from classical players, two actors have been particularly actives in the last years: Iran and North Korea.
• It should be interesting to identify a parameter for threat groups, something like “last time seen”, in order to calculate the years a group has been active.
• Using different, vendor-dependent names, for the same threat actor is a little chaos when analyzing data. In this sense, a good effort is MISP’s UUID for each group (https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json#L2434), as @adulau noted.
• With some imagination and gnuplot you can have your own APT Magic Quadrant for marketing purposes.
• Disclaimer: this is just a simple blog post, not a scientific paper, so don’t expect non questionable sentences here!
• And the most important conclusion: AWK is your friend. Remember:

Once we have answered some silly & simple questions, it’s time to wonder more complex ones, so let’s imagine…

Are CNA threat actors increasing their activities during last years?

In the simple questions, we have concluded that sabotage and destruction motivations are not the most common among threat groups. But we are interested in these ones. Let’s see them among time:

for i in `grep "Sabotage and destruction" [0-9]*.txt|awk -F: '{print $1}'`; do grep \"meta\",\"date\"\] $i|awk '{print $2}'|sed 's/\"//g';done|awk '{a[$0]++}END{for(k in a){print k,a[k]}}’ >years.cna

Plotting the results, we have:

gnuplot> set boxwidth 0.5

gnuplot> set boxwidth 0.5

gnuplot> set xtics 1

gnuplot> set ytics 1

gnuplot> set yrange [0:5]

gnuplot> plot 'years.cna' with boxes

Since 2012, the number of these threat actors has increased significantly: 9 out of 14 groups in the last eight years, so we can say it’s a growing trend. Out of curiosity , the oldest group with CNA capabilities is dated in 2001. Can you guess its name? Yeah… Equation Group.

Once we have processed the gathered information we can start our analysis trying to ask the silly and simple questions that many times we wonder. Let’s go. 

Which are the groups with more synonyms?

The silliest question I always wonder is why we use so many names for the same actor. Which one is the group with more names? Let’s see:

$ for i in [0-9]*.txt; do c=`grep synonyms\", $i|grep -vi operation|wc -l `; echo $c $i;done |sort -n|tail -1

18 233.txt

$

The result is “233.txt”, which corresponds to APT 28, with 18 synonyms; the second one in the ranking, with 16 names, is Turla. Casually, both of them are from Russia (we’ll see later some curiosities about Russia).

Apart from that, a personal opinion: 18 names for the same group! Definitely, once again, we need a standard for threat actor names. This can be your first sentence when giving a talk about APT: where is an ISO committee when it’s needed?

Which groups are from my country?

Well, outside well known actors… how many groups are from my country? Spanish ISO 3166-1 country code is ES, so let’s look for Spanish threat actors with a simple command, as well as threat actors from other relevant countries

$ grep \"country\" [0-9]*.txt|grep -w ES

$ grep \"country\" [0-9]*.txt|grep -w DE

$ grep \"country\" *.txt|grep -w IL

183.txt:["values",183,"meta","country"]	“US,IL"

$

No identified groups from Spain… well, I’m sure this has a technical explanation: Spanish groups are so stealth that they are difficult to discover, and their OPSEC is so strong that, in case of being discovered, attribution is impossible. For sure! But what about Germany? Where is your Project Rahab now? And what about Israel, with only a sad starring together with US? Yes, it’s Stuxnet, but only a single starring… I hope you are as good as Spanish groups: nobody can discover you, and attribution is impossible :) Another sentence for your APT talks: in the group of most stealth countries we can find Germany, Israel… or Spain.

When attending to talks about APT -or when giving them- sometimes you hear sentences like “most threat actors are focused on information theft” or “Russia is one of the most active actors in APT landscape”. But, where do all those sentences come from? We have spent a whole night exploiting APT data for fun and (no) profit, in order to provide you with some curiosities, facts, data… you can use from now in your APT talks!! :)

Since 2019 the folks at ThaiCERT publish the free PDF book “Threat Group Cards: A Threat Actor Encyclopedia” and they have an online portal (https://apt.thaicert.or.th/cgi-bin/aptgroups.cgi) with all the information regarding APT groups acquired from public sources. In this portal, apart from browsing threat groups and their tools, they present some statistics about threat groups activities (source countries, target countries and sectors, most used tools…). Most of these threat groups are considered APT (at the time of this writing, 250 out of 329, with last database change done 20 October 2020).

But what happens when you need specific statistics or correlations? You can download a JSON file and exploit it yourself:

$ curl -o out.json https://apt.thaicert.or.th/cgi-bin/getmisp.cgi?o=g