Cyber espionage “investigations” have become popular within the information security industry, creating easy marketing opportunities for research reports about Advanced Persistent Threats accompanied by “nation-state attack” headlines. Beyond its use in marketing APT research reports, the term “APT” itself has been generalized for the sake of convenience, at the expense of accuracy and deeper understanding. Today the term APT is used throughout IT security circles to describe any attack that appears to target specific organizations or is thought to be notably technical in nature, regardless of whether the attack was actually advanced or persistent. Using an abstract term such as APT can create the impression that all such attacks are technically sophisticated, advanced, persistent, and malware driven; some in the industry have even begun to define APT as malware. According to Juan Andrés Guerrero-Saade, “the terms ‘APT’, ‘targeted attack’, ‘nation-state sponsored’, and even ‘Cyberespionage’ are inaccurate and misinterpret the object of study, which is to say an espionage operation partially carried out with the use of malware” [1].
The following examples illustrate common inaccuracies associated with the term APT:
- Persistent attacks that are not advanced, because they lack sophisticated tactics and techniques. An example of such a case is El Machete [2].
- Attacks that are widely distributed but intended for a specific target: a wide range of services is compromised, yet only selectively chosen victims are infected. An example of such a case is the Darkhotel components [3].
- Targeted attacks intended to reach a wider audience, such as Regin’s [4] use of legitimate institutions as domestic network proxies or Duqu’s [5] utilitarian targeting of digital certificates.
These examples show that classifying an APT as a nation-state sponsored adversary, regardless of its sophistication and merely on the basis of the type of sensitive information pursued or the targets chosen (which happen to be of interest to a certain nation-state), is inaccurate. Premature interpretations suggesting that only nation-states are interested in political documents ignore the monetary value of political and military secrets. Institutions whose interests might overlap with those of a nation-state include political opposition, private consulting firms, political analysts, financial speculators, and adversarial nation-states, to name a few.
Finally, focusing on the malware deployment and capabilities or on the information-stealing tactics of APT groups might strengthen the conviction that a group is interested in a specific type of data. However, this does not clarify whether the recipient of the exfiltrated data is a nation-state or an institution with overlapping interests. Therefore, it should not be assumed that every APT group or attack is associated with the sponsorship or direct interest of a nation-state.