Almost every quarter, someone publishes major research focusing on campaigns or incidents that involve Asian APT groups. These campaigns and incidents target various organizations from a multitude of industries. Likewise, the geographic location of victims is not limited to just one region. This type of research normally contains detailed information about the tools used by APT actors, the vulnerabilities that they exploit and sometimes even a specific attribution. Despite the large number of these types of reports, companies often remain unprepared to face these kinds of attackers. With the advanced tools and techniques used by threat actors today, cybersecurity professionals require not only high-level expertise and extensive experience, but also an infrastructure supported by well-organized asset management and vulnerability management processes, network segmentation, fine-tuned audits, and intelligently configured data security tools. In most cases, an unprepared infrastructure is the primary factor enabling Asian APT groups to conduct successful attacks.
In this report, we share the most valuable intelligence that we gathered on Asian APT groups. Over the course of our work, we noticed that these groups attacked the greatest number of countries and industries. Most importantly, our analysis of hundreds of attacks revealed a similar pattern among various groups. They achieve specific objectives at various stages of the Cyber Kill Chain using a common but limited number of techniques encountered by security professionals all over the world. Unfortunately, security teams often have difficulty detecting these attacks in their own infrastructure.
We created this report to provide the cybersecurity community with the best-prepared intelligence data to effectively counteract Asian APT groups. This report will be the most helpful to the following:
This material can serve as a library of knowledge on the main approaches used by Asian APT groups when they hack an infrastructure. The report also contains detailed information on the attackers' tactics, techniques and procedures (TTPs) based on the MITRE ATT&CK methodology.
This report consists of six main sections:
* Main description. Technical details on how the specific technique works.
* Examples of procedures. Example implementations of this technique that we detected in attacks by Asian APT groups.
* Detection. Data on the approaches employed to detect the described technique, and the EventIDs of events in various monitoring agents used to detect the specific threat.
* SIGMA rules. List of SIGMA rules relevant to this technique. The actual SIGMA rules can be found in the Appendix: SIGMA.
Download the full version of the Modern Asian APT groups' tactics, techniques and procedures report (English, PDF)