The document discusses several real-world advanced persistent threat (APT) attacks throughout history, including the first known cyber espionage incident called "The Cuckoo's Egg" in 1986, the Stuxnet cyber weapon used against Iran's nuclear facilities in 2010, and Operation Aurora which targeted major corporations like Google and Adobe in 2009. It defines APTs as targeted, advanced, persistent attacks usually carried out by well-funded nation-state groups, and outlines the common goals, phases, actors, and challenges of attributing APTs. The document concludes by providing further resources on APT reports, frameworks, and demonstrating attack techniques using Metasploit and Armitage.

1. Advanced Persistent Threats
By Japneet Singh

2. Agenda
• Few interesting real APT attacks
• What’s an APT, what are the goals?
• Attack Phases
• Actors and attribution
• Why there’s no end to it (yet!)
• Further resources
• Demo using Metasploit + Armitage

3. The cuckoo’s egg
• 1st known incident of cyber espionage
• First observed intrusion in 1986 at Berkeley Lab
• Espionage of confidential military documents
• Culminated with arrests in Germany in 1990
• Alleged involvement of KGB

4. Stuxnet
• 1st known cyber weapon
• Uncovered in 2010
• Destroyed nuclear centrifuges in Natanz, Iran
• Alleged involvement of APT group(s) in
Israel and US
• Abused 4 0days in single attack!

5. Gh0stNet
• Widespread political espionage
• Discovered in 2009
• Compromised systems in 100+ countries
• Close to 30% systems belong to
diplomatic, political, economic, and
military targets
• Alleged involvement of APT group(s) in
China

6. Operation Aurora
• Aimed at multiple big corporations
including Google, Adobe, etc.
• Primary goal was to gain access to and
modify source code repositories at these
companies
• Widespread industrial espionage
• Alleged involvement of APT group(s) in
China
• Abused an IE 0day

7. Few recent APTs
• DNC email leak (2016)
• Bangladesh Bank cyber heist (2016)
• Olympic Destroyer (2018)
• Ukraine power outage (2015)
• Saudi Oil and Gas plant disruption (2017)

8. What’s an APT
• Targeted attack (Not every targeted attack is APT)
• Advanced
• Tools customized for target/campaign
• Deception and trickery
• Persistent
• Low and slow
• Hard to eradicate
• Well funded and staffed
• 0days, spearphising, rootkits, etc.
• Mostly involve nation state level groups

9. Goals
• Industrial and military Espionage
• Destruction
• Demonstration of power
• Financial motives
• Hacktivism

10. Attack Phases

11. APT actors and attribution
• There are real humans behind APTs
• Multiple groups can be
attributed to single country
• Attribution is a hard problem
• Pyramid of pain

12. Why there’s no end to it (yet!)
• Democracy of internet
• Lack of deterrence
• It’s an Arms Race!

13. Further resources
• Past APT reports https://github.com/kbandla/APTnotes
New location https://github.com/aptnotes/data
• ATT&CK framework, threats, actors etc. https://attack.mitre.org/
• Lockheed martin Kill chain
• The cuckoo’s egg: Tracking a Spy Through the Maze of Computer
Espionage
• Countdown to Zero Day: Stuxnet and the Launch of the World's First
Digital Weapon
• Pyramid of pain (in Attribution)

14. Demo
• Metasploit
• Armitage
• Simulating Attack phases