Provisioning the external infrastructure for Cyberspace Operations. A spotlight on Russian APT groups

Abstract

Advanced threat actors conduncting operations in cyberspace require the utilization of external infrastructure. This referes to elements of infrastructure available on the Internet, situated outside the target’s own premises. The analysis of this infrastructure and the techniques employed to bring it to full operational capacity constitute a pivotal factor in characterizing threat actors and their operations. However, the majority of the existing scientific and technical literature found focuses on internal infrastructure elements, particularly on malware implants, as well as on the tactics and techniques employed by the threat actor within their victim’s infrastructure. In this work a comprehensive analysis of this external infrastructure and its provisioning techniques is presented. While our research has primarily concentrated on Russian APT groups and their operations, our findings are equally applicable to all advanced groups and operations. The outcomes of our study can greatly assist analysts in characterizing these groups and their operations, especially with regards to attribution efforts. Our proposal follows a logical structure that can be easy to expand and adapt, and it can be used to improve commonly accepted industry standards such as MITRE ATT&CK.

Keywords

• Advanced Persistent Threat
• APT
• Russia
• Infrastructure
• Tactics
• techniques and procedures
• Resource development
• MITRE ATT&CK

References

1. [1] R. Ross et al., SP 800-39. Managing information security risk: Organization, mission, and information system view. National Institute of Standards & Technology, 2011.
2. [2] P. Chen, L. Desmet, and C. Huygens, “A study on advanced persistent threats,” in Communications and Multimedia Security: 15th IFIP TC 6/TC 11 International Conference, CMS 2014, Aveiro, Portugal, September 25-26, 2014. Proceedings 15. Springer, 2014, pp. 63–72.
3. [3] J. Carr, Inside cyber warfare: Mapping the cyber underworld. O’Reilly Media, Inc., 2012.
4. [4] K. Giles, “Information Troops. a russian cyber command?” in 2011 3rd International Conference on Cyber Conflict. IEEE, 2011, pp. 1–16.
5. [5] M. Connell and S. Vogler, “Russia’s approach to cyber warfare,” [Online]. Available: https://www.cna.org/archive/ CNA Files/pdf/dop-2016-u-014231-1rev.pdf, Center for Naval Analyses, Tech. Rep., September 2016.
6. [6] V. Akimenko and K. Giles, “Russia’s cyber and information warfare,” Asia policy, vol. 15, no. 2, pp. 67–75, 2020.
7. [7] M. Grzegorzewski, “Russian cyber operations: The relationship between the state and cybercriminals,” in Historical and legal aspects of cyber attacks on critical infrastructure, D. Caleta and J. F. Powers, Eds. Ministry of Defense, Republic of Slovenia, 2020, pp. 53–64.
8. [8] R. Morgus, B. Fonseca, K. Green, and A. Crowther, “Are china and russia on the cyber offensive in latin america and the caribbean? a review of their cyber capabilities and the implications for the US and its partners in the region,” [Online]. Available: http://newamerica.org/cybersecurity-initiative/reports/russiachina- cyber-offensive-latam-caribbean/, Tech. Rep., July 2019.

9. [9] C. Cunningham, “A russian federation information warfare primer,” [Online]. Available: https://jsis.washington.edu/news/ a-russian-federation-information-warfare-primer/, Henry M. Jackson School of International Studies. Washington University, Tech. Rep., 2020.
10. [10] B. Lilly, Russian Information Warfare: Assault on Democracies in the Cyber Wild West. Naval Institute Press, 2022.
11. [11] V. Nagy, “The geostrategic stuggle in cyberspace between the united states, china, and russia,” Academic and Applied Research in Military and Public Management Science, vol. 11, no. 1, pp. 13–26, 2012.
12. [12] S. Jasper, Russian Cyber Operations: Coding the Boundaries of Conflict. Georgetown University Press, 2022.
13. [13] R. Thornton and M. Miron, “Winning future wars: Russian offensive cyber and its vital importance,” The Cyber Defense Review, vol. 7, no. 3, pp. 117–135, 2022.
14. [14] B. Lilly and J. Cheravitch, “The past, present, and future of russia’s cyber strategy and forces,” in 2020 12th International Conference on Cyber Conflict (CyCon), vol. 1300. IEEE, 2020, pp. 129–155.
15. [15] J. V. Brock and B. Zagaris, “Cybercrime, high-value art, and economic sanctions,” IELR, vol. 36, p. 315, 2020.
16. [16] T. Steffens, Attribution of Advanced Persistent Threats. Springer, 2020.
17. [17] “Threat Group Cards: A Threat Actor Encyclopedia,” [Online]. Available: https://apt.etda.or.th/cgi-bin/aptgroups.cgi, February 2023.
18. [18] A. Lemay, J. Calvet, F. Menet, and J. M. Fernandez, “Survey of publicly available reports on advanced persistent threat actors,” Computers & Security, vol. 72, pp. 26–59, 2018.
19. [19] F-Secure, “The dukes: 7 years of russian cyberespionage,” [Online]. Available: https://blog-assets.f-secure.com/wpcontent/ uploads/2020/03/18122307/F-Secure Dukes Whitepaper.pdf, F–Secure, Tech. Rep., September 2015.
20. [20] I. Thornton-Trump CD, “Russia: the cyber global protagonist,” EDPACS, vol. 65, no. 3, pp. 19–26, 2022.
21. [21] M. Pellegrino, “The threat of state-sponsored industrial espionage,” [Online]. Available: https://op.europa.eu/en/ publication-detail/-/publication/9de4b721-6256-43f0-b7df- 988e3c4c9451, Tech. Rep., June 2015.
22. [22] K. Hemsley and R. Fisher, “A history of cyber incidents and threats involving industrial control systems,” in Critical Infrastructure Protection XII: 12th IFIP WG 11.10 International Conference, ICCIP 2018, Arlington, VA, USA, March 12-14, 2018, Revised Selected Papers 12. Springer, 2018, pp. 215– 242. [23] J. E. Vinnem and I. B. Utne, “Risk from cyberattacks on autonomous ships,” in Safety and Reliability–Safe Societies in a Changing World. CRC Press, 2018, pp. 1485–1492.
23. [24] D. Kapur, T. Shloman, R. Venal, and J. Fokker, “Cyberattacks targeting ukraine increase 20–fold at end of 2022 fueled by russia-linked gamaredon activity,” Global Security Mag, 2023.
24. [25] M. Schwarz, M. Marx, and H. Federrath, “A structured analysis of information security incidents in the maritime sector,” arXiv preprint arXiv:2112.06545, 2021.
25. [26] S. Nate and L. Leca, “Cybersecurity and hybrid warfare challenges in the black sea region,” International Journal of Cyber Diplomacy, vol. 1, 2020.
26. [27] J. Juutilainen, “Cyber warfare: A part of the russo-ukrainian war in 2022,” Ph.D. dissertation, JAMK University of Applied Sciences, September 2022.
27. [28] Z. Hromcov´a and A. Chereanov, “Invisimole: the hidden part of the story. unearthing invisimole’s espionage toolset and strategic cooperations,” [Online]. Available: https://webassets. esetstatic.com/wls/2020/06/ESET InvisiMole.pdf, ESET, Tech. Rep., June 2020.
28. [29] J. A. Guerrero-Saade, C. Raiu, D. Moore, and T. Rid, “Penquin’s moonlit maze. the dawn of nation-state digital espionage,” [Online]. Available: https://media. kasperskycontenthub.com/wp-content/uploads/sites/43/2018/ 03/07180251/Penquins Moonlit Maze PDF eng.pdf, Tech. Rep., 2017.
29. [30] M. Faou, “Turla lightneuron. one email away from remote code execution,” [Online]. Available: https://www.welivesecurity. com/2019/05/07/turla-lightneuron-email-too-far/, ESET, Tech. Rep., May 2019.
30. [31] A. Drozhzhin, “Russian-speaking cyber spies exploit satellites,” [Online]. Available: https://www.kaspersky.com/blog/ turla-apt-exploiting-satellites/9771/, Kaspersky, Tech. Rep., September 2015.
31. [32] S. Tanase, “Satellite turla: Apt command and control in the sky,” [Online]. Available: https://securelist.com/satellite-turlaapt- command-and-control-in-the-sky/72081/, SecureList, Tech. Rep., September 2015.
32. [33] D. Housen-Couriel, “Cybersecurity threats to satellite communications: Towards a typology of state actor responses,” Acta Astronautica, vol. 128, pp. 409–415, 2016.
33. [34] A. Greenberg, Sandworm: A new era of cyberwar and the hunt for the Kremlin’s most dangerous hackers. Anchor, 2019.
34. [35] A. Carlsson and R. Gustavsson, “The art of war in the cyber world,” in 2017 4th International Scientific-Practical Conference Problems of Infocommunications. Science and Technology (PIC S&T). IEEE, 2017, pp. 42–44.
35. [36] E. Izycki and E. W. Vianna, “Critical infrastructure: A battlefield for cyber warfare?” in ICCWS 2021 16th International Conference on Cyber Warfare and Security. Academic Conferences Limited, 2021, p. 454.
36. [37] Y. Meijaard, P.-P. Meiler, and L. Allodi, “Modelling disruptive apts targeting critical infrastructure using military theory,” in 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 2021, pp. 178–190.
37. [38] L. Kharouni, F. Hacquebord, N. Huq, J. Gogolinski, F. Mercˆes, A. Remorin, and D. Otis, “Operation pawn storm: Using decoys to evade detection,” [Online]. Available: https://documents.trendmicro.com/assets/wp/wp-operationpawn- storm.pdf, Trendmicro, Tech. Rep., October 2014.
38. [39] FireEye, “Apt28: A window into russia’s cyber espionage operations,” [Online]. Available: https: //services.google.com/fh/files/misc/apt28-window-russiacyber- espionage-operations.pdf, FireEye, Tech. Rep., September 2014.
39. [40] ESET, “En route with sednit,” [Online]. Available: https://web-assets.esetstatic.com/wls/en/papers/whitepapers/ eset-sednit-full.pdf, ESET, Tech. Rep., October 2016.
40. [41] FireEye, “Apt28: at the center of the storm. russia strategically evolves its cyber operations,” [Online]. Available: https://www. https://mandiant.com/resources/reports/apt28-center-storm,%20FireEye,%20Tech.%20Rep.,%20January%202017
41. [42] N. Inkster, “Information warfare and the us presidential election,” Survival, vol. 58, no. 5, pp. 23–32, 2016.
42. [43] B. Jensen, B. Valeriano, and R. Maness, “Fancy bears and digital trolls: Cyber strategy with a russian twist,” Journal of Strategic Studies, vol. 42, no. 2, pp. 212–234, 2019.
43. [44] F. Intelligence, “TRITON attribution: Russian governmentowned lab most likely built custom intrusion tools for TRITON attackers,” [Online]. Available: https://cloud.google. com/blog/topics/threat-intelligence/triton-attribution-russiangovernment- owned-lab-most-likely-built-tools, Mandiant, Tech. Rep., October 2018.
44. [45] A. Di Pinto, Y. Dragoni, and A. Carcano, “Triton: The first ics cyber attack on safety instrument systems,” in Proc. Black Hat USA, vol. 2018, 2018, pp. 1–26.
45. [46] J. Slowik, “Zeroing in on Xenotime: Analysis of the entities responsible for the TRITON event,” in 2022 Virus Bulletin localhost, September 2022.
46. [47] J. A. Guerrero-Saade, “Draw me like one of your French APTs – expanding our descriptive palette for cyber threat actors,” in 2018 Virus Bulletin Conference, October 2018, pp. 1–20.
47. [48] Checkpoint, “Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine,” [Online]. Available: https://research.checkpoint.com/2022/cloud-atlastargets- entities-in-russia-and-belarus-amid-the-ongoing-warin- ukraine/, Checkpoint Research, Tech. Rep., December 2022.
48. [49] C. T. I. Team, “Who is ember bear?” [Online]. Available: https://www.crowdstrike.com/blog/who-is-ember-bear/, CrowdStrike, Tech. Rep., March 2022.
49. [50] J. Lelonek, “Analyzing russia’s conventional and cyber operations in ukraine,” Ph.D. dissertation, Utica University, 2022.
50. [51] B. E. Strom, J. A. Battaglia, M. S. Kemmerer, W. Kupersanin, D. P. Miller, C. Wampler, S. M. Whitley, and R. D. Wolf, “Finding cyber threats with ATT&CK™-based analytics,” [Online]. Available: https://apps.dtic.mil/sti/trecms/pdf/ AD1107945.pdf, MITRE Technical Report MTR170202. The MITRE Corporation, Tech. Rep., 2017.
51. [52] W. Xiong, E. Legrand, O. A˚ berg, and R. Lagerstro¨m, “Cyber security threat modeling based on the MITRE enterprise ATT&CK matrix,” Software and Systems Modeling, vol. 21, no. 1, pp. 157–177, 2022.
52. [53] R. Al-Shaer, J. M. Spring, and E. Christou, “Learning the associations of mitre att&ck adversarial techniques,” in 2020 IEEE Conference on Communications and Network Security (CNS). IEEE, 2020, pp. 1–9.
53. [54] T. Nelson and H. Kettani, “Open source powershell-written post exploitation frameworks used by cyber espionage groups,” in 2020 3rd International Conference on Information and Computer Technologies (ICICT). IEEE, 2020, pp. 451–456.
54. [55] R. Benito, “An automated post-exploitation model for offensive cyberspace operations,” Ph.D. dissertation, Monterey, CA; Naval Postgraduate School, 2022.
55. [56] I. Ghafir, V. Prenosil et al., “Advanced persistent threat attack detection: an overview,” International Journal of Advancements in Computer Networks and its Security, vol. 4, no. 4, p. 5054, December 2014.
56. [57] M. Ussath, D. Jaeger, F. Cheng, and C. Meinel, “Advanced persistent threats: Behind the scenes,” in 2016 Annual Conference on Information Science and Systems (CISS). IEEE, 2016, pp. 181–186.
57. [58] G. Wang, J. W. Stokes, C. Herley, and D. Felstead, “Detecting malicious landing pages in malware distribution networks,” in 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 2013, pp. 1–11.
58. [59] M. Monte, Network Attacks and Exploitation. A Framework. John Wiley and sons, July 2015.
59. [60] ANSSI, “Phishing campaigns by the NOBELIUM intrusion set,” [Online]. Available: https://www.cert.ssi.gouv.fr/uploads/ CERTFR-2021-CTI-011.pdf, Agence Nationale de la S´ecurit´e des Syst`emes d’Information, Tech. Rep., December 2021.
60. [61] M. Dunwoody, A. Thompson, B. Withnell, J. Leathery, M. Matonis, and N. Carr, “Not so cozy: An uncomfortable examination of a suspected apt29 phishing campaign,” [Online]. Available: https://cloud.google.com/blog/ topics/threat-intelligence/not-so-cozy-an-uncomfortableexamination- of-a-suspected-apt29-phishing-campaign, FireEye, Tech. Rep., November 2018.
61. [62] M. T. I. Center, “New sophisticated email-based attack from NOBELIUM,” [Online]. Available: https://www.microsoft.com/en-us/security/blog/2021/05/ 27/new-sophisticated-email-based-attack-from-nobelium/, Microsoft Threat Intelligence Center, Tech. Rep., May 2021.
62. [63] D. of Homeland Security, “Enhanced analysis of grizzly steppe activity,” [Online]. Available: https: //www.cisa.gov/sites/default/files/publications/AR-17-20045 Enhanced Analysis of GRIZZLY STEPPE Activity.pdf, Department of Homeland Security, Tech. Rep., February 2017.
63. [64] R. Nafisi and A. Lelli, “GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence,” [Online]. Available: https://www.microsoft.com/enus/ security/blog/2021/03/04/goldmax-goldfinder-sibotanalyzing- nobelium-malware/, Microsoft Threat Intelligence Center, Tech. Rep., March 2021.
64. [65] J. Wolfram, S. Hawley, T. McLellan, N. Simonian, and A. Vejlby, “Trello from the other side: Tracking apt29 phishing campaigns,” [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/ tracking-apt29-phishing-campaigns, Mandiant, Tech. Rep., April 2022.
65. [66] K. Baumgartner and C. Raiu, “The CozyDuke APT,” [Online]. Available: https://securelist.com/the-cozyduke-apt/ 69731/, Kaspersky, Tech. Rep., April 2015.
66. [67] L. Smith, J. Leathery, and B. Read, “New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452,” [Online]. Available: https://www.mandiant.com/resources/blog/sunshuttle-secondstage- backdoor-targeting-us-based-entity, Mandiant, Tech. Rep., March 2021.
67. [68] E. Research, “Operation ghost: The dukes aren’t back – they never left,” [Online]. Available: https://www.welivesecurity. com/2019/10/17/operation-ghost-dukes-never-left/, ESET, Tech. Rep., October 2019.
68. [69] CISA, “MAR-10327841-1.v1 – SUNSHUTTLE,” [Online]. Available: https://www.cisa.gov/news-events/analysis-reports/ ar21-105a, Cybersecurity & Infrastructure Security Agency, Tech. Rep., April 2021.
69. [70] D. Alperovitch, “Bears in the Midst: Intrusion Into the Democratic National Committee,” [Online]. Available: https://www.crowdstrike.com/blog/bears-midst-intrusiondemocratic- national-committee/, CrowdStrike, Tech. Rep., June 2016.
70. [71] C. Intelligence, “Early bird catches the wormhole: Observations from the stellarparticle campaign,” [Online]. Available: https://www.crowdstrike.com/blog/observationsfrom- the-stellarparticle-campaign/, CrowdStrike, Tech. Rep., January 2022.
71. [72] D. Bienstock, M. Derr, J. Madeley, T. Mclellan, and C. Gardner, “Unc3524: Eye spy on your email,” [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/ unc3524-eye-spy-email, FireEye, Tech. Rep., May 2022.
72. [73] FireEye, “Hammertoss: stealthy tactics define a Russian cyber threat group,” [Online]. Available: https://www.mandiant.com/resources/reports/hammertossstealthy- tactics-define-russian-cyber-threat-group, Fireeye, Tech. Rep., July 2015.
73. [74] P. W. Coopers, “How wellmess malware has been used to target covid-19 vaccines,” [Online]. Available: https://www.pwc.co.uk/issues/cyber-security-services/insights/ cleaning-up-after-wellmess.html, Price Waterhouse Coopers, Tech. Rep., July 2020.
74. [75] PwC, “Wellmess malware: analysis of its command and control (c2) server,” [Online]. Available: https://www.pwc.co.uk/issues/cyber-security-services/insights/ wellmess-analysis-command-control.html, Price Waterhouse Coopers, Tech. Rep., August 2020.
75. [76] K. I. CERT, “Energetic bear/crouching yeti: attacks on servers,” [Online]. Available: https://securelist.com/energeticbear- crouching-yeti/85345/, Kaspersky, Tech. Rep., April 2018.
76. [77] J. Hanrahan, “How adversaries use spear phishing to target engineering staff,” [Online]. Available: https://www.dragos.com/blog/how-adversaries-use-spearphishing- to-target-engineering-staff/, Dragos, Inc., Tech. Rep., October 2022.
77. [78] S. S. Response, “Dragonfly: Cyberespionage attacks against energy suppliers,” [Online]. Available: https: //icscsi.org/library/Documents/Cyber Events/Symantec%20- %20Security%20Response%20-%20Dragonfly%20v1.2.pdf, Symantec, Tech. Rep., July 2014.
78. [79] CISA, “Advanced persistent threat activity targeting energy and other critical infrastructure sectors,” [Online]. Available: https://www.cisa.gov/news-events/alerts/2017/10/ 20/advanced-persistent-threat-activity-targeting-energy-andother, Cybersecurity & Infrastructure Security Agency, Tech. Rep., March 2018.
79. [80] Cybersecurity and I. S. Agency, “Russian State-Sponsored Advanced Persistent Threat Actor Compromises US Government Targets,” [Online]. Available: https://www.cisa.gov/newsevents/ cybersecurity-advisories/aa20-296a, Cybersecurity & Infrastructure Security Agency, Tech. Rep., December 2020.
80. [81] J. Slowik, “The baffling Berserk Bear: a decade’s activity targeting critical infrastructure,” in 2021 Virus Bulletin localhost, October 2021.
81. [82] C. T. U. R. Team, “Mcmd malware analysis,” [Online]. Available: https://www.secureworks.com/research/mcmd-malwareanalysis, Secureworks, Tech. Rep., July 2019.
82. [83] T. H. Team, “Dragonfly: Western energy sector targeted by sophisticated attack group,” [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threatintelligence/ dragonfly-energy-sector-cyber-attacks, Symantec, Tech. Rep., October 2017.
83. [84] H. N. S. Authority and C. L. M. I. Team, “Teamspy – obshie manevri. ispolzovat’ tolko s razreshenija s-a,” [Online]. Available: https://blog.crysys.hu/2013/03/teamspy/, Laboratory of Cryptography and System Security, Tech. Rep., March 2013.
84. [85] K. Livelli and J. Gross, “Energetic DragonFly DYMALLOY Bear 2.0,” [Online]. Available: https://blogs.blackberry.com/en/ 2018/03/energetic-dragonfly-dymalloy-bear-2-0, BlackBerry, Tech. Rep., March 2018.
85. [86] C. T. U. R. Team, “Own the router, own the traffic,” [Online]. Available: https://www.secureworks.com/blog/own-the-routerown- the-traffic, Secureworks, Tech. Rep., July 2019.
86. [87] A. Kasza and D. Reichel, “The gamaredon group toolset evolution,” [Online]. Available: https://unit42.paloaltonetworks. com/unit-42-title-gamaredon-group-toolset-evolution/, PaloAlto Networks, Tech. Rep., February 2017.
87. [88] Unit42, “Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine,” [Online]. Available: https://unit42.paloaltonetworks.com/gamaredon-primitivebear- ukraine-update-2021/, PaloAlto Networks, Tech. Rep., February 2022.
88. [89] M. T. I. Center, “ACTINIUM targets Ukrainian organizations,” [Online]. Available: https://www.microsoft.com/enus/ security/blog/2022/02/04/actinium-targets-ukrainian-organizations/, Microsoft Threat Intelligence Center, Tech. Rep., February 2022.
89. [90] G. Mele, Y. Polozov, and T. Gould, “Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes,” [Online]. Available: https://www.anomali.com/blog/primitive-beargamaredon- targets-ukraine-with-timely-themes, Anomali, Tech. Rep., April 2021.
90. [91] O. M. Erdogan, “Network footprints of gamaredon group,” [Online]. Available: https://blogs.cisco.com/security/networkfootprints- of-gamaredon-group, Cisco, Tech. Rep., May 2022.
91. [92] K. Hiroyuki and E. Maruyama, “Gamaredon apt group use covid-19 lure in campaigns,” [Online]. Available: https://www.trendmicro.com/fr fr/research/20/d/gamaredonapt- group-use-covid-19-lure-in-campaigns.html, Trendmicro, Tech. Rep., April 2020.
92. [93] C. UA, “Cert–ua 4434. cyber attack of the uac-0010 group (armageddon) on the state organizations of ukraine,” [Online]. Available: https://cert.gov.ua/article/39386, Computer Emergency Response Team of Ukraine, Tech. Rep., April 2022.
93. [94] J. Lewis, “Operation armageddon: Cyber espionage as a strategic component of russian modern warfare,” [Online]. Available: https://www. ecirtam.net/autoblogs/autoblogs/lamaredugoffrblog 6aa4265372739b936776738439d4ddb430f5fa2e/media/ 88e3da25.Operation Armageddon FINAL.pdf, LookingGlass, Tech. Rep., April 2015.
94. [95] C. UA, “Cert–ua 5134. cyberattacks of the uac-0010 group (armageddon): malicious programs gammaload, gammasteel,” [Online]. Available: https://cert.gov.ua/article/1229152, Computer Emergency Response Team of Ukraine, Tech. Rep., October 2022.
95. [96] U. 42, “Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine,” [Online]. Available: https://unit42.paloaltonetworks. com/trident-ursa/, PaloAlto Networks, Tech. Rep., December 2022.
96. [97] Y. T. Intelligence, “The Russian Shadow in Eastern Europe: Ukrainian MOD Campaign,” [Online]. Available: https://yoroi.company/en/research/the-russian-shadow-ineastern- europe-ukrainian-mod-campaign/, Yoroi, Tech. Rep., April 2019.
97. [98] I. Group, “Operation gamework: infrastructure overlaps found between bluealpha and iranian apts,” [Online]. Available: https://go.recordedfuture.com/hubfs/reports/cta- 2019-1212.pdf, Recorded Future, Tech. Rep., December 2019.
98. [99] T. H. Team, “Shuckworm continues cyber-espionage attacks against ukraine,” [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threatintelligence/ shuckworm-gamaredon-espionage-ukraine, Symantec, Tech. Rep., January 2022.
99. [100] Z. Hromcov´a, “Invisimole: Surprisingly equipped spyware, undercover since 2013,” [Online]. Available: https://www.welivesecurity.com/2018/06/07/invisimoleequipped- spyware-undercover/, ESET, Tech. Rep., June 2018.
100. [101] Z. Hromcova, “Invisimole: First-class persistence through second-class exploits,” [Online]. Available: https://securitymea.com/tag/invisimole-first-class-persistencethrough- second-class-exploits/, ESET, Tech. Rep., September 2020.
101. [102] G. Research and A. Team, “The epic turla operation,” [Online]. Available: https://securelist.com/the-epic-turlaoperation/ 65545/, Kaspersky, Tech. Rep., August 2014.
102. [103] J. Wrolstad and B. Bengerik, “Pinpointing targets: exploiting web analytics to ensnare victims,” [Online]. Available: https://vulners.com/fireeye/FIREEYE: 1245EEC5103BC50641AB2958AAEFECDE, FireEye, Tech. Rep., November 2015.
103. [104] S. S. Response, “The waterbug attack group,” [Online]. Available: https://docs.broadcom.com/doc/waterbug-attack-group, Symantec, Tech. Rep., January 2016.
104. [105] J.-I. Boutin, “Turla’s watering hole campaign: An updated firefox extension abusing instagram,” [Online]. Available: https://www.welivesecurity.com/2017/06/06/turlas-wateringhole- campaign-updated-firefox-extension-abusing-instagram/, ESET, Tech. Rep., June 2017.
105. [106] G. Research and A. Team, “Shedding skin – turla’s fresh faces,” [Online]. Available: https://securelist.com/sheddingskin- turlas-fresh-faces/88069/, Kaspersky, Tech. Rep., October 2018.
106. [107] K. GReAT, “Turla renews its arsenal with Topinambour,” [Online]. Available: https://securelist.com/turla-renewsits- arsenal-with-topinambour/91687/, Kaspersky, Tech. Rep., July 2019.
107. [108] B. Leonard, “Update on cyber activity in Eastern Europe,” [Online]. Available: https://blog.google/threat-analysis-group/ update-on-cyber-activity-in-eastern-europe/, Google Threat Analysis Group, Tech. Rep., May 2023.
108. [109] S. Threat and D. R. Team, “TURLA’s new phishingbased reconnaissance campaign in Eastern Europe,” [Online]. Available: https://blog.sekoia.io/turla-new-phishingcampaign- eastern-europe/, Sekoia.IO, Tech. Rep., May 2022.
109. [110] M. Faou, “From agent.btz to comrat v4,” [Online]. Available: https://www.welivesecurity.com/2020/05/26/agentbtzcomratv4- ten-year-journey/, ESET, Tech. Rep., May 2020.
110. [111] I. Group, “Swallowing the snake’s tail: Tracking turla infrastructure,” [Online]. Available: https://go.recordedfuture.com/ hubfs/reports/cta-2020-0312.pdf, Recorded Future, Tech. Rep., March 2020.
111. [112] A. C. T. Intelligence, “Turla uses hyperstack, carbon, and kazuar to compromise government entity,” [Online]. Available: https://www.accenture.com/us-en/blogs/cyber-defense/turlabelugasturgeon- compromises-government-entity, Accenture, Tech. Rep., October 2020.
112. [113] H. Unterbrink, “Tinyturla - turla deploys new malware to keep a secret backdoor on victim machines,” [Online]. Available: https://blog.talosintelligence.com/tinyturla/,%20Cisco%20Talos%20Intelligence,%20Tech.%20Rep.,%20September%202021.
113. [114] M. Faou, “Turla crutch: Keeping the “back door” open,” [Online]. Available: https://www.welivesecurity.com/2020/12/ 02/turla-crutch-keeping-back-door-open/, ESET, Tech. Rep., December 2020.
114. [115] N. S. Agency and N. C. S. Centre, “Turla Group Exploits Iranian APT To Expand Coverage Of Victims,” [Online]. Available: https://www.ncsc.gov.uk/news/turla-group-exploits-iranapt- to-expand-coverage-of-victims, NSA/NCSC, Tech. Rep., October 2019.
115. [116] V. Mavroeidis, R. Hohimer, T. Casey, and A. Jesang, “Threat actor type inference and characterization within cyber threat intelligence,” in 2021 13th International Conference on Cyber Conflict (CyCon). IEEE, 2021, pp. 327–352.
116. [117] S. T. Intelligence, “Waterbug: Espionage group rolls out brand-new toolset in attacks against governments,” [Online]. Available: https://symantec-enterprise-blogs.security.com/ blogs/threat-intelligence/waterbug-espionage-governments, Symanteec, Tech. Rep., June 2019.
117. [118] E. Research, “Carbon paper: Peering into turla’s second stage backdoor,” [Online]. Available: https://www.welivesecurity.com/2017/03/30/carbon-paperpeering- turlas-second-stage-backdoor/, ESET, Tech. Rep., March 2017.
118. [119] B. Bartholomew, “Kopiluwak: A new javascript payload from turla,” [Online]. Available: https://securelist.com/kopiluwaka- new-javascript-payload-from-turla/77429/, Kaspersky, Tech. Rep., February 2017.
119. [120] D. Huss, “Turla apt actor refreshes kopiluwak javascript backdoor for use in g20-themed attack,” [Online]. Available: https://www.proofpoint.com/us/threat-insight/post/turla-aptactor- refreshes-kopiluwak-javascript-backdoor-use-g20- themed-attack, Proofpoint, Tech. Rep., August 2017.
120. [121] ESET, “Gazing at gazer. turla’s new second stage backdoor,” [Online]. Available: https://web-assets.esetstatic.com/ wls/2017/08/eset-gazer.pdf, ESET, Tech. Rep., August 2017.
121. [122] GovCERT.ch, “APT Case RUAG,” [Online]. Available: https://www.ncsc.admin.ch/dam/ncsc/en/dokumente/ dokumentation/fachberichte/technical%20report%20ruag. pdf.download.pdf/Report Ruag-Espionage-Case.pdf, GovCERT.ch, Tech. Rep., May 2016.
122. [123] K. Baumgartner and C. Raiu, “The ‘penquin’ turla,” [Online]. Available: https://securelist.com/the-penquin-turla-2/ 67962/, Kaspersky, Tech. Rep., December 2014.
123. [124] S. W. Brady, “United States vs. Yuriy Sergeyevich Andrienko et al.” [Online]. Available: https://storage.courtlistener.com/ recap/gov.uscourts.pawd.272394/gov.uscourts.pawd.272394.1. 0.pdf, US District Court. Western District of Pennsylvania, Tech. Rep., October 2020.
124. [125] G. Research and A. Team, “Olympicdestroyer is here to trick the industry,” [Online]. Available: https://securelist.com/olympicdestroyer-is-here-to-trickthe- industry/84295/, Kaspersky, Tech. Rep., March 2018.
125. [126] J. Slowik, “Centreon to exim and back: On the trail of sandworm,” [Online]. Available: https: //www.domaintools.com/resources/blog/centreon-to-eximand- back-on-the-trail-of-sandworm/, DomainTools, Tech. Rep., March 2021.
126. [127] G. Research and A. Team, “Hades, the actor behind olympic destroyer is still alive,” [Online]. Available: https://securelist. com/olympic-destroyer-is-still-alive/86169/, Kaspersky, Tech. Rep., June 2018.
127. [128] ANSSI, “Sandworm intrusion set campaign targeting centreon systems,” [Online]. Available: https://www.cert.ssi.gouv.fr/cti/ CERTFR-2021-CTI-005/, Agence Nationale de la S´ecurit´e des Syst`emes d’Information, Tech. Rep., January 2021.
128. [129] N. S. Agency, “Sandworm actors exploiting vulnerability in exim mail transfer agent,” [Online]. Available: https://media.defense.gov/2020/May/28/2002306626/-1/- 1/0/CSA-Sandworm-Actors-Exploiting-Vulnerability-in- Exim-Transfer-Agent-20200528.pdf, NSA, Tech. Rep., May 2020.
129. [130] N. C. S. Centre, “Cyclops blink. malware analysis report,” [Online]. Available: https://www.ncsc.gov.uk/files/Cyclops-Blink- Malware-Analysis-Report.pdf, National Cyber Security Centre, Tech. Rep., February 2022.
130. [131] K. Baumgartner and M. Garnaeva, “Be2 extraordinary plugins, siemens targeting, dev fails,” [Online]. Available: https://securelist.com/be2-extraordinary-plugins-siemenstargeting- dev-fails/68838/, Kaspersky, Tech. Rep., February 2015.
131. [132] A. Cherepanov, “Telebots are back: Supply-chain attacks against ukraine,” [Online]. Available: https://www.welivesecurity.com/2017/06/30/telebots-backsupply- chain-attacks-against-ukraine/, ESET, Tech. Rep., June 2017.
132. [133] S. Huntley, “An update on the threat landscape,” [Online]. Available: https://blog.google/threat-analysis-group/updatethreat- landscape-ukraine/, Google, Tech. Rep., March 2022.
133. [134] F. Hacquebord, “Pawn storm in 2019. a year of scanning and credential phishing on high-profile targets,” [Online]. Available: https://documents.trendmicro.com/assets/ white papers/wp-pawn-storm-in-2019.pdf, Trend Micro Research, Tech. Rep., March 2020.
134. [135] Microsoft, “Microsoft security intelligence report,” [Online]. Available: https://download.microsoft.com/download/E/8/B/ E8B5CEE5-9FF6-4419-B7BF-698D2604E2B2/Microsoft Security Intelligence Report Volume 20 English.pdf, Tech. Rep., November 2015.
135. [136] M. Elias, “Prime minister’s office compromised: Details of recent espionage campaign,” [Online]. Available: https://www.trellix.com/blogs/research/prime-ministersoffice- compromised/, Trellix, Tech. Rep., January 2022.
136. [137] C. Guarnieri, “Digital attack on german parliament: Investigative report on the hack of the left party infrastructure in bundestag,” [Online]. Available: https://netzpolitik.org/2015/digital-attack-on-germanparliament- investigative-report-on-the-hack-of-the-leftparty- infrastructure-in-bundestag/, Netzpolitik, Tech. Rep., June 2015.
137. [138] C. T. I. Team, “In the footsteps of the fancy bear: Powerpoint mouse-over event abused to deliver graphite implants,” [Online]. Available: https://www.duskrise.com/2022/09/23/inthe- footsteps-of-the-fancy-bear-powerpoint-mouse-overevent- abused-to-deliver-graphite-implants/, DuskRise, Tech. Rep., September 2022.
138. [139] Z. Bederna and T. Szadeczky, “Cyber espionage through botnets,” Security Journal, vol. 33, no. 1, pp. 43–62, 2020.
139. [140] Q. Wu, Q. Li, D. Guo, and X. Meng, “Exploring the vulnerability in the inference phase of advanced persistent threats,” International Journal of Distributed Sensor Networks, vol. 18, no. 3, 2022.
140. [141] Root9B, “APT28 targets financial markets,” [Online]. Available: https://github.com/jack8daniels2/threat- INTel/blob/master/2015/FSOFACY.pdf, Root9B, Tech. Rep., May 2015.
141. [142] R. Falcone and B. Lee, “New Sofacy Attacks Against US Government Agency,” [Online]. Available: https://unit42.paloaltonetworks.com/unit42-new-sofacyattacks- against-us-government-agency/, Unit42. PaloAlto Networks, Tech. Rep., June 2016.
142. [143] D. Creus, T. Halfpop, and R. Falcone, “Sofacy’s ‘Komplex’ OS X Trojan,” [Online]. Available: https://unit42.paloaltonetworks.com/unit42-sofacys-komplexos- x-trojan/, Unit42. PaloAlto Networks, Tech. Rep., September 2016.
143. [144] B. Lee and R. Falcone, “Sofacy group’s parallel attacks,” [Online]. Available: https://unit42.paloaltonetworks.com/unit42- sofacy-groups-parallel-attacks/, Unit42. PaloAlto Networks, Tech. Rep., June 2018.
144. [145] E. Research, “Lojax: First uefi rootkit found in the wild, courtesy of the sednit group,” [Online]. Available: https://www.welivesecurity.com/2018/09/27/lojax-first-uefirootkit- found-wild-courtesy-sednit-group/, ESET, Tech. Rep., September 2018.
145. [146] J. Kennedy, “A Zebra in Gopher’s Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy,” [Online]. Available: https://intezer.com/blog/research/russian-apt-uses-covid- 19-lures-to-deliver-zebrocy/, Intezer, Tech. Rep., December 2020.
146. [147] G. Research and A. Team, “A slice of 2017 sofacy activity,” [Online]. Available: https://securelist.com/a-slice-of- 2017-sofacy-activity/83930/, Kaspersky, Tech. Rep., February 2018.
147. [148] O. Eichelsheim, “GRU close access cyber operation against OPCW,” [Online]. Available: https://english.defensie.nl/ downloads/publications/2018/10/04/gru-close-access-cyberoperation- against-opcw, Dutch Defence Intelligence & Security Service (Alankomaat), Tech. Rep., October 2018.
148. [149] L. Smith-Spark and K. Polglase, “Netherlands officials say they caught russian spies targeting chemical weapons body,” CNN, October 2018.
149. [150] S. Miller, N. Brubaker, D. K. Zafra, and D. Caban, “Triton actor ttp profile, custom attack tools, detections, and att&ck mapping,” [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/tritonactor- ttp-profile-custom-attack-tools-detections, Fireeye Threat Response, Tech. Rep., April 2019.
150. [151] Dragos, “ICS/OT cybersecurity. Year in review 2022,” [Online]. Available: https://hub.dragos.com/hubfs/312-Yearin- Review/2022/Dragos Year-In-Review-Exec-Summary- 2022.pdf, Dragos, Inc., Tech. Rep., February 2023.
151. [152] J. Slowik, “The continuous conundrum of cloud atlas,” [Online]. Available: https://www.domaintools.com/ resources/blog/the-continuous-conundrum-of-cloud-atlas/, DomainTools, Tech. Rep., February 2021.
152. [153] P. E. S. Center, “APT Cloud Atlas: Unbroken Threat,” [Online]. Available: https://www.ptsecurity.com/wwen/ analytics/pt-esc-threat-intelligence/apt-cloud-atlasunbroken- threat/, Positive Technologies, Tech. Rep., December 2022. [154] T. Lancaster, “Inception attackers target Europe with year-old office vulnerability,” [Online]. Available: https://unit42.paloaltonetworks.com/unit42-inceptionattackers- target-europe-year-old-office-vulnerability/, Unit42. PaloAlto Networks, Tech. Rep., November 2018.
153. [155] G. Research and A. Team, “Recent cloud atlas activity,” [Online]. Available: https://securelist.com/recent-cloud-atlasactivity/ 92016/, Kaspersky, Tech. Rep., August 2019.
154. [156] P. E. S. Center, “Apt cloud atlas: Unbroken threat,” [Online]. Available: https://www.ptsecurity.com/ww-en/analytics/ptesc- threat-intelligence/apt-cloud-atlas-unbroken-threat/, Positive Technologies, Tech. Rep., December 2022.
155. [157] G. Research and A. Team, “The “red october” campaign – an advanced cyber espionage network targeting diplomatic and government agencies,” [Online]. Available: https://www.kaspersky.com/about/pressreleases/ 2013 kaspersky-lab-identifies-operation--redoctober-- an-advanced-cyber-espionage-campaign-targetingdiplomatic- and-government-institutions-worldwide, Kaspersky, Tech. Rep., January 2013.
156. [158] K. GReAT, “Cloud Atlas: RedOctober APT is back in style,” [Online]. Available: https://securelist.com/cloudatlas- redoctober-apt-is-back-in-style/68083/, Kaspersky, Tech. Rep., December 2014.
157. [159] T. H. Team, “Inception framework: Alive and well, and hiding behind proxies,” [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threatintelligence/ inception-framework-hiding-behind-proxies, Symantec, Tech. Rep., March 2018.
158. [160] Unit42, “Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot,” [Online]. Available: https://unit42.paloaltonetworks.com/ukraine-targeted-outsteelsaintbot/, PaloAlto Networks, Tech. Rep., February 2022.
159. [161] C. UA, “Cert–ua 4145. cyber attack on state organizations of ukraine using malicious programs cobalt strike beacon, grimplant and graphsteel,” [Online]. Available: https://cert. gov.ua/article/37704, Computer Emergency Response Team of Ukraine, Tech. Rep., March 2022.
160. [162] J. Kennedy and N. Fishbein, “Elephant framework delivered in phishing attacks against ukrainian organizations,” [Online]. Available: https://intezer.com/blog/research/elephant-malwaretargeting- ukrainian-orgs/, Intezer, Tech. Rep., April 2022.
161. [163] Hasherezade, H. Jazi, and E. Noerenber, “A deep dive into saint bot, a new downloader,” [Online]. Available: https://www.malwarebytes.com/blog/threatintelligence/ 2021/04/a-deep-dive-into-saint-bot-downloader, Malware Bytes, Tech. Rep., April 2021.
162. [164] R. Falcone, M. Harbison, and J. Grunzweig, “Threat brief: Ongoing russia and ukraine cyber activity,” [Online]. Available: https://register.paloaltonetworks.com/ unit42briefingrussiaukraine, Unit42. PaloAlto Networks, Tech. Rep., January 2022.
163. [165] A. B. S. Ehrlich, “Threat actor uac-0056 targeting ukraine with fake translation software,” [Online]. Available: https://www.sentinelone.com/blog/threat-actor-uac-0056- targeting-ukraine-with-fake-translation-software/, Sentinel One, Tech. Rep., March 2022.
164. [166] J. Ji, “APT Retrospection: Lorec53, An Active Russian Hack Group Launched Phishing Attacks Against Georgian Government,” [Online]. Available: https://nsfocusglobal.com/apt-retrospection-lorec53-anactive- russian-hack-group-launched-phishing-attacks-againstgeorgian- government/, NSFocus, Tech. Rep., February 2022.
165. [167] R. Santos and H. Jazi, “Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign,” [Online]. Available: https://cymulate.com/threats/cobalt-strikes-againuac- 0056-continues-to-target-ukraine-in-its-latest-campaign/, Malware Bytes, Tech. Rep., July 2022.
166. [168] T. H. Team, “Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine,” [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threatintelligence/ nodaria-ukraine-infostealer, Symantec, Tech. Rep., February 2023.
167. [169] Z. Ma, Q. Li, and X. Meng, “Discovering suspicious apt families through a large-scale domain graph in informationcentric iot,” IEEE Access, vol. 7, pp. 13 917–13 926, 2019. [170] F. J. Abdullayeva, “Advanced persistent threat attack detection method in cloud computing based on autoencoder and softmax regression algorithm,” Array, vol. 10, p. 100067, 2021.
168. [170] F. J. Abdullayeva, “Advanced persistent threat attack detection method in cloud computing based on autoencoder and softmax regression algorithm,” Array, vol. 10, p. 100067, 2021.