Collection of rare, advanced malware with useful information

Dec 11, 2014 18:49 GMT  ·  By

Today, security company Kaspersky launched a map with the advanced persistent threat (APT) operations its researchers from the Global Research and Analysis Team (GreAT) investigated over the years.

Although the page may appear simple at a first glance, just like in the case of an APT, there is more to it than meets the eye.

It includes all the big names one would expect to see, presented in highly appealing visuals that show the start of the campaign, as determined by the security researchers during the analysis of the malware, the year of detection, the current status, and the other operations it is connected to.

Useful details for each threat are available

Shown as rockets in the list, probably alluding to the fact that studying such complex threats is akin to rocket science, the malware pieces in the selection range from the defunct Agent.btz, discovered in 2008, to Regin, which was only recently revealed to the public.

The map shows that at the moment there are 12 APT campaigns active (CosmicDuke, Darkhotel, Energetic Bear, Kimsuky, MiniDuke, NetTraveler, Regin, Winnti, Epic Turla, FinSpy, BlackEnergy and Hacking Team RCS), not counting Cloud Atlas, which is not included, probably because its analysis is still ongoing.

A summary is offered for each of them, containing the current status, type of malware, year of discovery, targeted platforms, number of targets and their type, purpose, special features and attribution. Some details, such as the method of propagation, are missing in some cases.

The Targeted Cyberattack Logbook, as Kaspersky names the page, makes for a great intelligence repository on cyber operations that have lasted for years, more than a decade in the case of Regin, and on the connections between them.

Only the most complex and persistent malware is included

Kaspersky says that its automated systems label more than 320,000 malicious files a day and that about 1% of them require human analysis. Only a very small part of that 1%, “samples that belong to the rarest, most menacing new APTs,” is investigated by Kaspersky GreAT researchers. Those are the threats presented on the Logbook page.

According to the data presented by Kaspersky, the landscape of advanced persistent threats is quite empty until 2012, with only four operations (Agent.btz, Aurora, Duqu and Stuxnet) discovered before that year.

The APT scenery is completely different from 2012 onward, with 23 operations leveraging complex malware against specific targets having been discovered since.

The three most long-lasting ones are Regin (tracing back to 2003), NetTraveler and TeamSpy (both believed to have been initiated in 2004). Out of these, only the first two are still active.

Two of the currently active sophisticated campaigns, MiniDuke and Winnti, are also marked as ongoing, which means that the operators behind them continue to compromise computers and collect intelligence on the victims.
