
Cyber Pop Songs?

  • Writer: RG
  • 5 min read
Cover art for “Apt.” by the artist Rosé and Bruno Mars, via Wikipedia

When I first heard APT, I thought it was great that there was a pop song about cybersecurity, and really liked the way they spelled out the initialism in the chorus. It’s really...


Wait, what?


Not about cybersecurity? But “APT” stands for...


Oh.


“Apt” is the Korean word “apateu” (아파트), which means “apartment”?


But what does an apartment have to do with cybersecurity?


Nothing, actually. It’s a reference to a Korean drinking game called “Apartment”, in which players stack their hands together, someone calls out a number, then everyone removes their hands in order, and the one pulling out their hand on the number called has to take a shot.


Sounds silly, but fun, I guess, which is kind of the point of drinking games.


But I wanted to talk about cybersecurity, so I will!


When I first heard the song, I thought it was fun and catchy, and the title appeared as “APT” in my car, so I thought of “Advanced Persistent Threat”, which is a generic term for a threat actor that gains access to a computer network and remains undetected for an extended period. In the past, most were assumed to be (or confirmed with a reasonable degree of confidence to be) state actors - organizations with time, resources, and long-term goals, as opposed to non-state actors, who were generally assumed to have limited time or resources, or more immediate goals.


While state-sponsored hacking has certainly been around since the dawn of the computer age, civilian security research on state actors is relatively recent. The most famous early report was published by Mandiant in 2013, and focused on a group they identified as “APT1”. That report, based entirely on unclassified sources, concluded that APT1 was most likely Unit 61398 of the People’s Liberation Army of China, and it was the first widely read public report to tie an intrusion set to a specific military unit.


While it would be wonderful if we had a clear and unambiguous way to identify and name different threat actors, it’s extraordinarily difficult to do. So, different organizations, with different data available and different approaches to identifying groups have all come up with different naming conventions. Sometimes they overlap, sometimes not, and there is almost always some degree of confusion.


As examples, Mandiant uses “APT” (“Advanced Persistent Threat”), “FIN” (“Financial” - financially motivated groups not considered nation states), and “UNC” (“Uncategorized” - clusters of activity not yet attributed to a known group), followed by a number. So, “APT1”, “FIN7”, “UNC2452”. CrowdStrike (and some others, which causes additional confusion) combines a descriptive name with an animal that stands for the nation state (or other category) behind the group, such as Cozy Bear (aka APT29), where “Bear” means Russia.


The industry works hard to at least tie their naming together whenever possible, so you’ll often hear multiple names listed. So, “Cozy Bear, also known as APT29 (Mandiant), also known as NOBELIUM (Microsoft, since renamed Midnight Blizzard), also known as..., etc.”


At the time of the earliest APT reports, the implicit assumption was that state actors, criminal groups, and hacktivists were (mostly) separate groups, and understanding which type of adversary you were dealing with would help you with defence. State actors were often assumed to be using the latest tools and techniques to gather information, while criminal actors were more focused on “smash ‘n’ grab”, to get money.


Things have changed significantly over time, the lines have blurred, and the cybersecurity community’s understanding of the ecosystem has evolved.


In the case of China, we see “traditional” espionage, but we also see the government sub-contracting hacking to private companies. The recent leak of documents from one of these subcontractors – a company called I-Soon – gives some very interesting insights into how these organizations operate.


Looking at Russia, we see criminal actors closely tied to the Russian government, who traditionally appeared to have carte blanche to attack anyone outside the Russian sphere of influence. Sometimes, however, we see arrests. It’s hard to know why these arrests take place, but it is usually assumed that these are people who attacked the wrong target, or lost the favour of a “protector” within the Russian government, or simply became too high-profile to ignore.


And then there’s North Korea. (Disclaimer: When I started this, I had no idea that the song Apt. referred to a Korean drinking game, or that Rosé is a Kiwi of South Korean descent. That said, it’s kind of a cool coincidence, huh?)


North Korea is relatively small (at 120,538 km2, it’s about the size of New Brunswick and Nova Scotia combined), with a population of about 26 million people. Due to a very long list of international sanctions, North Korea is sometimes referred to as a pariah state, or the “Hermit Kingdom”.


And yet, North Korea has made cyber capabilities a major focus for many years, and is considered a major “cyber” power. Their focus appears to have shifted over the last few years, from DDoS (Distributed Denial of Service) attacks, to espionage and information gathering, to financial gain, but it’s unclear whether this indicates a shift in focus, or changes in the sophistication of their attacks.


What seems clear, however, is that their focus on financial gain is intended to help fund the government in the face of international sanctions, and that they are a force to be reckoned with.


The Lazarus Group (aka “Hidden Cobra”, “ZINC”, “Diamond Sleet”, and, for its financially motivated subset, Mandiant’s “APT38”) may be a blanket name for North Korean activity, and is the name commonly associated with the 2016 Bangladesh Bank heist, where the attackers attempted to steal nearly $1 billion (USD) via fraudulent SWIFT transfers, and managed to transfer $101 million (USD), though they were able to get away with only about $63 million (USD) after the rest was blocked or recovered. For more information on this, I’d highly recommend the BBC’s excellent “The Lazarus Heist” podcast.


Since then, the group has been focused on a number of attacks on cryptocurrency users and exchanges, up to the recent heist of approximately $1.5 billion (USD) worth of Ethereum from a cryptocurrency exchange known as Bybit. (I won’t go into the details, but it was widely considered quite a sophisticated attack.) Due to the nature of cryptocurrencies, a game of cat-and-mouse has been ongoing, whereby various groups are attempting to track and freeze the funds before they can be laundered to the point of being untrackable. So far, at least $380 million (USD) appears to have been successfully converted to unrecoverable funds, and the game is not yet over.


So, that’s how we get from music, to drinking games, to cybersecurity and North Korea. And that doesn’t even include the North Korean hackers in Western workforces – maybe a topic for future discussion.


Cheers!


© 2025 by RG


TIL Technology by RG is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise specified. 

Please feel free to share, but provide attribution.
