Trustwave Blog

Dissecting and Understanding APT Threat Group Activity

Written by Trustwave SpiderLabs CTI | Nov 6, 2025
  • APT Groups Prioritize Espionage and Data Theft: Approximately two-thirds of all Trustwave SpiderLabs-tracked APT group activity is motivated by espionage, targeting government, defense, and telecom sectors primarily in the US, Ukraine, and Russia.
  • Top Attacker Nations: China (41%), Iran (12.5%), and Russia are the leading origins for espionage attacks, emphasizing the critical need for robust threat intelligence to track state-sponsored activity.
  • Beyond Detection: Actionable Threat Intelligence: Trustwave SpiderLabs operationalizes threat intelligence by dissecting APT group Tactics, Techniques, and Procedures (TTPs) and converting them into custom detection rules to dramatically reduce attacker dwell time.

Government administration, defense, and finance sector organizations are the primary areas Advanced Persistent Threat (APT) groups are targeting, according to the most recent data from the Trustwave SpiderLabs Cyber Threat Intelligence (CTI) team.

The team found most attacks are launched from China, Russia, and Iran, with the primary targets residing in the US, Ukraine, and, interestingly, Russia. The groups tracked include Lapsus$, ShinyHunters, and Silk Typhoon.

Trustwave’s CTI list is not all-inclusive, but it offers a solid overview of the actors involved, where the attacks are launched from, and the nations undergoing the heaviest attack. SpiderLabs aggregates information continuously from a variety of APT databases maintained by the cybersecurity sector, along with internal reports.

Let’s start off with a quick reminder on APT groups and then look at what motivating factors are driving APT activity.


APT Defined

An Advanced Persistent Threat (APT) is a type of prolonged, targeted cyberattack in which an intruder gains unauthorized access to a network and remains undetected for an extended period, sometimes even months or years.

APT groups often use sophisticated toolsets and techniques, such as custom-developed malware, zero-day exploits, and multiple methods to evade traditional security defenses and gain access.

Persistence is maintained, as these attackers are not looking for a quick smash-and-grab strike but want long-term access to the network to continuously monitor activity and steal data over a sustained period. They will re-attempt access if initially blocked.

APT Groups’ Motivating Factors

  • Information Theft and Espionage – This activity accounts for about two-thirds of all SpiderLabs-tracked APT activity. Our analysts noted that China is responsible for about 41% of these attacks, followed by Iran, conducting 12.5%, and Russia, with 5%. These attacks focused on targets within the US, with Ukraine second most targeted, followed by the British Indian Ocean Territory and Russia. The targets most often hit were government/administration, defense, and telecoms.
  • Financial – This category covers attackers looking for straight-up financial gain and those attempting crimes against financial institutions. This could include data theft, ransomware, etc. Again, the US was the most targeted nation, followed by Ukraine and Canada. SpiderLabs' insight into which nations housed the attackers is not as clear, with almost half not being known, but of those that are known, Russia is the leader, followed by China.
  • Sabotage and Destruction – This James Bond-sounding category was the least likely to take place, with instances comprising less than 5% of all attacks. Russia conducted the most of these attacks, followed by Iran, with the US, Ukraine, Germany, and Israel being the most frequently struck nations. The most popular targets were the energy, government, defense, and finance sectors.


Victimology

SpiderLabs has also determined which specific vertical sectors are most often targeted.

The government sector, attacked primarily by China-based threat actors, was hit most often, with defense, finance, education, energy, and healthcare all on the receiving end of APT group activity. China, Iran, and Russia were most often the home bases of the actors attacking these sectors.


SpiderLabs' Direct Role in APT Defense

SpiderLabs not only tracks threats but also serves as the instrumental tool that helps Trustwave protect its clients, including by defending against APT threats. The information derived for this report is based on the work SpiderLabs does in the field with our clients.

The protection offered by Trustwave against APTs is critically dependent on the continuous work of SpiderLabs, which operates across three key areas:

1. Elite Threat Intelligence & TTP Tracking

SpiderLabs analysts are dedicated to tracking and analyzing dozens of specific, sophisticated APT groups worldwide (e.g., APT34, APT44/Sandworm, Salt Typhoon, Silver Fox, and Scattered Spider).

  • Dissection of TTPs: The team performs deep analysis on the Tactics, Techniques, and Procedures (TTPs), custom malware, and infrastructure used by these groups.
  • Actionable Intelligence: This proprietary intelligence is immediately converted into custom detection rules and playbooks. These are infused directly into the Trustwave Fusion platform and the client's security tools (e.g., EDR/XDR/SIEM), enabling Trustwave's Security Operations Centers (SOCs) to detect subtle, behavioral anomalies that signature-based tools would miss.

2. Human-Led Advanced Threat Hunting

While automated security tools rely on known indicators, APTs specialize in stealth and avoiding detection (known as low-and-slow attacks). SpiderLabs' human expertise is used to find these hidden threats.

  • Hypothesis-Driven Hunts: SpiderLabs experts use a hypothesis-based approach (assuming the client is already breached) to proactively search for indicators of compromise that align with known APT TTPs.
  • MITRE ATT&CK Mapping: Their hunting methodology is mapped to the MITRE ATT&CK framework, allowing them to systematically search for activity across the entire attack chain—from initial access to persistence and command-and-control.
  • Reduced Dwell Time: This proactive hunting significantly reduces the attacker's dwell time (the period an attacker remains in a network undetected), minimizing the damage an APT can inflict.
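As an added illustration of the two ideas above (turning a group's TTPs into ATT&CK-mapped detection rules, then hunting with them across a host's event timeline and measuring dwell time), here is a small Python example. It is not Trustwave or SpiderLabs code and makes no claim about how the Fusion platform works: the log format, hostnames, rule heuristics, and the "detected at" timestamp are all constructed for the example. The MITRE ATT&CK technique IDs (T1078, T1059.001, T1053.005) are real, and Windows logon type 10 really is RemoteInteractive, but the thresholds each rule uses are deliberately simple.

```python
"""Hypothesis-driven hunt over a constructed event log, with rules keyed to
MITRE ATT&CK technique IDs and a dwell-time calculation.

Added example, not part of the original post. Every log line, host name and
rule heuristic below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Constructed sample telemetry: time|host|user|kind|detail (not real data).
SAMPLE_LOG = [
    "2025-01-03T02:14:00|ws-17|jdoe|logon|type=10 src=203.0.113.9",
    "2025-01-03T02:16:30|ws-17|jdoe|process|powershell.exe -nop -w hidden -enc QQBCAEMA",
    "2025-01-03T02:20:00|ws-17|jdoe|schtask|name=Updater tr=C:\\Users\\Public\\u.exe",
    "2025-01-10T11:05:00|fs-02|svc_backup|logon|type=3 src=10.0.0.5",
    "2025-01-12T23:40:00|ws-17|jdoe|logon|type=10 src=10.0.0.5",
    "2025-02-01T09:00:00|db-01|dba|process|sqlservr.exe",
]


@dataclass(frozen=True)
class Event:
    time: datetime
    host: str
    user: str
    kind: str
    detail: str


@dataclass(frozen=True)
class Rule:
    technique: str                      # MITRE ATT&CK technique ID
    name: str
    match: Callable[[Event], bool]


@dataclass(frozen=True)
class Hit:
    technique: str
    name: str
    event: Event


def parse_events(lines: List[str]) -> List[Event]:
    """Parse the constructed pipe-separated format into Event records."""
    out = []
    for line in lines:
        t, host, user, kind, detail = line.split("|", 4)
        out.append(Event(datetime.fromisoformat(t), host, user, kind, detail))
    return out


def fields(detail: str) -> Dict[str, str]:
    """Turn 'k=v k=v' fragments of the detail string into a dict."""
    return {k: v for k, v in (tok.split("=", 1) for tok in detail.split() if "=" in tok)}


def internal(ip: str) -> bool:
    """Simplified 'inside the corporate ranges' check (assumption for the example)."""
    return ip.startswith("10.") or ip.startswith("192.168.")


# TTP-derived rules: one hypothesis per ATT&CK technique. Heuristics are constructed.
RULES: List[Rule] = [
    Rule("T1078", "Valid Accounts: RemoteInteractive (type 10) logon from outside internal ranges",
         lambda e: e.kind == "logon"
         and fields(e.detail).get("type") == "10"
         and not internal(fields(e.detail).get("src", ""))),
    Rule("T1059.001", "PowerShell: encoded command line",
         lambda e: e.kind == "process"
         and "powershell" in e.detail.lower()
         and " -enc" in e.detail.lower()),
    Rule("T1053.005", "Scheduled Task: action runs from a user-writable public directory",
         lambda e: e.kind == "schtask"
         and "users\\public" in e.detail.lower()),
]


def run_hunt(events: List[Event], rules: List[Rule]) -> List[Hit]:
    """Apply every rule to every event; return hits in chronological order."""
    hits = [Hit(r.technique, r.name, e) for e in events for r in rules if r.match(e)]
    return sorted(hits, key=lambda h: h.event.time)


def chain_by_host(hits: List[Hit]) -> Dict[str, List[str]]:
    """Group hits per host as an ordered list of technique IDs (the attack chain)."""
    chain: Dict[str, List[str]] = {}
    for h in hits:
        chain.setdefault(h.event.host, []).append(h.technique)
    return chain


def dwell_time_days(hits: List[Hit], detected_at_iso: str) -> Optional[float]:
    """Days between the earliest matched event and the moment the intrusion was detected."""
    if not hits:
        return None
    first = min(h.event.time for h in hits)
    return (datetime.fromisoformat(detected_at_iso) - first).total_seconds() / 86400


if __name__ == "__main__":
    found = run_hunt(parse_events(SAMPLE_LOG), RULES)
    for h in found:
        print(f"{h.event.time.isoformat()} {h.event.host:6} {h.technique:10} {h.name}")
    print("chain:", chain_by_host(found))
    print("dwell (days):", round(dwell_time_days(found, "2025-02-14T09:00:00") or 0, 1))
```

The point the example makes is that each rule is a hypothesis about a known TTP rather than a static indicator: the internal RDP logon and the ordinary service logon produce no hits, while the three events on ws-17 line up as an initial-access, execution, persistence chain, and the dwell time is measured from the earliest of them rather than from whatever event finally tripped an alert.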

3. Incident Response and Preparation

If an APT successfully breaches a client, SpiderLabs' forensic and response capabilities are activated immediately.

  • Digital Forensics & Incident Response (DFIR): The team provides 24/7 global support for emergency breach response, performing forensic investigations to determine the scope, root cause, and identity of the APT actor.
  • Containment and Eradication: They rapidly execute the steps needed to contain the threat and ensure the APT is completely eradicated from the environment.
  • Offensive Security: SpiderLabs' ethical hackers also perform penetration testing and red team exercises that are informed by real-world APT TTPs. This tests a client's defenses against the most advanced adversaries, identifying security gaps before an actual APT exploits them.

SpiderLabs ensures that clients are not just protected against general threats, but are specifically fortified against the evolving, state-sponsored, and financially motivated groups that pose the greatest risk.