{"id":15042,"date":"2014-12-18T18:13:19","date_gmt":"2014-12-18T18:13:19","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3440"},"modified":"2020-02-26T10:58:35","modified_gmt":"2020-02-26T15:58:35","slug":"the-distant-ships-under-the-horizon-kaspersky-lab-launches-apts-monitoring-tool","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/the-distant-ships-under-the-horizon-kaspersky-lab-launches-apts-monitoring-tool\/15042\/","title":{"rendered":"The distant ships under the horizon: Kaspersky Lab launches APTs monitoring tool"},"content":{"rendered":"<p>Kaspersky Lab has launched a new visual tool dedicated to real-time monitoring of APTs \u2013 <a href=\"https:\/\/apt.securelist.com\/\" target=\"_blank\" rel=\"noopener\">\u201cTargeted Attacks Logbook\u201d<\/a>.<\/p>\n<p>Aside from looking extremely pretty, it provides brief yet exhaustive data on every advanced persistent threat known today. Let\u2019s take a look at what it offers and how it works:<\/p>\n<p>The first screen shows the APTs as a large fleet of military vessels afloat over time, with the length of each stern wake indicating how long the threat has been active. The length of the vessel is the time period between its discovery and its \u201ccurrent status\u201d \u2013 i.e. whether it is currently active or not. Those whose bows reach 2014 are still active; the rest are not. 
Unfortunately, most of them are active now, including the last one disclosed \u2013 the <a href=\"https:\/\/securelist.com\/blog\/research\/67741\/regin-nation-state-ownage-of-gsm-networks\/\" target=\"_blank\" rel=\"noopener\">Regin<\/a> campaign, which was discovered back in 2012 and apparently had been active since 2003.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020231\/all_apts-1-1024x503.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-3446\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020231\/all_apts-1.png\" alt=\"all_apts\" width=\"1920\" height=\"943\"><\/a><\/p>\n<p>Now, if we roll the mouse over certain \u201cvessels\u201d, for instance that pretty <a href=\"https:\/\/securelist.com\/blog\/incidents\/34344\/the-flame-questions-and-answers-51\/\" target=\"_blank\" rel=\"noopener\">Flame<\/a> motor boat, we will see the ties between this particular APT and some others \u2013 Gauss, Duqu, miniFlame and Stuxnet, with the last one looking a lot like a submarine.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020230\/all_apts-2-1024x503.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-3446\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020230\/all_apts-2.png\" alt=\"all_apts\" width=\"1920\" height=\"943\"><\/a><\/p>\n<p>As we all know, if it wasn\u2019t for a coding mistake, <a href=\"https:\/\/securelist.com\/blog\/events\/33206\/the-day-the-stuxnet-died-27\/\" target=\"_blank\" rel=\"noopener\">Stuxnet<\/a> would never have been discovered and the history of APTs would look a bit different \u2013 although at least two of the APTs were known earlier: <a href=\"https:\/\/securelist.com\/blog\/virus-watch\/58551\/agent-btz-a-source-of-inspiration\/\" 
target=\"_blank\" rel=\"noopener\">Agent.btz<\/a> and <a href=\"https:\/\/securelist.com\/analysis\/quarterly-malware-reports\/36303\/information-security-threats-in-the-first-quarter-of-2010\/\" target=\"_blank\" rel=\"noopener\">Aurora<\/a>. Agent.btz, by the way, has certain links to Epic Turla, the big bad campaign, which keeps getting bigger and, well, \u201cbadder\u201d as new data arrives.<\/p>\n<p>If we click on Epic Turla, we\u2019ll see its status, type, time of discovery, longevity, number of targets, targeted platforms, and a map of the most affected countries.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020229\/epic_turla-1-1024x503.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-3441\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020229\/epic_turla-1.png\" alt=\"epic_turla\" width=\"1920\" height=\"944\"><\/a><\/p>\n<p>Below is additional data on the threat, including its method of propagation, purpose, special features and identified targets, along with artifacts that point to possible attribution.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020228\/Epic-Turla-1-1024x1024.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-3438\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020228\/Epic-Turla-1.png\" alt=\"Epic-Turla\" width=\"1034\" height=\"1034\"><\/a><\/p>\n<p>And then there is a link to <a href=\"https:\/\/securelist.com\/analysis\/publications\/65545\/the-epic-turla-operation\/\" target=\"_blank\" rel=\"noopener\">Securelist\u2019s detailed research on the threat<\/a>.<\/p>\n<p>Back on the main screen, we see a \u201cfilter\u201d that allows us to pick out APTs based on a number of features. 
For instance, if we want to see which APTs are targeting iOS \u2013 quite an exotic query, right? \u2013 we can set this preference and we\u2019ll see two \u201cdestroyers\u201d and one \u201cmissile boat\u201d:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020227\/iOS_APT-1-1024x506.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-3442\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020227\/iOS_APT-1.png\" alt=\"iOS_APT\" width=\"1920\" height=\"949\"><\/a><\/p>\n<p>These are <a href=\"https:\/\/securelist.com\/analysis\/publications\/36996\/mobile-malware-evolution-part-6\/\" target=\"_blank\" rel=\"noopener\">FinSpy<\/a>, <a href=\"https:\/\/securelist.com\/analysis\/publications\/37064\/spyware-hackingteam\/\" target=\"_blank\" rel=\"noopener\">Hacking Team RCS<\/a>, and the newly discovered <a href=\"https:\/\/securelist.com\/blog\/research\/68083\/cloud-atlas-redoctober-apt-is-back-in-style\/\" target=\"_blank\" rel=\"noopener\">Cloud Atlas<\/a> \u2013 the successor to the notorious <a href=\"https:\/\/securelist.com\/analysis\/publications\/36740\/red-october-diplomatic-cyber-attacks-investigation\/#8\" target=\"_blank\" rel=\"noopener\">RedOctober APT<\/a>. All three target iOS devices, among other platforms. Hacking Team RCS, moreover, appears to have been active since 2008.<\/p>\n<p>The term \u2018APT\u2019 was coined back in 2006, but despite attempts to make it clear and exhaustive, it is still quite vague. 
This is largely because the term Advanced Persistent Threat was meant to designate the attacking entities \u2013 hacking groups, hostile cyber warfare units, etc. \u2013 but, correctly or not, it has gradually slid towards designating the malware used by APT groups and the campaigns they wage.<\/p>\n<p>We previously published a couple of blog posts [<a href=\"https:\/\/business.kaspersky.com\/a-laymans-dictionary-what-is-apt-and-why-is-it-called-that\/2711\" target=\"_blank\" rel=\"noopener nofollow\">1<\/a>, <a href=\"https:\/\/business.kaspersky.com\/what-is-apt-and-why-is-it-dangerous-for-businesses\/1286\" target=\"_blank\" rel=\"noopener nofollow\">2<\/a>] explaining what APTs are.<\/p>\n<p>In a nutshell, an APT is a threat posed by skilled, motivated, organized, and well-funded cyber-attackers. It is called \u201cadvanced\u201d since the operators behind the threat have a full spectrum of intrusion, intelligence-gathering, and data-stealing tools at their disposal. These tools are usually custom-made, although partial \u201ccode intercrossing\u201d between different APTs isn\u2019t uncommon.<\/p>\n<p>It is also called \u201cpersistent\u201d because the attackers give priority to a specific task, such as the exfiltration of certain data from particular entities. They don\u2019t seek information opportunistically, as common criminals do. Besides, the attacks are anything but one-offs: usually they are continuous, staying active for years, as illustrated above. 
Operators prefer a stealthy, hushed approach, and they try to keep access to the target\u2019s infrastructure for as long as possible without being discovered.<\/p>\n<p>Kaspersky Lab experts assume that <a href=\"https:\/\/business.kaspersky.com\/the-crystal-ball-of-facts-2015-apt-predictions\/3417\" target=\"_blank\" rel=\"noopener nofollow\">in the near future, a wider range of cybercriminals will adopt APT tactics<\/a> since the continuous malicious presence in the compromised infrastructure may bring a larger profit than the one-off attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab launches &#8220;Targeted Attacks Logbook&#8221; &#8211; a visual tool to monitor known Advanced Persistent Threats. In this post, we take a look at how to handle this pretty instrument.<\/p>\n","protected":false},"author":209,"featured_media":15807,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2258,2262,2263,2264],"class_list":{"0":"post-15042","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apts","10":"tag-epic-furla","11":"tag-targeted-attacks-logbook","12":"tag-visual-tools"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/the-distant-ships-under-the-horizon-kaspersky-lab-launches-apts-monitoring-tool\/15042\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/the-distant-ships-under-the-horizon-kaspersky-lab-launches-apts-monitoring-tool\/7032\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/the-distant-ships-under-the-horizon-kaspersky-lab-launches-apts-monitoring-tool\/15042\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/the-distant-ships-under-the-horizon-kaspersky-lab-launches-apts-monitoring-tool\/15042\/"}],"acf":[],"banners":"","maintag":{"url":"https
:\/\/www.kaspersky.com\/blog\/tag\/apts\/","name":"APTs"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15042","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15042"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15042\/revisions"}],"predecessor-version":[{"id":33419,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15042\/revisions\/33419"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15807"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15042"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15042"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15042"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}