Protecting IoT and ICS Platforms Against Advanced Persistent Threat Actors: Analysis of APT1, Silent Chollima and Molerats

  • Samuel Grooby
  • Tooska Dargahi
  • Ali Dehghantanha (corresponding author)


One of the greatest threats to cyber security is the relatively recent increase in intrusion campaigns conducted by well-trained, well-funded and patient adversaries. These groups are known as advanced persistent threats (APTs), and they are a growing concern for governments and industries around the world. APTs may be backed by terrorist organisations, hacktivists or even nation-state actors conducting covert cyber-warfare against other countries. Because of the advanced capabilities of these groups, a non-targeted, catch-all defence strategy is unlikely to succeed. Instead, potential targets of APTs must be able to research and analyse the groups' previous attacks in order to tailor a cyber defence triage process to the attacker's modus operandi. In this paper we attempt to do just that, using the Diamond Model and kill chain analysis to craft a course of action matrix for three example APT groups.


Keywords: Big data; Advanced persistent threat; APT; Diamond model; Cyber kill chain



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Samuel Grooby (1)
  • Tooska Dargahi (1)
  • Ali Dehghantanha (2, corresponding author)
  1. Department of Computer Science, School of Computing, Science and Engineering, University of Salford, Manchester, UK
  2. Cyber Science Lab, School of Computer Science, University of Guelph, Guelph, Canada
