- International Journal of Information Security Science
- Volume:13 Issue:2
Provisioning the external infrastructure for Cyberspace Operations. A spotlight on Russian APT groups
Authors : Antonio Villalon-Huerta, Ismael Ripoll-Ripoll, Hector Marco-Gisbert
Pages : 1-32
Doi:10.55859/ijiss.1431064
Publication Date : 2024-06-30
Article Type : Review Paper
Abstract : Advanced threat actors conducting operations in cyberspace require the utilization of external infrastructure. This refers to elements of infrastructure available on the Internet, situated outside the target’s own premises. The analysis of this infrastructure and the techniques employed to bring it to full operational capacity constitute a pivotal factor in characterizing threat actors and their operations. However, the majority of the existing scientific and technical literature focuses on internal infrastructure elements, particularly on malware implants, as well as on the tactics and techniques employed by the threat actor within their victim’s infrastructure. In this work, a comprehensive analysis of this external infrastructure and its provisioning techniques is presented. While our research has primarily concentrated on Russian APT groups and their operations, our findings are equally applicable to all advanced groups and operations. The outcomes of our study can greatly assist analysts in characterizing these groups and their operations, especially with regard to attribution efforts. Our proposal follows a logical structure that is easy to expand and adapt, and it can be used to improve commonly accepted industry standards such as MITRE ATT&CK.
Keywords : Advanced Persistent Threat, APT, Russia, Infrastructure, Tactics, techniques and procedures, Resource development, MITRE ATT&CK
