Advanced Persistent Threats

Nation-State Cyber Actors

Helping cybersecurity defenders protect against and respond to nation-state actors.

Nation-State Cyber Actors

  • China Cyber Threat Overview and Advisories
  • Russia Cyber Threat Overview and Advisories
  • North Korea Cyber Threat Overview and Advisories
  • Iran Cyber Threat Overview and Advisories

Overview

Nation-state adversaries pose an elevated threat to our national security. These adversaries are known for their advanced persistent threat (APT) activity:

  • The Chinese government—officially known as the People’s Republic of China (PRC)—engages in malicious cyber activities to pursue its national interests including infiltrating critical infrastructure networks.
  • The Russian government—officially known as the Russian Federation—engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries.
  • The North Korean government—officially known as the Democratic People’s Republic of Korea (DPRK)—employs malicious cyber activity to collect intelligence, conduct attacks, and generate revenue.
  • The Iranian government—officially known as the Islamic Republic of Iran—has exercised its increasingly sophisticated cyber capabilities to suppress certain social and political activity, and to harm regional and international adversaries.

APT actors are well-resourced and engage in sophisticated malicious cyber activity that is targeted and aimed at prolonged network/system intrusion. APT objectives could include espionage, data theft, and network/system disruption or destruction. Organizations within the cybersecurity community conducting APT research assign names/numbers to APTs upon discovery. Because more than one organization engages in APT research, and there may be overlaps among APTs, there can be multiple names for a single APT. There is no ultimate arbiter of APT naming conventions. For examples of APT listings, see MITRE ATT&CK’s® Groups, Mandiant’s APT Groups, and Microsoft’s Threat Actor Naming Taxonomy.

Note: Although CISA uses the APT names that the cybersecurity community most prevalently uses, any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

CISA's Role

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, CISA provides resources to help critical infrastructure and other stakeholders build resilience against APTs, including cybersecurity advisories written in coordination with interagency and international partners.

Improve Your Resilience Against Nation-State Cyber Threats

CISA consistently collaborates with cybersecurity community partners to provide the public with timely advisories to defend against APT threats. Proactive steps to improve your steady state cyber resilience against these threats include: 

Assess Your Current State
  1. Assess your organization’s current security posture and implement Cybersecurity Performance Goals (CPGs) to bolster resilience. 
  2. Establish a baseline of normal host behavior and user activity to detect anomalous activity on endpoints when reviewing logs. See CPG 2.T: Log Collection and Logging Made Easy, CISA's free, open-source log management solution for Windows-based devices.
Mitigate Risk
  1. Prioritize mitigation of known exploited vulnerabilities, including those outlined in our joint advisory on the top common vulnerabilities and exposures.
  2. Fix common network misconfigurations. See our joint advisory that details the top 10 misconfigurations and how to fix them.
  3. Prioritize logging (e.g., command-line interface "CLI") and close and/or monitor high-risk ports (e.g., Remote Desktop Protocol, Server Message Block, File Transfer Protocol, Trivial File Transfer Protocol, Secure Shell, and Web Distributed Authoring and Versioning).  
  4. Establish the principle of least privilege by defining privileged administrator actions and locations to a manageable baseline. See our joint guide on Identity and Access Management Recommended Best Practices Guide for Administrators.
Report Malicious Activity

Urgently report potential malicious activity to CISA or the FBI:

  1. The easiest way is to go to CISA.gov and click the “report a cyber issue” button right up top.  
  2. You can also contact CISA’s 24/7 Operations Center: cisa.gov/report | report@cisa.gov | 888-282-0870
  3. Contact your local FBI field office or IC3.gov.
Connect With Your CSA

Establish a relationship with a regional CISA Cybersecurity Advisor to access additional services, assessments, and guidance.  

Stay Informed
  1. Sign up to receive CISA’s cybersecurity alerts and advisories for timely notification of emerging campaigns and incidents.
  2. Sign up for CISA’s free Vulnerability Scanning service to receive early warning when a vulnerability known to be exploited by nation-state actors or other malicious groups is identified on internet-facing assets. 

Key Resources

CISA provides the following resources that can greatly aid organizations in defending against APT activity:

Known Exploited Vulnerabilities Catalog

CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.

Secure by Design

It's time to build cybersecurity into the design and manufacture of technology products. Find out here what it means to be secure by design.

Shields Up!

Keep your Shields Up! to prepare for, respond to, and mitigate the impact of cyber-attacks. CISA is here to support you and your cybersecurity needs with expert resources, tools, and services to protect you from cyber threats. 

Shields Ready

CISA stands ready to help America prepare for and adapt to changing risk conditions and withstand and recover rapidly from potential disruptions, regardless of cause.

Artificial Intelligence

CISA is particularly concerned about potential adversary use of AI to evade security controls and launch more damaging intrusions at scale.   

Cyber Performance Goals (CPGs)

CPGs provide a baseline of fundamental cybersecurity practices organizations can implement to meaningfully reduce the likelihood and impact of APT activity.

Vulnerability Scanning Service

This free service sends subscriber organizations alerts when the service identifies vulnerabilities known to be exploited by APTs.

Cybersecurity Advisors

Regional CISA Cybersecurity Advisors advise, assist, and provide a variety of risk management and response services to critical infrastructure and SLTT organizations.

Cybersecurity Advisories

CISA regularly publishes Cybersecurity Advisories that cover: 

  1. APT tactics, techniques, and procedures, and
  2. Specific mitigations to protect against these threats.

Report a Cyber Incident

To report anomalous cyber activity and/or cyber incidents, visit www.cisa.gov/report.
