Advanced Persistent Threats

Nation-State Threats

Helping critical infrastructure owners and operators protect against and respond to nation-state threats.

Report to CISA

Overview

As a nation, we are seeing continued cyber and physical threats targeting critical infrastructure Americans rely on every day.  Nation-state actors and nation-states sponsored entitiespose an elevated threat to our national security. On the cyber front these adversaries are known for their advanced persistent threat (APT) activity:

  • The Chinese government—officially known as the People’s Republic of China (PRC)—engages in malicious cyber activities to pursue its national interests including infiltrating critical infrastructure networks.
  • The Iranian government—officially known as the Islamic Republic of Iran—has exercised its increasingly sophisticated cyber capabilities to suppress certain social and political activity, and to harm regional and international adversaries.
  • The North Korean government—officially known as the Democratic People’s Republic of Korea (DPRK)—employs malicious cyber activity to collect intelligence, conduct attacks, and generate revenue.
  • The Russian government—officially known as the Russian Federation—engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries.

APT actors are well-resourced and engage in sophisticated malicious cyber activity that is targeted and aimed at prolonged network/system intrusion. APT objectives could include espionage, data theft, and network/system disruption or destruction. Organizations within the cybersecurity community conducting APT research assign names/numbers to APTs upon discovery. Because more than one organization engages in APT research, and there may be overlaps among APTs, there can be multiple names for a single APT. There is no ultimate arbiter of APT naming conventions. For examples of APT listings, see MITRE ATT&CK’s® GroupsMandiant’s APT Groups, and Microsoft’s Threat Actor Naming Taxonomy.

Note: Although CISA uses the APT names that the cybersecurity community most prevalently uses, any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

CISA's Role

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, CISA provides resources to help critical infrastructure and other stakeholders build resilience against all types of threats- both cyber and physical.  It is critical to the nation’s safety and security that critical infrastructure owners and operators prepare for and adapt to changing conditions, and that they can withstand and recover rapidly from disruptions.   

CISA partners with critical infrastructure owners and operators nationwide to help them reduce risk and build their security capacity to withstand new threats and disruptions, whether from physical and cyber threats. 

Improve Your Resilience Against Nation-State Threats

CISA consistently collaborates with cybersecurity community partners to provide the public with timely advisories to defend against APT cyber threats. Proactive steps to improve your steady state cyber resilience against these threats include: 

Current State
Assess Your Current State
  1. Assess your organization’s current security posture and implement Cybersecurity Performance Goals (CPGs) to bolster resilience.
  2. Identify critical assets and map dependencies and determine the systems that are critical for ongoing business operations and map out their key dependencies on technology, vendors, and supply chains.  CISA’s Secure Tomorrow Series Toolkit is a free, voluntary resources to help stakeholders across the critical infrastructure community identify and examine risk mitigation strategies, manage uncertainty, and encourage strategic foresight methods in their long-term planning.  
  3. Establish a baseline normal host behavior and user activity to detect anomalous activity on endpoints when reviewing logs. See CPG 2.T: Log Collection and CISA's free Logging Made Easy, CISA's open-source log management solution for Windows-based devices.
Read more
Mitigate Risk
Mitigate Risk
  1. Prioritize mitigation of known exploited vulnerabilities, including those outlined in our joint advisory on the top common vulnerabilities and /known-exploited-vulnerabilities-catalog exposures.
  2. Fix common network misconfigurations. See our joint advisory that details the top 10 misconfigurations and how to fix them.
  3. Prioritize logging (e.g., command-line interface "CLI") and close and/or monitor high-risk ports (e.g., Remote Desktop Protocol, Server Message Block, File Transfer Protocol, Trivial File Transfer Protocol, Secure Shell, and Web Distributed Authoring and Versioning). 
  4. Establish the principle of least privilege by defining privileged administrator actions and locations to a manageable baseline. See our joint guide on Identity and Access Management Recommended Best Practices Guide for Administrators.
  5. Plan and Exercise. CISA Tabletop Exercise Packages are a comprehensive set of resources designed to assist stakeholders in conducting their own exercises and initiating discussions within their organizations about their ability to address a variety of threat scenarios.
Read more
Report Malicious Activity
Report Malicious Activity

Urgently report potential malicious activity to CISA or the FBI:

  1. The easiest way is to go to CISA.gov and click the “report a cyber issue” button right up top.  
  2. You can also contact CISA’s 24/7 Operations Center: cisa.gov/report | report@cisa.gov | 888-282-0870
  3. Contact your local FBI field office or IC3.gov.
Read more
Connect with CISA
Connect With Your CSA

Establish a relationship with a regional CISA Cybersecurity Advisor to access additional services, assessments, and guidance.  

Read more
Stay Informed
Stay Informed
  1. Sign up to receive CISA’s cybersecurity alerts and advisories for timely notification of emerging campaigns and incidents.
  2. Sign up for CISA’s free Vulnerability Scanning service to receive early warning when a vulnerability known to be exploited by nation-state actors or other malicious groups is identified on internet-facing assets. 
Read more

Key Resources

CISA provides the following resources that can greatly aid organizations in defending against APT activity:

Known Exploited Vulnerabilities Catalog text on the left of glowing alert icon on dark background

Known Exploited Vulnerabilities Catalog

CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.

Text of Secure by Design on grid background in a colorful isometric design

Secure by Design

It's time to build cybersecurity into the design and manufacture of technology products. Find out here what it means to be secure by design.

A crowded street of people walking in a city

Physical Security

CISA’s most important mission is to protect the American people. As part of that mission, CISA provides access to tools and resources to support physical security and resilience.

A graphic that says "Cybersecurity Performance Goals"

Cyber Performance Goals (CPGs)

CPGs provide a baseline of fundamental cybersecurity practices organizations can implement to meaningfully reduce the likelihood and impact of APT activity.

Vulnerability Scanning Service

Vulnerability Scanning Service

This free service sends subscriber organizations alerts when the service identifies vulnerabilities known to be exploited by APTs.

Cyber Advisors

Cybersecurity Advisors

Regional CISA Cybersecurity Advisors advise, assist, and provide a variety of risk management and response services to critical infrastructure and SLTT organizations.

An image portraying a cybersecurity threat

Cybersecurity Advisories

CISA regularly publishes Cybersecurity Advisories that cover: 

  1. APT tactics, techniques, and procedures, and 

  1. Specific mitigations to protect against these threats. 

Map of Earth connected by lights

Voluntary Cyber Incident Reporting

This resource is designed to help entities that may be considering voluntarily reporting cyber incidents understand “who” CISA recommends report an incident, “why and when” CISA recommends they report, as well as “what and how to report.” 

Envelope with an exclamation mark on it

Report a Cyber Incident

To report anomalous cyber activity and or cyber incidents visit www.cisa.gov/report.

Report to CISA