If I had six hours to chop down a tree, I’d spend the first four sharpening the axe.
– Abraham Lincoln
One of the differences between a targeted attack and a widespread malware campaign is the effort and time spent on preparation for attacking a specific target. Preparation, especially in the form of reconnaissance, is the first and most important phase in the APT lifecycle.
Because an APT attack is advanced in nature and therefore requires significant resources, often including the (highly expensive) acquisition or development of zero-day exploits, APT actors take time to plan their attacks properly. The main reason is that a zero-day, once detected, will be fixed by the respective software vendor, which reduces the chances of using it in other targeted attacks.
Proper reconnaissance of the target provides the actor with valuable information that allows it to understand the target, its business, the technology in place, and the people who could potentially be targeted. This information is then used to create a blueprint of the victim’s IT systems in order to look for exploitable vulnerabilities, which allows the adversary to adjust its TTPs for penetrating the network and bypassing existing defenses. To do so, the TTPs need to be tested to confirm the success of a particular attack technique. This involves testing an exploit, rootkit, backdoor, or phishing website to ensure that the tools involved work as expected during the attack.
The reconnaissance phase takes place in two stages of the APT lifecycle: pre-exploitation reconnaissance, and post-exploitation reconnaissance (or internal reconnaissance). Pre-exploitation reconnaissance involves gathering information about the target infrastructure through active and passive reconnaissance of the target systems, followed by vulnerability discovery through enumeration of specific details about a particular system, and gathering information about the human targets selected for the initial compromise phase (e.g. malware delivery through spear-phishing). Post-exploitation reconnaissance takes place after an initial foothold on a target system has been established and further information has to be collected in order to discover valuable assets by moving laterally within the target network. This phase is described in the chapter Lateral Movement.
In order to find the most efficient way to attack the target, adversaries perform extensive information gathering on the target’s technical and non-technical assets (see Figure 1). Examples of technical data include: Domain Name Service (DNS) records associated with the organization, username and email formats, remote access and login systems, and specific technologies used by the organization, such as anti-virus software, firewalls, routers, etc. Examples of non-technical data include: important employees and their job titles, major departments, and geographical locations of the organization.
Gathering open-source intelligence (OSINT) is a common approach for collecting valuable information, such as names of employees and their contact details, network topology including internal and external resources, security measures used by the target company, etc. Other categories of reconnaissance data sources include:
- HUMINT (Human Intelligence): information collected by and from humans, for instance via face-to-face social engineering, over the phone, or by eavesdropping in a public place.
- FININT (Financial Intelligence): Acquisitions, quarterly financial reports, and any other financial information related to the target organization.
- GEOINT (Geospatial Intelligence): Office locations, employee locations, target areas and any information related to geographical data regarding the target.
Data can be collected using active or passive reconnaissance. Active reconnaissance involves any activity in which the actor directly communicates with a system of the target organization, whereas passive reconnaissance uses sources the target organization does not own, making the reconnaissance activity much harder to detect. Data gathered directly from sources that the target organization owns can be detected. Even seemingly passive activities, such as performing a single DNS record lookup against a DNS server of the organization or visiting a web page, are considered active reconnaissance, as these activities may be logged by the respective systems. However, given that organizations face a flood of attacks on a daily basis, active reconnaissance activities might be difficult to distinguish from other malicious traffic. It is important to keep in mind that any host connected to the internet is constantly being scanned by automated tools in an attempt to find vulnerable systems.
After footprinting the target, the collected information is used to probe the target’s systems for vulnerabilities: the actor switches from a rather passive information-gathering tactic to a more offensive approach of identifying potentially vulnerable points in the target’s infrastructure. The more insight the actor gains into the target’s infrastructure and security mechanisms, the higher the chances of a successful exploitation leading to malware deployment in further steps.
There are many tools and techniques that can be used during the reconnaissance phase, but the choice depends on the attack vector planned for the initial compromise phase. To illustrate one of many possible ways adversaries figure out the email addresses of their victims, let’s take the open-source tool EmailHarvester. With this simple tool, it is possible to quickly extract email addresses from websites that were indexed by search engines:
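The observation that active reconnaissance against infrastructure the organization owns is logged, yet a single lookup does not stand out, can be turned into a detection on the defender's side. The following is an added example, not code from the chapter: it reads constructed authoritative DNS query log lines and flags clients that look up many distinct hostnames in the organization's zone and mostly receive NXDOMAIN answers, which is what hostname enumeration looks like; the log format and the zone company.com are assumptions.

```python
from collections import defaultdict

# Constructed authoritative-DNS query log (not from the chapter): time, client, qname, rcode.
# A single lookup such as www.company.com is indistinguishable from a legitimate visitor;
# a burst of distinct names with many NXDOMAIN answers is the signature of hostname enumeration.
SAMPLE_DNS_LOG = """\
15-Jun-2016 09:00:01 203.0.113.7 www.company.com NOERROR
15-Jun-2016 09:00:02 203.0.113.7 mail.company.com NOERROR
15-Jun-2016 09:00:02 203.0.113.7 vpn.company.com NOERROR
15-Jun-2016 09:00:03 203.0.113.7 owa.company.com NXDOMAIN
15-Jun-2016 09:00:03 203.0.113.7 dev.company.com NXDOMAIN
15-Jun-2016 09:00:04 203.0.113.7 test.company.com NXDOMAIN
15-Jun-2016 09:00:04 203.0.113.7 intranet.company.com NXDOMAIN
15-Jun-2016 09:00:05 203.0.113.7 git.company.com NXDOMAIN
15-Jun-2016 09:01:10 198.51.100.4 www.company.com NOERROR
15-Jun-2016 09:02:11 198.51.100.4 www.company.com NOERROR
"""

def parse_dns_log(text):
    """Return a list of (client, qname, rcode) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5:
            records.append((fields[2], fields[3].lower().rstrip("."), fields[4]))
    return records

def enumeration_suspects(records, zone, min_names=5, min_nx_ratio=0.5):
    """Clients that queried at least min_names distinct hosts in our zone and received
    NXDOMAIN for at least min_nx_ratio of those queries. Returns (client, names, nx_ratio)."""
    stats = defaultdict(lambda: {"names": set(), "total": 0, "nx": 0})
    for client, qname, rcode in records:
        if not qname.endswith("." + zone):
            continue  # queries for other zones are irrelevant here
        s = stats[client]
        s["names"].add(qname)
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
    suspects = []
    for client, s in stats.items():
        ratio = s["nx"] / s["total"]
        if len(s["names"]) >= min_names and ratio >= min_nx_ratio:
            suspects.append((client, len(s["names"]), ratio))
    return suspects

if __name__ == "__main__":
    for client, names, ratio in enumeration_suspects(parse_dns_log(SAMPLE_DNS_LOG), "company.com"):
        print("%s looked up %d distinct hosts, %.0f%% NXDOMAIN" % (client, names, ratio * 100))
```

Thresholds such as min_names and min_nx_ratio need tuning per zone; a misconfigured internal resolver can produce NXDOMAIN bursts as well, so the hit is a lead for analysis, not a verdict.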
$ python3 EmailHarvester.py -d company.com
After the tool finishes, a list of email addresses associated with the target domain is returned. For example:
The structure of the identified email addresses may help to predict the email address of a target person who is not in the returned list. Moreover, it is common practice that a target company uses one of the following email formats:
Once the email addresses of potential victims are obtained, attackers use the previously gathered intelligence to prepare a highly personalized email. The purpose of this email is to trick the target person into clicking on a malicious link or opening an attachment that contains malicious code. One of the most common approaches to infecting users who click on the link embedded in the email is to attack their web browsers via a known or zero-day vulnerability. In the case of a malicious attachment, attackers are likely to choose Microsoft Office documents with embedded active content, such as macros.
Real World example: APT28 / SOFACY
The ultimate goal of the target selection stage is to compile a list of high-value individuals who have information or access that the APT28 group is interested in. Potential high-value targets are identified through OSINT (email lists, information harvested from public forums and social network sites). Furthermore, email accounts obtained during a spear-phishing attack are used to identify additional targets. Moreover, in cases where victims do not fall for spear-phishing attacks, APT28 gathers metadata such as the operating system, the web browser version and its add-ons, etc. This information is useful for planning future drive-by download attacks, after which access to the target’s machine is finally gained. However, reconnaissance does not stop here: the second-stage backdoor (such as EVILTOSS) is used for internal reconnaissance, monitoring, credential theft and other information-gathering activities.
Once enough basic information about the target has been gathered, the initial compromise setup has to be prepared. APT28 is known for registering typo-squatted domains that resemble a legitimate news site or a site for a conference. This technique is used to trick victims into thinking that the domains are legitimate, which makes it more likely that the victims trust the domain and click the link sent in a spear-phishing email.
The following table contains a sample listing of typo-squatted domains used in the Outlook Web Application (OWA) spear-phishing attack.
More insights about the TTPs used in the DNC breach were revealed by researchers looking at the name server hosting information for the domain misdepatrment.com, which was spoofed during the attack. They identified that the spoofed domain was registered through a hosting service that is attractive to malicious actors because it allows buying domains with Bitcoin, which makes tracing the real actor’s identity difficult.
The following table lists examples of domain names spoofed by APT28 in some of their attacks.
In general, APT28 uses OSINT to identify and gather information about its target and then uses the collected information to prepare the initial attack. In most cases, this threat actor relies on spear-phishing during the initial compromise phase, where targets are tricked into visiting domains that appear similar to their own organization’s. The following table shows a common approach used by Sofacy.
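Lookalike domains such as the misdepatrment.com example above can be caught on the defensive side by comparing the domains users actually visit with the organization's own names. The following is an added example, not code from the chapter or from any of the cited reports: the proxy log lines are constructed, and misdepartment.com as the legitimate domain that the spoofed name imitates is an assumption for the example.

```python
import re

# Constructed proxy log lines (not from the chapter): timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2016-06-15T09:01:12Z 10.0.0.5 GET https://misdepartment.com/owa/ 200
2016-06-15T09:03:44Z 10.0.0.5 GET https://misdepatrment.com/owa/auth 200
2016-06-15T09:05:10Z 10.0.0.9 GET https://www.example.org/news/ 200
2016-06-15T09:07:31Z 10.0.0.9 GET https://mail.misdepartrnent.com/login 200
"""

def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and adjacent
    transposition each cost 1, so a letter swap such as 'patr' vs 'part' scores 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable_domain(url):
    # Host part of the URL reduced to its last two labels (naive, but fine for .com names).
    host = re.match(r"https?://([^/:]+)", url).group(1).lower()
    return ".".join(host.split(".")[-2:])

def find_lookalikes(log_text, own_domains, max_dist=2):
    """(client, domain, own_domain, distance) for every request whose registrable domain
    is within max_dist edits of one of our domains but is not one of them."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines
        client, url = fields[1], fields[3]
        dom = registrable_domain(url)
        if dom in own_domains:
            continue  # our real domain, nothing to flag
        for own in own_domains:
            dist = osa_distance(dom, own)
            if dist <= max_dist:
                hits.append((client, dom, own, dist))
                break
    return hits

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG, {"misdepartment.com"}):
        print("possible typo-squat: %s requested %s (looks like %s, distance %d)" % hit)
```

The same comparison applied to newly registered domains or to the sender domains of inbound mail gives early warning before a spear-phishing link is ever clicked.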
Real World example: APT30
The tactics APT30 uses for target selection correlate strongly with its interests. For example, in order to gain access to systems of targets who potentially possess valuable information about political instability in a certain region, APT30 was identified to be targeting members of the financial services, government or defense sectors of the area of interest. If the attackers managed to infiltrate systems in these sectors, they would be able to access valuable diplomatic or political information, which could then be leveraged according to the threat actor’s needs. While the collection of contact details is not documented, it is likely that techniques like OSINT are used to discover initial targets, since such entities commonly expose their contact details publicly, either because of legal regulations or by design of their business. Target selection continues after a successful compromise. For example, where initial targets were identified as working in a diplomatic environment, such as a press attaché, APT30 attackers could try to obtain the contact details of journalists the compromised person corresponds with and attack those contacts while impersonating the victim, which gives a perfect disguise for spear-phishing attacks.
Finally, target selection and prioritization is supported as a feature of the backdoor controller software. As shown in Figure 2, each infected machine can be assigned a comment and a priority level ranging from normal (leftmost option) to very important (rightmost option). This feature indicates that the malware is designed to keep close track of the group’s assets and to provide notification once the target is online (checkbox at the bottom).
Figure 2: Target prioritization feature in APT30 malware 