Advanced persistent threat (APT) groups are more dangerous than your run-of-the-mill cybercriminals. They, after all, trail their sights not only on financial gain but loftier targets such as wreaking havoc on entire nations.

The WhoisXML API research team expanded lists of indicators of compromise (IoCs) related to six Asia-Pacific (APAC)-based or -targeting APT groups that launched attacks in 2023, as shown in the table below.

Download the white paper now to explore our insights into the inner workings of the six APT groups.

Methodology

Our analysis began with compiling a list of 34 APT groups from the MITRE ATT&CK Groups and Mandiant APTs pages. We then filtered for groups that launched attacks in 2023, were based in or targeted APAC countries, and had published domains identified as IoCs.

We were left with six APT groups—APT29, APT32, Earth Lusca, Higaisa, Sandworm Team, and Higaisa. Next, we scoured security research blogs ¹ and collated 44 domains identified as IoCs in total.

Overall Findings

Our in-depth study of the six APT groups led to:

• More than 150 email addresses via WHOIS History API, 30 of which were not redacted nor privacy-protected
• More than 60 and 300 email-connected domains retrieved via reverse WHOIS searches for current and historical WHOIS records, respectively
• Several live email-connected domains determined via Screenshot API

A Closer Look at APT29

APT29, a Russia-based cyber espionage group said to have ties to the nation’s Foreign Intelligence Service (SVR) active since 2008, has trailed its sights on government networks across Europe and other North Atlantic Treaty Organization (NATO) member countries in the past. The group also reportedly attacked research institutes and think-tanks prior to its most recent target in the first half of 2023—Ukrainian organizations.

Our researchers expanded a public list of 11 domains identified as APT29 IoCs as part of the white paper, which led to the discovery of:

• Close to 30 email addresses that could belong to the APT group’s members, 17 of which were redacted while 11 were public
• 15 email-connected domains that contained some of the public email addresses in their current WHOIS records
• 203 email-connected domains that had some of the public email addresses in their historical WHOIS records

APT groups are bound to remain elusive since they are often backed by powerful and resourceful entities. Our research shows that several cyber intelligence sources can help provide more insights into APT-related activities.

Want to know more about the six APT groups? Download our complete white paper “2023 IoC List Expansion for APAC-Based/Targeting APT Groups: Leveraging Current and Historical WHOIS Data” now.