Home / Industry

WhoisXML API Publishes a New Study of 7 APT Groups That Have Targeted North America

In the past two decades, at least 41 advanced persistent threat (APT) groups have launched attacks on entities and organizations based in North America.

In a recent analysis, the WhoisXML API research team expanded lists of indicators of compromise (IoCs) related to seven APT groups that remained active as of 2023 and are currently targeting or have targeted the region in the past.

APT GROUPDESCRIPTION
APT33Iran-based APT33 has been active since at least 2013. It most recently targeted the aerospace and energy sectors in the U.S., Saudi Arabia, and South Korea using SHAMOON or Disttrack.
APT41China-based APT41 has been active since at least 2012. It most recently targeted organizations in the U.S. using WyrmSpy and DragonEgg.
FIN7Russia-based FIN7 has been active since at least 2013. It most recently targeted the finance, retail, restaurant, and hospitality industries in North America using various malware, including PowerTrash, Cl0p, and BlackMatter.
KimsukyNorth Korea-based Kimsuky has been active since at least 2012. While it most recently targeted research institutes in South Korea using RftRAT and Amadey, it has trailed its sights on various experts and think-tanks based in theU.S. in 2020as well.
MoleratsSaudi Arabia-based Molerats has been active since at least 2012. While it most recently targeted government entities in the Middle East, it has trailed its sights on organizations in Europe and theU.S. in 2014as well.
TurlaRussia-based Turla has been active since at least 2004. While it most recently targeted organizations in Ukraine, it has trailed its sights on entities in more than 50 countries, including theU.S. and Canada, in the past 20 years or so.
ZIRCONIUMChina-based ZIRCONIUM has been active since at least 2017. While it most recently targeted the industrial sector in Eastern Europe, it has trailed its sights on high-profile individuals related to the2020 U.S. presidential electionsas well.

Download our white paper “A Study of APT Groups Known for Targeting North American Countries” to explore our complete insights that leverage comprehensive current and historical WHOIS data.

Methodology

Our analysis began with compiling a list of 41 APT groups from the MITRE ATT&CK Groups and Mandiant APTs pages. We then filtered the list to include only the groups that met the following criteria:

  • Launched attacks in 2023
  • Are targeting or have targeted North America at some point in the past
  • Had available domain indicators of compromise (IoCs)
  • Have email-connected domains traceable through WhoisXML API solutions

We were left with seven APT groups—APT33, APT41, FIN7, Kimsuky, Molerats, Turla, and ZIRCONIUM—and 59 domains identified as IoCs across various security research blogs.1

Overall Findings

Our DNS deep dive into the 59 domain IoCs of the seven APT groups uncovered:

  • More than 140 email addresses via WHOIS History API, 47 of which were not redacted nor privacy-protected
  • More than 540 and 1,940 email-connected domains retrieved via reverse WHOIS searches from their current and historical WHOIS records, respectively
  • Hundreds of live email-connected domains identified via Screenshot API

Take a look at an extract from our white paper illustrating the findings for one of the APT groups.

A Deep Dive into APT33

Our researchers expanded a public list of nine domains identified as APT33 IoCs, which led to the discovery of:

  • 42 email addresses that could belong to the APT group’s members, 30 of which were redacted while 12 were public
  • 119 email-connected domains that contained some of the public email addresses in their current WHOIS records
  • 855 email-connected domains that had some of the public email addresses in their historical WHOIS records

APT groups like the seven featured in our North American study are likely to continue launching destructive attacks over time to steal national secrets, disrupt critical infrastructure operations, or worse so long as they remain unchecked. Our study shows that several cyber intelligence sources, specifically current and historical WHOIS records, can help unveil domain portfolios that could be linked to APT-related activities.

Want to know more about the seven APT groups and their email-connected domains? Download our complete white paper “A Study of APT Groups Known for Targeting North American Countries” now.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign