The assets of well-off companies and governments have always attracted attackers. That’s why potential targets commit considerable resources to securing their information. Gartner estimates that worldwide expenditures on digital security will exceed $124 billion this year. But attackers rarely give up on a target even if their first attempts are unsuccessful. According to FireEye statistics, 64 percent of companies attacked in 2018 were attacked again in the following 19 months. A cyberattack against a company with a well-organized protection system is time-consuming and expensive, and it requires special knowledge and tools. Multistage, well-planned, and organized attacks targeting a specific industry or company are called advanced persistent threats (APTs). To conduct such attacks, hackers form criminal groups, known as APT groups. It’s extremely difficult to detect an APT attack when it is underway.
After obtaining a foothold in a company’s infrastructure, criminals can stay there unnoticed for years. For example, the cybersecurity team at German pharmaceutical giant Bayer observed malware activity for over a year. The longest presence of attackers on a network, as measured by the PT Expert Security Center (PT ESC), was over eight years. However, profit-driven cybercriminals prefer to act quickly. Cosmos Bank fell victim to a cyberattack by the Lazarus Group, which stole $13.5 million in just three days. In other words, criminals’ behavior, techniques, and tools depend on their target. In this research, we will try to assess the cost of tools used for APT attacks and how easily these tools can be obtained. We will also analyze how attackers choose their tools based on their target. We hope that our study will help security decision-makers better protect their systems from industry-specific attacks.