APT attacks are conducted by highly sophisticated threat actors and are commonly associated with state-sponsored groups. These adversaries have emerged as a significant concern, and the ability to effectively identify and mitigate APT attacks remains a pressing issue for many organizations and countries.

Despite the aura of sophistication surrounding APT groups, and although it is difficult to identify them in cybercrime sources, the cybercrime ecosystem (forums, marketplaces, Telegram channels, etc.) is an important resource for APT groups when it comes to their operations. The cybercrime underground platforms enable the APT groups to obtain tooling to use in their attack chain, gather information during reconnaissance, leak or sell victim data to damage victim’s reputation, recruit skilled actors and more.

In this report, we show how APT groups not only access standard cybercrime sources, but are their active participants, as these sources are important in ensuring that their operations run successfully. Furthermore, we outline the importance of implementing recommendations for protecting an organization against APT attacks.