Our public sector under siege: APT activity on the darknet

April 14, 2021

The appropriately named ‘advanced persistent threat’ or APT, is a particular type of cybercriminal group. They are ‘advanced’ in their intelligence and in the resources at their disposal. They are ‘persistent’ in targeting their victims’ networks over extended periods of time. They are a ‘threat’ because they have the means and the motive. In short, if your organisation is targeted by one of these groups, you have a serious problem.

The darknet provides the route for APTs to commit cyber terrorism against governments and across all types of industry on a daily basis. While we are familiar with the darknet as the preserve of lone hackers and miscreants, APT activity has evolved darknet threats to world-order levels.

Most APTs are backed by hostile nation states, either directly connected to the nation's military or intelligence services, or operating at arm’s length but with state funding and support. Russian APTs are generally more advanced than those from Iran, and Chinese APTs have different long-term goals to those in North Korea, but they have one thing in common - they are all after your highly valuable data.                                                    

The target

The most appealing targets are those with large amounts of valuable data to steal, with the highest value ‘items’ being scientific research, and personally identifiable data. This is exactly the type of data that is contained within the UK’s health and education sectors, which is why we see NHS, HE, and FE organisations being so heavily targeted.

An APT will persist until it gains entry to a victim’s network, where they might remain undetected for several months, continuously extracting small amounts of data via the darknet until they have completed their task, or are eventually discovered.1

By the time anyone is aware of what has happened, it is probably too late - the APT is now holding all the cards. They are in a position to ransom the organisation by encrypting their data, effectively crippling service until the victim pays up. And even if the victim is able to restore service without paying, the APT has a hostage in the form of the victim’s sensitive and valuable data which can be held to ransom against the threat of publishing it on the dark web.

The cost

Recent attacks on NHS, HE, and FE organisations in the UK are a particular cause for concern. News headlines proclaiming “Tens of thousands of patient records posted to dark web” and “Dark web: Hackers sell doctors' identities for $500 in disturbing new trend” tell the stories behind the equally alarming statistics. Research shows a 45% increase in the number of global attacks on healthcare organisations in the last two months of 2020. This is double the already alarming increase of 22% across all sectors for the same period.

The financial cost of an attack doesn’t stop once the APT has been paid to release its hostage data. Targeted organisations face the additional costs of repairing whatever damage has been caused to their systems, as well as the possibility of large regulatory fines5. IBM’s 2020 data breach report puts the global average cost of an attack across all industries at £3.09m, rising to an average of £5.70m in healthcare.6

But what about the human cost? Healthcare and educational organisations deal first and foremost with people. These are the same people who will inevitably find themselves on the frontline of any attack. If an organisation is driven offline by an APT, the students or patients who rely on that service face potential chaos. Recent attacks against UK universities and colleges have resulted in cancelled exams, interrupted access to services, and forced students off campus - compounding any issues already caused by Covid-19.7

In the worst-case scenario, as happened in the case of the attack on Düsseldorf University Hospital in September 2020, the disruption of an attack could even result in loss of life.8 These are costs that nobody can afford to pay.

What next

APTs will continue to take advantage of the fact that most organisations are unable to monitor the darknet traffic in and around their networks. In a perfect storm for cybercrime, Covid-19 has allowed APTs to exploit the logistical and psychological stresses that remote working has created for most organisations. It has also provided APTs with another high value target in the form of new vaccine research and data. 

ITGL’s dark intelligence surveillance team is at the forefront of monitoring darknet connections in and out of organisations’ networks. We can help uncover threats you were unaware of, enhancing intelligence into your IT team, and potentially aiding criminal investigation and forensic analysis.

As we correlate data across the health sector and education sectors, we are able to observe patterns and similarities in organisations’ relationships with the darknet and the signature traits of APT groups, to gain more insight into attack patterns across these sectors.

We are disseminating our data findings to CISOs, SIROs, and security professionals across the UK public sectors. If you are interested in being part of our trial work, or would like to understand the potential threats your organisation faces, then talk to us at security@itgl.com.
ITGL Cybersecurity Practice


  1. IBM’s 2020 Cost of a Data Breach Report states a global average of 280 days to identify and contain a breach
  2. https://www.healthcareitnews.com/news/tens-thousands-patient-records-posted-dark-web
  3. https://www.independent.co.uk/life-style/gadgets-and-tech/news/dark-web-hackers-doctor-identities-medical-records-cyber-crime-a8943581.html
  4. https://www.checkpoint.com/downloads/resources/cyber-security-report-2021
  5. The UK GDPR and DPA 2018 sets a maximum fine of £17.5 million or 4% of annual global turnover (whichever is greater)
  6. https://www.ibm.com/security/digital-assets/cost-data-breach-report
  7. https://feweek.co.uk/2021/03/15/college-group-closes-all-campuses-for-a-week-following-major-cyber-attack/
  8. https://www.bbc.co.uk/news/technology-54204356