The APT Logical Fallacy: More Harm Than Good
The problem arises when a decision is made by company executives or government officials to label such an attack an "Advanced Persistent Threat". First, the name itself is an oxymoron if it's used to describe what happened. Once an attack has occurred, you can't call it a "threat": someone acted against you; they didn't threaten to act. And a spear phishing attack isn't "advanced". It's rather mundane, albeit effective. Granted, the payload may be advanced, but it doesn't have to be.
If you belong to the "APT is a Who" school, like my friends at Mandiant and the U.S. Air Force (who use my book in their cyber certification courses, by the way), then APT is a code word meaning "China". No such code word exists for other countries that use targeted spear phishing attacks, which is where the logical fallacy in the title of this post comes into play. Its proponents say that's because no other country engages in this type of attack. Simply put, Eastern European hackers rob banks, Chinese hackers steal IP. End of story. So when an incident occurs that involves a non-financial organization like Battelle, the IMF, or an energy company, and the attack vector is a targeted email with a malicious payload, the culprit must be China. Why? Because it fits the modus operandi of the APT.
When you diagram that belief as a logical syllogism, it might look like this:
Major Premise: A targeted spear phishing attack against ABC company (a non-financial target) is an APT.
Minor Premise: All APT attacks originate from China.
Conclusion: China attacked ABC company.
Unfortunately for APT advocates, the evidence presented often doesn't support this logic when it relies on IP addresses based in China. See my earlier post on the fallacy of Chinese IP addresses. It also ignores the fact that Ukrainian, Romanian, Russian, and other Eastern European hackers have moved from financial crime to IP-related attacks using the spear phishing model and the Zeus (aka Zbot) trojan as far back as January 2010, and have continued to the present day. NetWitness released an excellent report on the Kneber botnet, which is responsible for compromising data from about 2,500 corporate and government organizations worldwide. Chinese IP addresses figure prominently in these attacks, yet the responsible parties are Eastern European hacker crews who would find a receptive audience among the Russian Federation security services for at least some of the exfiltrated data.
[Figure: Domains registered to Hilary Kneber. Part of an UNCLASS briefing to COS USSTRATCOM, 16 JUN 10.]
Cisco White Paper, "Email Attacks: This Time It's Personal", June 2011
NetWitness White Paper, "The Kneber Botnet: A Zeus Discovery and Analysis", released January 2010