APT Groups Make Quadruple What They Spend on Attack Tools

Published: 23/11/2024   Category: security




Some advanced persistent threat actors can spend north of $1 million on attacks, but the return on that investment can be huge.



Advanced persistent threat (APT) groups can sometimes spend a substantial amount of money mounting attacks on large, well-protected organizations. But for every dollar they spend, the payoff can be four times as much or more, a new study from Positive Technologies has found.
The security vendor analyzed the tools and tactics that 29 active APT groups are currently using in campaigns worldwide against organizations in multiple sectors, including finance, manufacturing, and government.
For the analysis, Positive Technologies looked at how much these groups spend, on average, to gain initial access to a target network and how much they spend on developing the attack after they gain a foothold. The security vendor considered data both for financially motivated APT groups and, separately, for groups focused on cyberespionage. The data was obtained from Positive Technologies' monitoring of active threat groups and from Dark Web and publicly available sources.
The exercise shows that the starting price for a full set of tools for attacks on large financial enterprises can be as high as $55,000, while some cyberespionage campaigns can start at over $500,000. But when the attacks are successful, the payoffs can be enormous as well.
For instance, Silence, a well-known, financially motivated cybercrime group, last year stole the equivalent of $930,000 from Russia's PIR Bank. To pull off the caper, the group likely spent about $66,000 upfront on tools for creating malicious email attachments, stealing from the bank's ATMs, spying on the bank's employees, and on other legitimate penetration testing tools and homegrown malware, Positive Technologies estimates.
In addition, Silence likely forked out between 15% and 50% of the loot on money mules and other services that actually withdrew cash from PIR Bank's ATMs, still leaving the threat actor with substantially more than it spent.
The potential benefit from an attack far exceeds the cost of a starter kit, says Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies. For groups like Silence, the profit from one attack is typically more than quadruple the cost of the attack toolset, she says.
The ROI for some APT groups can be orders of magnitude higher. Positive Technologies, for instance, estimated that APT38, a profit-driven threat group with suspected backing from the North Korean government, spends more than $500,000 on carrying out attacks on financial institutions but gets over $41 million in return on average. Much of what APT38 spends goes on tools similar to those used by groups engaged in cyberespionage campaigns.
Building an effective system of protection against APTs can be expensive, Galloway says. For most organizations that have experienced an APT attack, the cost of restoring infrastructure in many cases is the main item of expenditure. It can be much more than direct financial damage from an attack, she says.
Positive Technologies' breakdown of attack costs shows that financially motivated APT groups typically spend relatively little on gaining initial access. In nine out of 10 attacks, the threat actors use spear-phishing to penetrate the company's internal network.
From $100 to Over $1 Million
Tools for creating the malicious attachments used in these email campaigns (exploit builders) can range from as little as $300 to $2,500 for a monthly subscription to services for creating documents with malicious content. In some cases, exploit builders can cost substantially more. Positive Technologies estimates that the Cobalt Group, a group associated with attacks on numerous financial institutions, in 2017 paid $10,000 for malware it used in phishing emails to exploit a remote code execution vulnerability in Microsoft Office.
Meanwhile, APT groups that are focused on spying and cyberespionage rarely buy their initial access tools from Dark Web marketplaces and instead tend to use custom exploit builders. Prices for these are impossible to estimate, but evidence shows such groups are willing to pay as much as $20,000 for these tools, Positive Technologies said. For zero-day vulnerabilities, some APT groups don't flinch at paying as much as $1 million.
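Because the builders described above turn an ordinary-looking Office or RTF attachment into the initial-access vector, the first check a defender wants is a cheap, offline triage of the attachment itself: does it carry a VBA project, an embedded or remotely linked OLE object, or a remote template? The following is an added example written for this page (it is not Positive Technologies' code and does not reproduce any specific builder's output); the sample documents are constructed in memory, the IP and hostnames in them are made up, and the set of relationship types treated as suspicious is an assumption you should tune.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (Compound File) header
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that rarely point outside the package in legitimate documents;
# an External target of one of these is how remote-template and OLE-link lures load (assumed list).
SUSPICIOUS_EXTERNAL_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument"}


def triage_office(blob):
    """Return an indicator dict for one attachment given as bytes (OOXML, legacy OLE or RTF)."""
    ind = {"container": "unknown", "has_macro": False, "embedded_objects": [],
           "external_rels": [], "rtf_objects": False}
    if blob.startswith(OLE_MAGIC):
        ind["container"] = "ole"      # legacy .doc/.xls: hand to an OLE parser for macro/object checks
        return ind
    if blob.lstrip().startswith(b"{\\rtf"):
        ind["container"] = "rtf"
        # \objdata carries an embedded OLE object; \objupdate forces it to load when the file opens
        ind["rtf_objects"] = re.search(rb"\\obj(data|update)\b", blob) is not None
        return ind
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return ind
    ind["container"] = "ooxml"
    names = zf.namelist()
    ind["has_macro"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    ind["embedded_objects"] = [n for n in names if "/embeddings/" in n]
    for n in names:
        if not n.endswith(".rels"):
            continue
        for rel in ET.fromstring(zf.read(n)).iter(RELS_NS + "Relationship"):
            if rel.get("TargetMode") == "External":
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                ind["external_rels"].append((n, rtype, rel.get("Target")))
    return ind


def verdict(ind):
    """Collapse indicators into a triage level. Hyperlinks are External too, so the type matters."""
    reasons = []
    if ind["has_macro"]:
        reasons.append("vba-macro")
    if ind["rtf_objects"]:
        reasons.append("rtf-ole-object")
    for _, rtype, target in ind["external_rels"]:
        if rtype in SUSPICIOUS_EXTERNAL_TYPES:
            reasons.append("external-%s:%s" % (rtype, target))
    if reasons:
        return "high", reasons
    if ind["embedded_objects"] or ind["container"] == "ole":
        return "medium", ["needs-object-analysis"]
    return "low", []


def build_docx(extra):
    """Constructed minimal DOCX package (not a real attachment) with extra parts added."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        for name, data in extra.items():
            zf.writestr(name, data)
    return buf.getvalue()


# One benign hyperlink plus one remote OLE link (constructed; 192.0.2.10 is a documentation address).
RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
        ' Target="https://example.com/" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
        ' Target="http://192.0.2.10/payload.hta" TargetMode="External"/>'
        '</Relationships>')

SAMPLES = {
    "clean.docx": build_docx({}),
    "macro.docm": build_docx({"word/vbaProject.bin": b"\x00" * 32}),
    "remote_ole.docx": build_docx({"word/_rels/document.xml.rels": RELS}),
    "lure.rtf": b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 0105000002000000}}}",
    "legacy.doc": OLE_MAGIC + b"\x00" * 504,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, verdict(triage_office(blob)))
```

The point of `verdict` is the type filter: almost every real document has `TargetMode="External"` hyperlinks, so flagging on the attribute alone drowns the analyst; flagging only object, template, frame and sub-document links keeps the signal. Legacy OLE files and embedded objects are deliberately left at "medium" because this script does not parse them; route those to a proper OLE parser rather than calling them clean.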
Once inside a network, APT groups, both the financially motivated ones and the cyberspies, tend to rely heavily on legitimate, publicly available tools and custom products rather than Dark Web tools. The most commonly used legitimate tools are penetration-testing platforms such as Cobalt Strike and Metasploit, Galloway says. Legitimate administration utilities, such as the Sysinternals Suite, and remote access tools, like TeamViewer, Radmin, and Ammyy Admin, are all popular as well.
While these tools can be obtained legally via public channels, APT actors are often forced to shop for them in underground forums because some vendors vet their buyers before selling to them. Prices for these tools can range from as little as $100 for a modified version of TeamViewer to $15,000 for a modified version of Metasploit Pro with one year of technical support.
The cost of some specialized tools that APT groups use can be relatively steep. Tools for escalating OS privileges can easily cost $10,000, while those that take advantage of zero-day vulnerabilities in Adobe products, for instance, can fetch over $130,000. Positive Technologies estimates that cyber espionage group FinSpy has spent some $1.6 million on FinFisher, a framework that allows it to spy on users through webcam and microphone, capture email and chat messages, steal sensitive data, and employ a variety of anti-analysis techniques.
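The practical consequence of the two paragraphs above is that post-compromise activity often looks like an administrator's toolbox, and a "modified" copy of TeamViewer or PsExec may be renamed on disk. One detection that survives the rename is comparing the on-disk name with the PE header's OriginalFileName, which Sysmon process-creation events record. The following is an added example written for this page, not code from Positive Technologies or from any of the vendors named: the log lines are constructed, the hosts, users and paths in them are invented, and the OriginalFileName values for the tools are assumptions to be confirmed against the binaries in your own estate.

```python
import json
import ntpath

# PE OriginalFileName values for the legitimate tools the article lists (assumed values;
# confirm against real binaries and extend the map to whatever your telemetry sees).
REMOTE_ADMIN_TOOLS = {
    "teamviewer.exe": "TeamViewer", "teamviewer_service.exe": "TeamViewer",
    "radmin.exe": "Radmin", "rserver3.exe": "Radmin",
    "aa_v3.exe": "Ammyy Admin",
}
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_events(jsonl):
    """Parse one Sysmon-style process-creation event per line (field names follow Sysmon Event ID 1)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(ev):
    """Return alert tags for a single event; an empty list means nothing matched."""
    image = ev.get("Image", "")
    base = ntpath.basename(image).lower()
    orig = ev.get("OriginalFileName", "").lower()
    alerts = []
    if orig in REMOTE_ADMIN_TOOLS:
        alerts.append("remote-admin-tool:" + REMOTE_ADMIN_TOOLS[orig])
    if orig in PSEXEC_NAMES:
        alerts.append("psexec")
    # The PE header's OriginalFileName survives a rename on disk: a renamed TeamViewer
    # still reports TeamViewer.exe even when it runs as svchost.exe from a temp folder.
    if orig and base != orig:
        alerts.append("renamed-binary:%s->%s" % (orig, base))
    if alerts and any(h in image.lower() for h in USER_WRITABLE_HINTS):
        alerts.append("user-writable-path")
    return alerts


def severity(alerts):
    """Rank: a known tool that is renamed or runs from a user-writable path outranks a plain install."""
    if any(a.startswith("renamed-binary") for a in alerts) or "user-writable-path" in alerts:
        return "high"
    if alerts:
        return "medium"   # legitimately installed tool: verify against change records and the user
    return "none"


def run(jsonl):
    """Return (host, image, alerts, severity) for every event that raised at least one alert."""
    hits = []
    for ev in parse_events(jsonl):
        alerts = detect(ev)
        if alerts:
            hits.append((ev.get("Computer"), ev.get("Image"), alerts, severity(alerts)))
    return hits


# Constructed sample telemetry (not real logs): hosts, users and paths are made up.
SAMPLE_LOG = r"""
{"Computer": "WS-0412", "User": "CORP\\helpdesk", "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "OriginalFileName": "TeamViewer.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Computer": "WS-0417", "User": "CORP\\jsmith", "Image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\svchost.exe", "OriginalFileName": "TeamViewer.exe", "ParentImage": "C:\\Windows\\System32\\WScript.exe"}
{"Computer": "FS-01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Computer": "WS-0412", "User": "CORP\\helpdesk", "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for hit in run(SAMPLE_LOG):
        print(hit)
```

The rename check is deliberately not applied to every process: plenty of legitimate software ships with an OriginalFileName that differs from its on-disk name, so the example only raises `renamed-binary` alongside another match. A helpdesk-installed TeamViewer under Program Files is reported at "medium" so the analyst can close it against a change record, while the same binary under a user's Temp folder with a script host as parent is the case Galloway's "modified version of TeamViewer" describes.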
These tools can be hard to defend against, which is why many APT groups are willing to spend on them. It is almost impossible to stop APT attacks at the stage of infrastructure penetration, and it is extremely difficult to do it at the stages of consolidation and distribution in the infrastructure, Galloway says.