
The type of work the people working at an APT do is mainly office work, while it still is very much "hands-on-keyboard" work (so you cannot set an action to automatically occur when nobody is checking the results in the middle of the night). You might want to try shuffling this up when you are in charge, but your (usually highly skilled and expensive) employees probably don't want to be working weird shifts all the time. Especially when they have families.

It also may not be worth it. Generally APTs want to stay under the radar while they are executing. But after the goals have been reached, most of the time it doesn't matter much if they get attributed. We have yet to see real consequences against any APTs. So paying your employees more to work night shifts likely doesn't stack up against the consequences of attribution.



I have a hard time imagining these APT attacks are manual at the keyboard typing. That seems like an invention for entertainment, whereas I'd expect reality to be "run script & establish an ongoing backdoor" or "run script & perform attack". You might need on-call to flag if anything has gone wrong, but I'd have a hard time imagining the entire team is involved for that, so the cost of paying extra for an on-call is quite trivial vs the overall cost of the team. In industry that's not even compensated, since salaried employees don't get overtime, although I imagine that for government work the unions have negotiated this better.

EDIT: Huh, I guess sometimes it is like the movies:

> One of the frameworks used by TAO that was forensically uncovered during the incident named “NOPEN” requires human operation. As such, a lot of the attack required hands-on-keyboard and data analysis of the incident timeline showed 98% of all the attacks occurred during 9am – 16pm EST (US working hours).
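The "98% during US working hours" figure quoted above comes from a time-of-day analysis of attacker activity, a standard incident-response technique for profiling operator working hours. The following is an added Python example, not code from the thread or from any report it quotes: it takes UTC timestamps of interactive attacker actions (constructed sample data, not from a real incident), shifts them through candidate fixed UTC offsets, and reports which offset places the most activity inside a Monday-to-Friday 09:00-17:00 window. Fixed offsets and the 09:00-17:00 window are simplifying assumptions; a real analysis would handle DST and a larger event set.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of interactive attacker actions observed in
# host telemetry (e.g. shell commands issued through a backdoor). These values
# are invented for illustration and do not come from any real incident.
SAMPLE_EVENTS_UTC = [
    "2024-03-04T14:05:00Z", "2024-03-04T15:30:00Z", "2024-03-04T18:00:00Z",
    "2024-03-04T20:45:00Z", "2024-03-04T21:50:00Z",
    "2024-03-05T14:30:00Z", "2024-03-05T19:10:00Z", "2024-03-05T21:00:00Z",
    "2024-03-06T16:00:00Z", "2024-03-06T03:30:00Z",
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def working_hour_fraction(stamps, utc_offset_hours, start_hour=9, end_hour=17):
    """Fraction of events that land on a weekday between start_hour (inclusive)
    and end_hour (exclusive) once shifted to a fixed UTC offset.
    DST is deliberately ignored (assumption): a fixed offset is enough for a
    coarse comparison between candidate regions."""
    if not stamps:
        return 0.0
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for stamp in stamps:
        local = parse_utc(stamp).astimezone(local_tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(stamps)


def rank_offsets(stamps, offsets=range(-12, 15)):
    """Score every candidate UTC offset and return (offset, fraction) pairs,
    best first. One dominant offset is a weak but useful attribution hint;
    a flat profile across offsets points to automation or a follow-the-sun team."""
    scored = [(off, working_hour_fraction(stamps, off)) for off in offsets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for offset, frac in rank_offsets(SAMPLE_EVENTS_UTC)[:5]:
        print(f"UTC{offset:+d}: {frac:.0%} of events inside Mon-Fri 09:00-17:00")
```

On the constructed sample, UTC-5 is the only offset that fits nine of the ten events into the working-hour window; the one Wednesday 03:30 UTC event falls outside it, which is the kind of outlier worth checking against the rest of the timeline (scheduled task, automated beacon, or a different operator) before treating the profile as evidence of anything.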


On-call for a mission of this size sounds fairly unlikely, doesn't it?

You wouldn't spend hundreds of thousands of dollars on large scale attacks with lots of (temporary) infrastructure and planning to then yolo it at the last minute and hope that everything goes well and you have the results back when you come back on Monday.


> I have a hard time imagining these APT attacks are manual at the keyboard typing.

(My perspective on this comes from doing security assessments and pentests 10+ years ago. Take that for what it's worth.)

I think of it a little bit like robotic vs. human space missions.

A robot can gather a ton of data without human intervention. It can perform repeated mindless activities. A certain amount of contingency against unforeseen issues can be engineered in. Beyond the point of expected anomalies, though, the robot is going to fail (and perhaps expose your operation).

When it comes to reacting to rapidly changing mission conditions nothing beats a human in the loop. It's really hard to plan for all the peculiarities of any given environment. Intuition and experience play an immense role. Most of all, though, you may only get one shot before you're detected and stopped.


I wonder how APTs operate. I guess it is not too different from a well-funded corporate red team, but the stakes are higher and the opponents have an almost unlimited amount of resources.

Do we have any probe into the state-sponsored APT world? I wouldn't be surprised if there isn't any, but would like to know.



