An advanced persistent threat (APT) is a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time.
APT attacks are initiated to steal data rather than cause damage to the target organization's network.
The goal of most APT attacks is to achieve and maintain ongoing access to the targeted network rather than to get in and out as quickly as possible. Because a great deal of effort and resources can go into carrying out APT attacks, hackers typically select high-value targets, such as nation-states and large corporations, with the goal of stealing information over a long period of time.
To gain access, APT groups often use advanced attack methods, including advanced exploits of zero-day vulnerabilities, as well as highly-targeted spear phishing and other social engineering techniques. To maintain access to the targeted network without being discovered, threat actors will continuously rewrite malicious code to avoid detection and other sophisticated evasion techniques. Some APTs are so complex that they require full-time administrators to maintain the compromised systems and software in the targeted network.
The motives of advanced persistent threat actors are varied. For example, attackers sponsored by nation-states may target intellectual property to gain a competitive advantage in certain industries. Other targets may include power distribution and telecommunications utilities and other infrastructure systems, social media, media organizations, and electoral and other political targets. Organized crime groups may sponsor advanced persistent threats to gain information they can use to carry out criminal acts for financial gain.
Although APT attacks can be difficult to identify, data theft is never completely undetectable. However, the act of exfiltrating data from an organization may be the only clue defenders have that their networks are under attack. Cybersecurity professionals often focus on detecting anomalies in outbound data to see if the network has been the target of an APT attack.
How an APT attack works
Attackers executing APTs typically take the following sequential approach to gain and maintain ongoing access to a target:
- Gain access. APT groups gain access to a target by targeting systems through the internet. Normally, through spear phishing emails or via an application vulnerability with the intention of leveraging any access by inserting malicious software into the target.
- Establish a foothold. After gaining access to the target, threat actors use their access to do further reconnaissance. They use the malware they've installed to create networks of backdoors and tunnels to move around unnoticed. APTs may use advanced malware techniques such as code rewriting to cover their tracks.
- Gain even greater access. Once inside the targeted network, APT actors may use methods such as password cracking to gain administrative rights. This gives them more control of the system and get even deeper levels of access.
- Move laterally. Once threat actors have breached their target systems, including gaining administrator rights, they can then move around the enterprise network at will. They can also attempt to access other servers, as well as other secure areas of the network.
- Stage the attack. At this point, the hackers centralize, encrypt and compress the data so they can exfiltrate it.
- Take the data. The attackers harvest the data and transfer it to their own system.
- Remain until they're detected. Cybercriminals can repeat this process for long periods of time until they're detected, or they can create a backdoor so they can access the system again later.
Examples of advanced persistent threats
APTs are usually assigned names by their discoverers, though many advanced persistent threat attacks have been discovered by more than one researcher, so some are known by more than one name.
Advanced persistent threats have been detected since the early 2000s, and they date back as far as 2003 when China-based hackers ran the Titan Rain campaign against U.S. government targets in an attempt to steal sensitive state secrets. The attackers targeted military data and launched APT attacks on the high-end systems of government agencies, including NASA and the FBI. Security analysts pointed to the Chinese People's Liberation Army as the source of the attacks.
Some examples of advanced persistent threats include:
- The Sykipot APT malware family exploits flaws in Adobe Reader and Acrobat. It was detected in 2006, and further attacks using the malware reportedly continued through 2013. Threat actors used the Sykipot malware family as part of a long-running series of cyberattacks, mainly targeting U.S. and U.K. organizations. The hackers used a spear phishing attack that included links and malicious attachments containing zero-day exploits in targeted emails.
- The GhostNet cyberespionage operation was discovered in 2009. Executed from China, the attacks were initiated via spear phishing emails containing malicious attachments. The attacks compromised computers in more than 100 countries. The attackers focused on gaining access to the network devices of government ministries and embassies. These attacks enabled the hackers to control these compromised devices, turning them into listening and recording devices by remotely switching on their cameras and audio recording capabilities.
- The Stuxnet worm used to attack Iran's nuclear program was detected by cybersecurity researchers in 2010. It is still considered to be one of the most sophisticated pieces of malware ever detected. The malware targeted SCADA (supervisory control and data acquisition) systems and was spread with infected USB devices. The U.S. and Israel have both been linked to the development of Stuxnet, and while neither nation has officially acknowledged its role in developing it, there have been unofficial confirmations that they were responsible for Stuxnet.
- APT28, the Russian advanced persistent threat group also known as Fancy Bear, Pawn Storm, Sofacy Group and Sednit, was identified by researchers at Trend Micro in 2014. APT28 has been linked to attacks against military and government targets in Eastern Europe, including Ukraine and Georgia, as well as campaigns targeting NATO organizations and U.S. defense contractors.
- APT29, the Russian advanced persistent threat group also known as Cozy Bear, has been linked to a number of attacks, including a 2015 spear phishing attack on the Pentagon, as well as the 2016 attacks on the Democratic National Committee.
- APT34, an advanced persistent threat group linked to Iran, was identified in 2017 by researchers at FireEye, but has been active since at least 2014. The threat group has targeted companies in the Middle East with attacks against financial, government, energy, chemical and telecommunications companies.
- APT37, also known as Reaper, StarCruft and Group 123, is an advanced persistent threat linked to North Korea that is believed to have originated around 2012. APT37 has been connected to spear phishing attacks exploiting an Adobe Flash zero-day vulnerability.
Characteristics of advanced persistent threats
Advanced persistent threats often exhibit certain characteristics reflecting the high degree of and coordination necessary to breach high-value targets.
Most APTs are carried out in multiple phases, reflecting the same basic sequence of gaining access, maintaining and expanding access, and attempting to remain undetected in the victim network until the goals of the attack have been accomplished.
Advanced persistent threats are also distinguished by their focus on establishing multiple points of compromise. APTs usually attempt to establish multiple points of entry to the targeted networks, which enables them to retain access even if the malicious activity is discovered and incident response is triggered, enabling cybersecurity defenders to close one compromise.
Detecting advanced persistent threats
Advanced persistent threats have certain warning signs despite typically being hard to detect. An organization may notice certain symptoms after it has been targeted by an APT, including:
- unusual activity on user accounts;
- extensive use of backdoor Trojan horse malware, a method that enables APTs to maintain access;
- odd or uncharacteristic database activity, such as a sudden increase in database operations involving massive quantities of data; and
- presence of unusual data files, which may indicate data that has been bundled into files to assist in the exfiltration process.
Detecting anomalies in outbound data is perhaps the best way for cybersecurity professionals to determine if a network has been the target of an APT attack.
