All About APT: Advanced Persistent Threats

By
Praveen Yeleswarapu
July 8, 2021

What does APT mean? Definition and examples

APT, or “Advanced Persistent Threat,” is a kind of stealthy cyberattack. The term traditionally applied to nation-state-sponsored cyber attacks, but in recent years, even non-nation state groups or criminals have been seen to conduct targeted intrusions on a large scale, with specific goals in mind. Typically these goals are related to political or industrial espionage or financial gain. They have also been associated with hacktivism or the intentions of causing destruction and chaos. By the time they are detected, a great deal of damage has already been done.

In this mode of cyber attack, a person or group remains undetected for a long time once they have gained unauthorized access to a secure network. The attackers strike with a specific goal in mind. They will typically have spent time and resources ahead of time to zero in on the vulnerabilities in the system. This lets them devise an attack that will stay under the radar for a long, long time. Custom malware may or may not be a component of such an attack. APTs allow the attackers to continually monitor and “sit in” on key communications, even classified ones.

Needless to say, pulling off advanced persistent threat-type attacks requires a high level of cyber sophistication and superlative hacking techniques. APT orchestrators must be capable of bypassing intrusion detection programs and anti-malware installations. APTs have to be built for the long haul, partly because the networks they plan to hit are extremely complex and well-guarded, quite impenetrable to automated techniques that can breach simpler targets.

The typical life cycle of an advanced persistent threat:

There are four main stages in an APT life cycle:

  1. Reconnaissance (recon)
  2. Initial compromise
  3. Securing access/Grabbing a strong foothold
  4. Data exfiltration

  1. Reconnaissance

This activity is performed to uncover specific, effective targets, both digital and human, and assess their susceptibility. During the recon stage the attackers also identify personnel within the organization who can be exploited to expedite a breach, or outside parties such as vendors and suppliers whose access can be abused to further the overall objective.

  2. Initial compromise

The attacker breaches the perimeter and gains access to the system. This is accomplished in one of many ways, including custom-designed malware or highly sophisticated spear phishing campaigns. The phishing emails are crafted so expertly that they can fool an experienced eye, and look legitimate enough for the target to click the embedded hyperlinks or open the attachments without suspicion. The aim of these campaigns is to harvest the passwords, personal details and credentials of key employees. People can be tricked into handing over their credentials through fake “security alerts” that prompt them to change their password, among other details.

In addition, the attackers can lure the employees of the organization to a malware-loaded website. Visiting it triggers malware downloads and the target system is breached. Another strategy for depositing the malware is to leave malware-containing USBs around the target office, in the hope that someone plugs it in.

  3. Securing access

Once the target has been breached, the attacker’s next step is to avoid getting kicked out of the system. In addition to securing a strong foothold, the goal is to broaden the initial compromise’s footprint to make sure that access is not lost even if one of the breaches gets discovered. The threat actors accomplish this by moving laterally: expanding and escalating their own privileges once they’ve breached the system.

  4. Data exfiltration

This is the final phase of the life cycle of an advanced persistent threat: the desired information is located, acquired, possibly encrypted, and extracted from the system straight into the custody of the attacker. All that remains is to wipe all traces of the attack and bury any information that may point to the source of the breach.

Strategies to block advanced persistent threats:

It is important to take security seriously and base strategies on the understanding that systems, however sound, can be breached. Constantly upping the protection level of sensitive files as technology evolves is of utmost importance.

Detection and prevention are the two equally important pillars of keeping an advanced persistent threat out of the system. Prevention serves to slow down an attack and give the organization some leeway to detect who the intruder might be.

Some of the technologies essential to preventing APTs include:

  1. Behavior-Driven Anomaly Detection

The system can be trained to flag any activity or profile that can be classified as an “outlier,” a deviation from what has been defined as normal and acceptable. The trouble begins when a savvy intruder is capable of making the anomaly look normal and thus coasting under the radar. Even so, behavior-driven anomaly detection across users, entities and network traffic is a necessary filter to isolate an attack and provide actionable information about the adversary.

  2. Application-aware firewalls or devices

These are the next level of firewalls, which have kept up with the latest changes in technology and thus provide a higher degree of protection against APTs. They are capable of blocking attacks even before they make it into the organization’s network. This technology also provides other advantages that add up to cost savings as well as a faster response to incidents or attacks. The most significant one is visibility of the incoming threat trails along with their context.

Well-known examples and nomenclature of advanced persistent threats

Many advanced persistent threats have been uncovered, and they are given numbers as well as multiple names. This happens because each cybersecurity outfit gives an APT its own name. For instance, APT29, a Russian cyber threat actor, is also referred to as Cozy Duke, Cozy Bear and, for some reason, Office Monkeys, among others. New APTs are being discovered all the time.

These are some famous examples of APTs:

Deep Panda: Deep Panda is believed to be a cyber-intrusion outfit with ties to China that targets vital sectors such as defense, industry, government and telecommunications for espionage purposes and for selling compromised environments to the highest bidders.

Helix Kitten: Helix Kitten is thought to be a group based in Iran, active since 2014. Its reach extends mostly to the Middle East, targeting the energy, finance, government, aerospace, communications and hospitality sectors.

The GhostNet attacks: An early and highly sophisticated APT, first uncovered in March 2009, with possible ties to China. GhostNet is believed to have compromised a range of economic, media and political targets across nearly 103 countries.

To protect your organization against advanced persistent threats, continually sweep for spear phishing campaigns targeted at key or high-level employees. Also keep a lookout for logins at odd hours. Unexpected data flows are another tell-tale sign.
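The behavior-driven anomaly detection described earlier and the two tell-tale signs named here (logins at odd hours and unexpected data flows) can be turned into a small detector. The script below is an added example and not code from the original article: it learns a per-user baseline (usual login hours, mean and standard deviation of daily outbound bytes) from a constructed window of log lines, then flags new events that deviate from it. The log line format, the user names and all byte counts are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (not real data). The line format is an assumption
# made for this example:  <ISO timestamp> user=<name> event=<login|egress> bytes=<n>
BASELINE_LOG = """
2021-06-01T09:02:11 user=alice event=login bytes=0
2021-06-01T17:40:02 user=alice event=egress bytes=52000000
2021-06-02T08:55:40 user=alice event=login bytes=0
2021-06-02T17:45:12 user=alice event=egress bytes=48000000
2021-06-03T09:10:05 user=alice event=login bytes=0
2021-06-03T18:01:30 user=alice event=egress bytes=55000000
2021-06-01T08:30:00 user=bob event=login bytes=0
2021-06-01T16:00:00 user=bob event=egress bytes=10000000
2021-06-02T08:35:00 user=bob event=login bytes=0
2021-06-02T16:10:00 user=bob event=egress bytes=12000000
2021-06-03T08:40:00 user=bob event=login bytes=0
2021-06-03T16:20:00 user=bob event=egress bytes=9000000
"""

# Constructed events from a later day: alice logs in at 03:14 and pushes ~2 GB out.
NEW_LOG = """
2021-06-08T03:14:07 user=alice event=login bytes=0
2021-06-08T03:40:00 user=alice event=egress bytes=2100000000
2021-06-08T08:37:00 user=bob event=login bytes=0
2021-06-08T16:05:00 user=bob event=egress bytes=11000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"event=(?P<event>login|egress) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = m.group("ts")
        events.append({
            "ts": ts, "date": ts[:10], "hour": int(ts[11:13]),
            "user": m.group("user"), "event": m.group("event"),
            "bytes": int(m.group("bytes")),
        })
    return events


def build_baseline(events):
    """Per user: the hours they normally log in at, and their daily egress profile."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "login":
            hours[e["user"]].add(e["hour"])
        else:
            daily[e["user"]][e["date"]] += e["bytes"]
    baseline = {}
    for user in set(hours) | set(daily):
        totals = list(daily[user].values()) or [0]
        baseline[user] = {"hours": hours[user], "mean": mean(totals), "stdev": pstdev(totals)}
    return baseline


def detect(events, baseline, hour_slack=1, sigma=3.0):
    """Flag logins outside a user's usual hours and daily egress far above their norm."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        prof = baseline.get(e["user"])
        if prof is None:
            # An account with no history at all is itself worth a look.
            alerts.append({"user": e["user"], "type": "unknown_user", "detail": e["ts"]})
            continue
        if e["event"] == "login":
            if not any(abs(e["hour"] - h) <= hour_slack for h in prof["hours"]):
                alerts.append({"user": e["user"], "type": "odd_hour_login", "detail": e["ts"]})
        else:
            daily[e["user"]][e["date"]] += e["bytes"]
    for user, days in daily.items():
        prof = baseline[user]
        # Sigma rule plus an absolute 2x guard so a near-zero stdev cannot fire on noise.
        threshold = max(prof["mean"] + sigma * prof["stdev"], 2 * prof["mean"])
        for date, total in sorted(days.items()):
            if total > threshold:
                alerts.append({"user": user, "type": "unexpected_egress",
                               "detail": f"{date}: {total} bytes vs threshold {threshold:.0f}"})
    return alerts


def run_detection():
    """Learn the baseline from the constructed window and score the later events."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(NEW_LOG), baseline)


if __name__ == "__main__":
    for a in run_detection():
        print(f"[{a['type']}] {a['user']}: {a['detail']}")
```

Run as written, the detector raises two alerts, both for alice (the 03:14 login and the 2.1 GB day), and stays quiet for bob. A real deployment would learn the baseline over weeks rather than three days and would key egress on destination as well as volume, but the shape is the same: define normal per user, then report what falls outside it.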

Constantly update your software and apply the “principle of least privilege” and “need to know” principles when granting employees access. Deploy a comprehensive cybersecurity solution and keep secure, off-site backups of all your data.