Skip to main content

Anatomy of APT: Advanced Persistent Threat Guide

Advanced Persistent Threat (APT) refers to complex network attacks that include many phases and distinct attack methods. APTs are not attacks that are developed or carried out on the spur of the moment. Instead, attackers carefully prepare their attack techniques against particular targets and execute the attack over an extended period.

Recent years have seen an upsurge in advanced persistent attacks designed to exploit the infrastructure's fragility. APT hackers and malware are more pervasive and sophisticated than ever before.

Advanced Persistent Threats are motivated by financial gain or political espionage. Initially, APTs were mostly connected with nation-state attackers attempting to steal government or corporate secrets. Currently, cybercriminals utilize APTs to steal data or intellectual property that they can sell or otherwise profit from. Professional hackers are employed by their government or related sectors, hacking certain firms and targets is their full-time occupation. They may access private information, insert malicious malware, or install covert backdoor programs that let them re-enter the target network or machine at will.

In this article, we will explain the notion of an APT, its common characteristics, and the phases of an APT attack. In addition, we will present examples of APTs, including GhostNet and Stuxnet, and discuss APT detection and protection strategies.

What is an Advanced Persistent Threat Attack?

APT is an adversary with sophisticated levels of expertise and significant resources that can generate opportunities to achieve its objectives through the use of multiple attack vectors (e.g., cyber, physical, and deception). These objectives are typically to establish and extend control of territory within the information technology infrastructure of organizations for the purpose of continuously exfiltrating information and/or undermining or impeding critical aspects of an organization, program, or mission, or to position itself to do so in the future.

APT, in contrast to "hit-and-run" attacks, is a "low-and-slow" and premeditated attack to collect important information from the target systems or organizations over a long period without being noticed.

APT attacks need a greater degree of customization and complexity than conventional attacks.

Numerous organizations, both big and small, in the public and commercial sectors, launch advanced persistent threat attacks. Typically, APTs are well-funded, seasoned cybercriminal teams that target high-value enterprises. They have invested substantial time and money in investigating and identifying organizational weaknesses. Many individuals assume that governments and nation-states have used APT attacks to sabotage certain military or intelligence missions. Attacks such as Titan Rain, Ghostnet, and Stuxnet are examples. Additionally, smaller organizations use less sophisticated methods, such as social engineering, to get access and steal intellectual property.

Although APTs may use standard hacker tools, they often deploy sophisticated, specialized software that is less likely to be detected by security protection systems. APTs and delivery tactics include zero-day attacks, phishing, sophisticated malware, and several Web breaches.

The objective of an APT attack is to enter a particular organization and steal data rather than cause a network outage, denial of service, or malware infection while evading current security measures and remaining undetected. The objectives of APTs fall into four categories:

  • eCrime for financial benefit
  • Cyberespionage involves the theft of intellectual property or government information
  • Destruction
  • Hacktivism

What are the Targets of the APTs?

Advanced persistent threats are very likely to attack the following businesses with a large amount of personally identifiable information:

  • Financial institutions
  • Telecommunications
  • Energy
  • Transportation
  • Manufacturing
  • Technology
  • Medical care
  • Higher education
  • Agriculture

What are the characteristics of an Advanced Persistent Threat (APT)?

Advanced persistent threats are difficult to detect since one of the goals of cybercriminals is to stay on a system for an extended length of time in order to do the work of data exfiltration until their purpose is achieved. As the attacking tactics used by APT attackers are very sophisticated and distinct from those employed by other kinds of cyber attacks, they are distinguished by distinct indicators of compromise (IoC). The following are indications of an advanced persistent threat attack:

  • Unexpected data packages: APTs often combine stolen data at internal collection sites before transferring it outside. Look for huge (gigabytes, not megabytes) data pieces in locations where they should not be, particularly if they are packed in archive formats not often utilized by your organization.
  • Concentrated spear phishing attacks: Spear phishing email campaigns targeting a company's workers using document files (e.g., Adobe Acrobat PDFs, Microsoft Office Word, or Microsoft Office PowerPoint PPTs) containing executable malware or malicious URL links would be one of the most significant signs. This is the root cause of the overwhelming majority of APT attacks. The most significant indicator is that the attacker's phishing email is not sent to everyone in the company, but rather to a more selective target of high-value individuals (e.g., CEO, CFO, CISO, or technology leaders), often using information that could only have been obtained by intruders who had already compromised other team members. The emails may be fictitious, yet they include terms referencing active corporate initiatives and topics. Instead of a generic "Hey, read this!" subject line, these phishing emails include information pertinent to your present project and are sent by another team member. If you've ever received one of these very detailed, targeted phishing emails, you're likely to feel uneasy since you'll wonder if you might have prevented it. Typically, they are that excellent.
  • Unanticipated data flows: Examine internal origination sites for massive, unexpected data flows to other internal or external computers. It might be network to network, server to server, or server to client. To identify a probable APT, you must understand your data flows before the breach of your environment.
  • An increase in the number of late-night logins: APTs quickly go from compromising a single computer to seizing control of many machines or the whole network in a matter of hours. This is accomplished by accessing an authentication database, stealing credentials, and then reusing them. They determine which user accounts have elevated access and permissions, then compromise environment assets using those accounts. Because the attackers reside on the other side of the globe, a disproportionate number of logins occur at night. If you detect a rapid increase in the number of elevated log-ins across numerous servers or high-value individual machines when the genuine workforce is at home, you should be concerned.
  • Widespread Trojan backdoors: APT hackers often install Trojan horses on hacked systems in the exploited environment. They do this to guarantee that they can always regain access, even if the victim changes their captured credentials. Another related characteristic is that once found, APT hackers do not vanish like conventional attackers. They possess computers in your area, and it is unlikely that you will face them in court.

What are Examples of an Advanced Persistent Threat?

Major examples of advanced persistent threats are summarized below:

  • Stuxnet: Stuxnet, developed to attack Iran's nuclear program, is one of the earliest and most historically notable instances of an APT. Despite being found in 2010, it is believed that its development began around 2005. Stuxnet was a 500-kilobyte computer worm that infected the software of over 14 industrial locations in Iran at the time of its discovery. It targeted computers running Microsoft Windows and propagated on their own. Iran lost about one-fifth of its nuclear centrifuges.

  • APT10: APT10, a campaign that may have begun as early as 2009 APT10, which may be one of the longest-lasting sustained cybersecurity threats in history, recently attacked companies through managed service providers in multiple industries and many countries, as well as some Japanese companies, causing an unknown amount of damage through the theft of large volumes of data. PwC UK and BAE Systems uncovered these attacks, which have been operational since late 2016.

  • GhostNet: This China-based APT used spear phishing emails carrying malware to execute attacks. Focusing on acquiring access to the networks of government ministries and embassies, the gang hacked computers in over 100 nations. Intruders infiltrated computers inside these companies, activated their cameras and microphones, and transformed them into surveillance devices.

  • Sykipot APT: The Sykipot APT takes advantage of weaknesses in Adobe Reader and Acrobat. It was initially spotted in 2006, and more attacks utilizing the Sykipot APT virus occurred in 2013. Threat actors employed the Sykipot malware family as part of a long-running campaign of attacks that predominantly targeted U.S. and U.K. companies, including government agencies, military services, and telecom enterprises. The attackers utilized a spear-phishing attempt that contained links and infected attachments containing zero-day vulnerabilities in targeted emails.

What is an Advanced Persistent Threat Group?

APT groups are generally threat actors that get instruction and backing from nation-states for conventional objectives that include data theft, intelligence gathering, disruption, and destruction. APT attacks target governments that handle sensitive information, such as military activities, security files, and sophisticated military technology papers. These organizations vary from other cybercriminals in that they have a tendency to adapt to protections and may remain in a system for months or years.

Mandiant's 2013 "APT1" report resembled the commencement of a hunting season for APT groups. Companies such as MITRE, CrowdStrike, Kaspersky, FireEye, and TrendMicro, have begun sharing information regarding known APT groups. However, each organization has various naming conventions and nomenclature for APTs. For example, MITRE and FireEye designate APTs numerically, but Crowdstrike assigns animal names (such as "Bear" for Russia, "Panda" for China, "Kitten" for Iran, etc.) to APT groups based on their place of origin. These organizations have uncovered over 150 APT groups worldwide. Some APT groups are listed below.

Russia-based APT groups are as follows:

  • Cozy Bear (APT29): It is a Russian adversary that is believed to be working for the Foreign Intelligence Service of the Russian Federation. As part of an attempt to attack political, scientific, and national security groups across several industries, this adversary has been identified as using large-scale spear phishing operations to distribute a vast array of malware variants.
  • FANCY BEAR (APT28): It is an adversary headquartered in Russia, that employs phishing messages and websites that closely mimic legal ones to obtain access to traditional PCs and mobile devices.
  • Voodoo Bear
  • Venomous Bear

China-based APT groups are as follows:

  • Wicked Panda (APT41): From the mid-2010s through the 2020s, Wicked Panda (APT41) was one of the most prolific and effective China-based adversaries. It is estimated that Wicked Panda comprises a superset of entities comprised of many contractors working in the interests of the Chinese government while also engaging in illegal, for-profit operations, perhaps with the tacit consent of CCP authorities.
  • GOBLIN PANDA (APT27): It was identified for the first time in September 2013. This attacker from China utilizes two Microsoft Word exploit documents with training-related topics to drop malicious files when they are opened.
  • PLA Unit 61398 (also known as APT1)
  • PLA Unit 61486 (also known as APT2)
  • Buckeye (also known as APT3)
  • Red Apollo (also known as APT10)
  • Codoso Team (also known as APT19)
  • Wocao (also known as APT20)
  • PLA Unit 78020 (also known as APT30 and Naikon)
  • Periscope Group (also known as APT40)

North Korea-based APT groups are as follows:

  • Ricochet Chollima (also known as APT37)
  • Lazarus Group (also known as APT38)

Iran-based APT groups are as follows:

  • HELIX KITTEN (APT34): It has presumably operated from Iran since at least late 2015. It targets firms in the aerospace, energy, banking, government, hotel, and telecommunications industries and employs highly relevant spear-phishing messages that have been well studied and prepared.
  • Elfin Team (also known as APT33)
  • Charming Kitten (also known as APT35)
  • APT39

Uzbekistan-based APT groups are as follows:

  • SandCat

Vietnam-based APT groups are as follows:

  • Ocean Buffalo (APT32): It is a targeted intrusion adversary headquartered in Vietnam that has supposedly been active since at least 2012. This adversary is known to deploy a broad variety of Tactics, Techniques, and Procedures (TTPs), including the use of both bespoke and off-the-shelf tools and the dissemination of malware via Strategic Web Compromise (SWC) operations and spear phishing emails carrying malicious attachments.

United States-based APT groups are as follows:

  • Equation Group

What are the Goals of the APT Groups?

The objectives of APT groups are grouped into the following categories:

  • Theft of intellectual property: The major purpose of many APT attacks is the theft of intellectual property to further the economic or military objectives of the host country. Theft of proprietary technology may save billions of dollars in research and development expenditures, providing the guilty nation a competitive edge in the marketplace or aiding in the closing of a military readiness gap. By stealing the sensitive information of another nation or company, the APT group may provide their government an advantage in negotiations or merger and acquisition discussions.
  • Disruption and destruction: APT organizations may also engage in destructive activities, such as destroying communication networks, industrial control systems, and public utilities. Also included are economically driven attacks. Some nation states believe that just exhibiting their ability to inflict devastation on another country will be sufficient to discourage an opponent or competitor from acting.
  • Geopolitical interests: Governments with issues affecting adjacent nations often use APT organizations to monitor and/or infiltrate neighboring states in order to gather information on economic or military actions, intentions, or tactics.
  • Misinformation campaigns: As proven by recent meddling in free elections throughout the globe, APT organizations are increasingly using cyber operations to spread disinformation in order to affect the voting public in targeted countries. This is often done to persuade people to choose a candidate who is less antagonistic and more philosophically aligned with the cause of the host country.

How Does an Advanced Persistent Threat Work?

Advanced persistent threat actors often use a methodical approach to get access to a company's network. Most APTs follow the same basic life cycle of penetrating a network, extending access, and completing the attack's objective, which is often the theft of data through network extraction. The stages of a successful APT attack are as follows:

  1. Get Initial Access: APT organizations often launch attacks by exploiting vulnerabilities on all three attack surfaces of an organization: network equipment, online assets, and privileged users. For early penetration, they may use different social engineering techniques, such as spear phishing emails. Intruders may also use DDoS attacks to increase network traffic and distract security professionals. The target has been compromised, but has not yet been "broken into".
  1. Establish a Foothold: After gaining initial access to the target network, attackers install a backdoor shell, a remote access trojan (RAT), or other malware on the compromised machine to acquire remote network access. In addition, some APTs use code authoring and obfuscation to cover their traces. Establishing an outbound connection with command-and-control (C&C) servers is essential for attackers to control infected computers at this point.
  1. Perform Lateral Movement: Attackers increase their presence by attacking more vulnerabilities inside the network in order to get a deeper level of control. In order to increase their privileges, they also utilize keyloggers and brute-force attacks to gather important password information. Creating additional backdoors or a botnet enables attackers to engage in lateral movement and design an optimal attack approach.
  1. Stage the Attack: In this phase, attackers begin to identify, examine, and study data and assets, including crucial credentials, sensitive data, personally identifiable information, communication routes, and more. Stealing or destroying crucial information may cause devastation for any firm. Such information is encrypted, compressed, and sent to a safe place for subsequent exfiltration. The process might be lengthy as attackers seek to compromise increasingly critical systems beyond their attack zone.
  1. Exfiltrate and Perform Follow-up Attacks: Finally, APT attackers exfiltrate critical data beyond the organization's security perimeters without being detected, compromising the network. During exfiltration, techniques like denial-of-service (DoS) are used to distract the security team's attention. If the exfiltration event is not noticed, attackers may choose to remain within the network. They watch for possibilities to conduct additional attacks or construct difficult-to-detect backdoors to regain access to the organization's network in the future.

Life Cycle Stages of an Advanced Persistent Threat(APT)

Figure 1. Life Cycle/Stages of an Advanced Persistent Threat(APT)

Which Attack Vectors Does APT Use?

Advanced persistent threat attacks commonly use the following attack vectors:

  • Exploit Kits: An exploit is a shellcode that examines the target system for vulnerabilities and, if identified, installs malware to execute illegal actions. In contrast, exploit kits are complete collections of many exploits. Exploit kit deployment by APT attackers often occurs through malicious websites and emails. When consumers click links on hacked websites or emails, they are sent to landing pages under the control of the attacker that scans the devices for vulnerabilities in order to conduct an attack or install a malicious payload.
  • Rootkits: Malicious software that offers remote control of a target machine through command-and-control servers while concealing its existence. Once inside attacked computers, rootkits establish backdoors for APT groups to get unauthorized access to the organization's network. Rootkit installs depend on standard malware attack routes, such as phishing email campaigns.
  • Social Engineering: Social engineering is one of the oldest and most effective techniques used by APT attackers to get initial network access by influencing unwary users or workers. Popular social engineering attack strategies include:
    • Phishing: Phishing is the practice of sending well-crafted, authentic-looking emails or text messages to induce targets with a feeling of urgency, anxiety, or curiosity, and compel them to divulge critical information. To attack the target computers, APT organizations often transmit harmful payloads or ransomware with phishing emails.
    • Spear Phishing: Spear phishing is the practice of targeting specific persons or corporations in a phishing attack. As the number of the target group is restricted in APT attacks, the possibility of undetected exploitation increases. Messages carefully designed according to the traits and occupations of the targeted persons make the attack less suspicious. It enables threat actors to quickly grab the credentials of privileged users through keylogger when they click on questionable emails or text messages.
  • Other Approaches: There are several techniques for launching an advanced persistent threat (APT) attack, including DNS tunneling, rogue Wi-Fi, and drive-by downloads. The selection of APT attack vectors is primarily determined by the intent and attack tactics of threat actors.

How to Defend Against APT?

There are several cybersecurity and cyber threat intelligence solutions available to help firms better defend against APT attacks. Here are a few of the most effective strategies you protect your organization against an advanced persistent threat attack:

  • Threat Intelligence: Threat intelligence aids in the profiling of threat actors, the monitoring of campaigns, and the tracking of malware families. Today, it is more critical to comprehend the context of an attack than to just know that an attack occurred, and threat intelligence plays a crucial role in this regard. Several security firms provide threat intelligence services in which raw data about new risks is collected from several sources, processed, and filtered to provide actionable information. This information often takes the form of data feeds for security control systems and management reports designed to enable IT managers and C-level executives to comprehend the dangerous picture for their business. The key to threat intelligence is the linkage of global information with threats to an organization's network, which enables security employees to rapidly detect and respond to high-risk attacks in real-time. APTs may propagate via a variety of techniques and may target weaknesses not yet identified by security firms. Thus, it is crucial to spot early signs of an APT. Frequently, threat intelligence provides the missing connection between, for example, abnormalities in network log data and zero-day vulnerabilities. Connecting the connections is what matters, regardless of the outcome.
  • Threat Hunting: Many firms need managed, 24/7, human-based threat hunting to complement their existing cybersecurity technologies.
  • Technical Intelligence: Utilize technical intelligence, such as indications of compromise (IOCs), to augment data inside security information and event management (SIEM). This provides more intelligence when correlating information, perhaps revealing network occurrences that might have otherwise gone undiscovered.
  • Service Provider: Partnering with a top-tier cybersecurity company is essential. Organizations may need support in reacting to a sophisticated cyber attack if the unimaginable occurs.
  • Security Awareness Training: For good reason, almost every discussion of IT security highlights the need for security awareness training. Educating workers about the risks of clicking on suspicious links in emails and detecting social engineering tactics and enlisting them as allies in the battle against security threats, helps secure networks and the data they contain.
  • Email Screening: The majority of APT attempts use phishing for first access. Email filtering and the banning of harmful links and attachments inside emails might thwart these intrusion attempts.
  • Endpoint Protection: All APT attacks include endpoint device takeovers. Advanced anti-malware protection and Endpoint Detection and Response may assist in identifying and responding to APT actor compromises of endpoints.
  • Access Control: Including robust authentication mechanisms and tight monitoring of user accounts, with a particular emphasis on privileged accounts may lower the danger of APT.
  • Traffic Monitoring: Monitoring, examining, analyzing, and monitoring all internal and external traffic for any anomalies that may signal malicious behavior as a result of an existing vulnerability is essential for preventing advanced persistent attacks. Close monitoring of security measures enables the identification of early warning indications of an APT, which often manifest as abnormalities in log files and data traffic, as well as other out-of-character actions. It is crucial to monitor all incoming and outgoing network traffic, internal network traffic, and all network-accessible devices. Continuous monitoring not only enables you to notice suspicious behavior as soon as possible but also decreases the likelihood of privilege escalation and long-term intrusions. Moreover, the output of monitoring may serve as forensic proof if an attack reaches that stage. Security tools and approaches that provide multi-layer protection and network traffic monitoring are as follows:
  • Web Application Firewall: Web Application Firewall (WAF) is a security device meant to safeguard companies at the application level by filtering, and monitoring, and analyzing HTTP and HTTPS traffic between a web application and the internet.
  • Anti-malware Software: Anti-malware software serves as the first line of protection. Installing and keeping up-to-date anti-malware software may aid in detecting and preventing the functioning of the majority of prevalent malware before any APT attackers can infect the system.
  • Firewall: The first line of security against APT attacks is the firewall. Firewall-based protection requires implementing the necessary firewall settings and changes for first-layer security. It is essential to use software, hardware, and cloud-based firewalls to provide optimal security.
  • Intrusion Detection and Prevention Systems (IDS/IPS): IDS systems monitor your network for any unexpected or suspicious activity and inform you before hacks recognized in the industry do actual harm.
  • Network Monitoring Tool: The purpose of network monitoring software is to manage and monitor network traffic. Some software automates network monitoring to improve network security.
  • Defense-in-depth Implementation: Experts stress the need for layered security as part of a normal network security plan, and defense-in-depth is one of the most effective methods for preventing an APT from infiltrating a network. Controlling network entry and exit points, deploying next-generation firewalls, deploying intrusion detection/prevention systems and security information and event management (SIEM) systems, implementing a vulnerability management system, utilizing strong authentication and identity management, keeping security patches up to date, and implementing endpoint security are all required. The objective is to make the initial penetration of the network difficult. Still, if one layer of protection is breached, each successive layer of protection must offer a considerable additional barrier, either preventing the attack from spreading or slowing it down until it can be noticed and dealt with. Because attackers are always updating their tools and searching for new weaknesses - chinks in the armor�your tools must also be updated.
  • Incident Response Plan: Even with the finest efforts and most expensive systems in place, an organization's security will be compromised at some point: the question is not "if" but "when." Implementing a robust incident response plan may halt an attack, limit damage, and prevent additional data breach, therefore mitigating reputation or brand harm. In addition to specifying which job roles are accountable for which activities from detection through resolution, your incident response plan should contain processes for the preservation of forensic evidence of the breach. Your organization may require this evidence to prosecute a perpetrator if he or she is arrested.
  • Penetration Testing: Penetration testing may assist in identifying a company's security flaws. Internal red and blue teams (attackers and defenders) or an external team offering penetration testing services may do the testing. This testing exercise may be used to strengthen a company's cyber defenses and keep IT security professionals vigilant. Thus, building a threat-hunting team and a continuous testing platform for current and future vulnerabilities might play an important role in APT detection.
  • Sandboxing: Sandboxing employs a threat detection technique to execute questionable items found on the network or a host computer, maybe from untrusted third parties, suppliers, users, or websites, without endangering the host machine or operating system. By analyzing the execution characteristics of questionable objects, the sandbox is able to discover malware that is difficult to detect using static analysis alone.
  • Patch Management: APT attackers utilize existing and well-known vulnerabilities to deceive you into believing that the assault is purely opportunistic. Consequently, deploying a patch management system and keeping all network software, operating system, and application vulnerabilities patched may assist an organization in protecting its network or systems, not just against APT attacks but also against any cyber-attacks that may arise in the current threat environment.