What is an Advanced Persistent Threat (APT)?

In discussions of cybercrime, especially nation-state cyberattacks, the term advanced persistent threat (APT) is often used. APT activity is growing and becoming a bigger threat to organizations in every sector. There was a 100% rise in significant nation-state incidents between 2017-2021, and APTs are almost inevitably behind those attacks. Here’s the story behind APTs and the threat they represent to organizations around the globe.

What is an APT

An advanced persistent threat (APT) is a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time. This type of attack is primarily associated with nation-state cybercrime and is frequently used as an espionage tool. APT attacks can also be used as weapons of war to hamper enemy operations or sow chaos, as exemplified in the Russia-Ukraine conflict.  

What are the main objectives of APTs?

The goal of an APT is to establish ongoing access to a target’s systems and data to facilitate further cyberattacks and data theft. APTs also strike at linchpins in a country’s military, government, transportation, infrastructure and manufacturing operations to cause their rival harm, hamper military or manufacturing operations and/or spread public uncertainty. APTs are best known as corollaries to nation-state cybercrime.  An estimated 90% of advanced persistent threat groups regularly attack organizations outside of the government or critical infrastructure sectors.

What are APT Groups?

Advanced persistent threat groups (APTs) are typically state-sponsored cybercriminal organizations that identify and exploit vulnerabilities in a country’s digital infrastructure, attacking targets like public utilities, corporations, government agencies and assets in the defense industrial base. 

An estimated 150 APT groups have been identified and tracked by specialists like Mandiant since 2013, but new APT groups form regularly. Russia, China, Iran and North Korea are the four largest sponsors of APT groups. Experts consider Russian nation-state actors to be the most effective APT groups,  jumping from a 21% successful compromise rate in 2020 to a 32% rate in 2021.

Who are the most notable APT groups?

These are a few of the more well-known APT groups:

• Lazarus Group is a North Korean APT group known for the retaliatory attack on Sony in 2014 after the release of a movie that portraying the North Korean leader Kim Jong-un in a derogatory manner. The group has attacks associated with nation-state cybercrime from 2010 through 2021.
• The now-defunct group Shadow Brokers was known for publishing information leaks that included hacking tools associated with The Equation Group another APT group widely suspected to have a connection to the U.S. National Security Agency. Experts believe that those tools were stolen by someone connected to NSA’s Tailored Access Operations unit.
• Fancy Bear is an APT group well known for causing political chaos during Hillary Clinton’s presidential election campaign in 2016. While Russia is yet to claim responsibility for the political chaos, the U.S. Department of Justice linked the group to Russian intelligence in 2018.
• Machete is a South American APT group first noted in 2014. The group has historically focused on a variety of targets across Latin America, but it has recently concentrated its operations against government and military targets in Venezuela.
• Chinese hacking group Hafnium is an active organization that is commonly associated with APT attacks. Microsoft singled out Hafnium as the group responsible for the 2021 Microsoft Exchange Server data breach, declaring that the group is “state-sponsored and operating out of China.”
• The Equation Group is generally suspected to be a cover for the U.S. NSA’s nation-state hacking operations. Identified publicly by Kaspersky Labs in 2015, this group is suspected to be behind the Stuxnet computer worm. It’s considered among the most advanced APT groups in the world.

What are examples of APT attacks?

These well-known APT attacks caused security upheaval.

• Stuxnet: First discovered in 2010, the Stuxnet computer worm targeted the computer hardware of Iran’s nuclear program. It was the first malware that targeted industrial control systems and had several variations in operation until at least 2012.
• Titan Rain: The operation “Titan Rain” was a series of far-ranging attacks on U.S. government and military agencies in 2003 by suspected state-sponsored Chinese hackers. These attacks hit several departments that deal with national security and classified data including the FBI, NASA and the U.S military. [AH6]
• NotPetya: Russian hackers were behind the notorious NotPetya malware that was originally dispatched to knock out government and infrastructure targets in Ukraine in 2017 before spreading widely throughout the world. A U.S. government assessment pegged the total damages brought about by NotPetya to more than $10 billion.

What are the characteristics of APTs?

APT attacks share a few common characteristics. Familiarity with them can help IT professionals spot red flags.

• Advanced persistent threat attacks generally target government and military assets, infrastructure and businesses. An estimated 90% of Advanced Persistent Threat Groups (APTs) regularly attack organizations outside of the government or critical infrastructure sectors.
• Malware including ransomware is the preferred weapon of nation-state threat actors.
• An estimated 60% of nation-state activity is directed at IT companies, commercial facilities, manufacturing facilities and financial services firms. 
• APT attacks can slowly unfold over a long period of time and be very hard to detect.
• Phishing is a common method used to initiate attacks by APT groups.

What is an APT attack?

An APT attack is a multistage cyberattack by a state-sponsored cybercrime group that typically results in damage to a rival nation’s assets. An APT attack can also be an information gathering expedition as part of espionage operations. APT attacks are characterized by being highly sophisticated, difficult to detect and long lasting.

What is the goal of an APT attack?

The goal of an APT attack is to gain access to systems and information that can be exploited for espionage purposes or used to do damage to a rival nation’s infrastructure or economy.  Apt attacks are generally tightly targeted and aimed at government, military, infrastructure or essential industrial targets. A recent study by Trellix and the Center for Strategic and International Studies (CSIS) revealed that nearly nine in 10 (86%) organizations believe they have been targeted by a nation-state threat actor. 

APT Attack Phases

APT attacks can widely vary depending on the goal of the attack and its origin. Some groups favor deploying malware, while other groups may be focused on planting back doors. However, most advanced persistent threat attacks unfold in this pattern:

1. Research: Accumulating important information about the target, looking for vulnerabilities in the target’s network and identifying likely successful social engineering tactics.
2. Entry: The hackers gain access to the target’s environment using a method with a high chance of success, like a phishing message, often deploying customized malware.
3. Mapping: The hackers stay under the radar and map out the network, often using this opportunity to set the stage for future attacks by doing things like opening back doors.
4. Data Capture: One common result of an APT attack is that bad actors are able to gather sensitive data for over months or years. This was the case in the 2020 SolarWinds attack.
5. Ransomware/Malware Deployment: Another common result of an APT intrusion is the deployment of malware like ransomware to force the target to stop operations by encrypting systems and/or data and demanding payment for the decryptor. North Korea made an estimated $1 billion in 2021 from state-sponsored ransomware attacks.

Why are APT attacks so successful?

Advanced persistent threat attacks are frequently successful because they’re hard to detect and the cybercriminals that perpetrate them are highly skilled at using techniques like spear phishing, credential compromise and social engineering. After an attack, APT groups may also leave behind difficult-to-detect back doors in systems that they can exploit later.

What are the best measures to avoid APT attacks?

The best measures to avoid APT attacks include:

• Consistent patching to reduce exploitable vulnerabilities
• Strong email security to stop phishing
• Secure identity management, like using multifactor (MFA) or two-factor authentication (2FA) for all user logins to prevent unauthorized access
• Regular security awareness training for all employees

APT Protection with Graphus

Graphus delivers powerful, automated, AI-based email security that prevents sophisticated phishing threats, like those used by APT groups, from landing. Unlike employees, Graphus doesn’t fall for social engineering tricks. Instead, organizations enjoy three strong shields of defense that hinder suspicious messages without slowing down communications.

IT teams will love the fast API deployment to Microsoft 365 and Google Workspace with no fussy configurations or lengthy downloads. Plus, machine learning enables Graphus to gather its own threat intelligence and minimize false positive alerts, reducing IT teams’ workload.

Book a demo now!