Blog Post
December 13, 2023 | Cybersecurity education
What is an advanced persistent threat (APT)?
By Katie Yahnke
With contributions from Andrew Hunter.
Advanced persistent threats (APTs) have long been overlooked as serious cyber threats for the average business owner because many believe bad actors only target government agencies, massive corporations, or critical infrastructure providers.
Just like other threat actors and cybercrime groups, APTs are increasingly targeting small- and medium-sized businesses (SMBs), especially those that fit into a larger target's supply chain. These companies typically have fewer cybersecurity controls, making them easier access points than the end targets. This rising threat led to security departments across five countries issuing a 2022 advisory informing companies of security measures to implement.
More recently, in November 2023, the cybersecurity departments from the Republic of Korea and the United Kingdom released a joint advisory warning that APT attacks from Democratic People’s Republic of Korea (DPRK) state-linked threat actors have improved in sophistication and volume.
As a result, APT attacks are a real possibility for all businesses. This blog will answer all your questions about APTs, including:
- What is an APT?
- Who do APTs target?
- How do APTs operate?
...and much more.
What is an APT in cybersecurity?
In cybersecurity, advanced persistent threat (APT) refers to a sophisticated threat actor with significant resources and the expertise needed to stage long-term attack campaigns, often using multiple attack vectors to gain access and remain undetected.
APTs:
- Pursue specific goals and take time to carefully target victims, in contrast to the opportunistic approach taken by most other attackers.
- Are highly skilled, well-funded, and extremely coordinated—often researching new techniques and developing their own tools and tradecraft to further their attacks.
What is the main goal of APTs?
Launching and sustaining an APT requires extensive funding and resources. As such, many APTs are state-sponsored or nation-state threat actor groups, supported directly or indirectly by governments, like Russian APT attacker TA499, which has been targeting Americans and Europeans of influence who have come out against the war in Ukraine.
This state involvement means that APTs typically have political or economic goals. The majority of APTs collect sensitive information or state secrets but may also attempt to sabotage critical infrastructure.
The National Institute of Standards and Technology (NIST) explains that APTs seek to achieve either (or both) of these two goals:
- To establish and extend its presence within the information technology infrastructure of organizations for purposes of continually exfiltrating information.
- To undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future.
However, that doesn’t mean APTs exclusively target the public sector.
Who do APTs target?
APTs are known to attack smaller companies to infiltrate the supply chain of their ultimate target, knowing that smaller companies are often more vulnerable to attack.
A 2023 report says that APT threat actors aligned with Russian, Iranian, and North Korean state interests have increasingly targeted SMBs in the past year, using three tactics:
- Compromising infrastructure with phishing campaigns.
- Engaging in targeted, state-aligned, and financially motivated attacks against smaller businesses' financial services.
- Targeting smaller businesses to conduct supply chain attacks against larger corporations.
The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an advisory warning that APTs have also been increasingly targeting managed service providers (MSPs).
The advisory also recommends that SMBs and MSPs take proactive measures to mitigate cloud-based cyber threats, including:
- Applying CISA's baseline security configuration recommendations for Microsoft services.
- Separating administrator accounts from user accounts.
- Collecting and monitoring access and security logs.
- Reviewing contractual relationships with all cloud service providers, making sure the contracts include appropriate security controls, appropriate monitoring and logging, and notifications for suspicious or confirmed bad activity.
MITRE also keeps a list of suspected threat actor groups. Researchers estimate there are over 140 APTs, located in various regions, which have targeted:
- Government bodies
- Financial corporations, such as banks, cryptocurrency exchanges, ATMs, and even casinos
- Energy providers and infrastructure
- Manufacturing plants
- Media outlets and journalists
- High-tech and information technology companies
- Law firms
- Non-government organizations and human rights groups
- Healthcare services and providers
- Research institutes and think tanks
This range of victims demonstrates that APTs will attack any business that advances its goals—no industry or vertical is immune.
The stages of an APT attack
Most APT attacks—and cyberattacks in general—follow a similar pattern. After identifying their goal and possible target, the attacker begins collecting information.
1. Conduct reconnaissance
Before launching an attack, APTs observe their target and conduct reconnaissance to gather information about the chosen individual or organization. The APT analyzes daily operations, security gaps, and more.
APTs will collect open source intelligence (OSINT), which is any free, publicly available information (often found on the internet—especially social media). Various no-cost OSINT tools make it relatively easy for attackers to acquire information about the target, its technology, and its employees.
2. Gain initial access
Next, the APT begins infiltration. They may use phishing and spear phishing campaigns, network intrusions, strategic web compromises, and more to gain initial access. Due to their sophistication, APTs often use multiple attack vectors or entry points to infiltrate the victim’s network.
As an example, Helix Kitten, a covert group that has targeted the finance, government, energy, chemical manufacturing, and telecommunications industries since 2014, recently used a phishing attack to get into its targets' systems. For this campaign, Helix Kitten emailed enterprises a decoy file that looked like an introduction to a company's global marketing services.
3. Maintain access
Once it gains initial access, the APT will work to create multiple entries into the network. They do this by:
- Collecting additional credentials for external access.
- Moving laterally to other hosts on the network.
- Developing persistence techniques to survive system reboots.
UAE-linked APT group Stealth Falcon used a backdoor called Deadglyph to target a government entity in the Middle East. The group employed a persistence technique that accessed the system through a vulnerability in Windows Management Instrumentation. Deadglyph then set up a server from which to issue commands, communicating with it at random intervals so the behavior would be harder to detect.
4. Act on objective
Depending on the APT’s goal, they may collect information, exfiltrate data, or shut down critical systems.
Throughout the attack, the APT strives to remove traces of compromise or evidence of their existence. They may continue to hide within the victim’s network, seeking further attack opportunities—part of what sets an APT apart from most other threat actors. APTs have extensive resources and capabilities to pursue their goals repeatedly and over time.
This is why Russian threat actor Gamaredon has been able to successfully infiltrate a wide variety of Ukrainian targets since 2013, possibly also infecting targets in other countries.
Symantec researchers noted that Gamaredon's attacks have sometimes gone unnoticed for up to three months. During this time, the threat actors had access to sensitive information, including reports on Ukrainian military service members' deaths, enemy engagements, air strikes, arsenal inventories, and military training.
How are APTs detected?
Cybersecurity experts identify APT attacks by looking at patterns. Two cyberattacks that...
- use the same tactics, techniques, and procedures (TTPs),
- use the same infrastructure, and
- target the same types of victims
may indicate that one group executed both.
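The three-axis comparison described above, written out as a small Python check. This is an added illustration, not Field Effect's tooling: the incident records, technique IDs (MITRE ATT&CK identifiers), indicator values and the scoring thresholds are all constructed assumptions, and a public claim of responsibility is deliberately recorded but never counted as evidence.

```python
"""Toy attribution check: do two incidents share TTPs, infrastructure and a
victim profile? Constructed example; thresholds are assumptions, not doctrine."""
from dataclasses import dataclass


@dataclass
class Incident:
    name: str
    ttps: set[str]            # ATT&CK technique IDs observed during the intrusion
    infrastructure: set[str]  # command-and-control domains / IPs (constructed values)
    victim_sectors: set[str]  # sectors the victim belongs to
    claimed_by: str = ""      # public claim of responsibility; recorded, never scored


def jaccard(a: set[str], b: set[str]) -> float:
    """Overlap ratio |a ∩ b| / |a ∪ b|; two empty sets count as no evidence."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def compare(x: Incident, y: Incident) -> dict:
    """Score two incidents on the three axes and return a same-actor hypothesis."""
    scores = {
        "ttps": jaccard(x.ttps, y.ttps),
        "infrastructure": jaccard(x.infrastructure, y.infrastructure),
        "victims": jaccard(x.victim_sectors, y.victim_sectors),
    }
    shared_infra = x.infrastructure & y.infrastructure
    # Assumed rule: TTP overlap alone is weak (many groups phish), so the
    # hypothesis needs at least one shared indicator and a similar victim profile too.
    same_actor = scores["ttps"] >= 0.5 and bool(shared_infra) and scores["victims"] > 0
    return {**scores, "shared_infrastructure": sorted(shared_infra),
            "possible_same_actor": same_actor}


# Constructed sample incidents (TEST-NET addresses and .example domains).
INCIDENT_A = Incident("A", {"T1566.001", "T1078", "T1546.003", "T1071.001", "T1041"},
                      {"update-cdn.example", "203.0.113.7"}, {"government", "military"})
INCIDENT_B = Incident("B", {"T1566.001", "T1078", "T1546.003", "T1071.001", "T1070.004"},
                      {"203.0.113.7", "mail-relay.example"}, {"government"}, claimed_by="group-x")
INCIDENT_C = Incident("C", {"T1566.001", "T1486"},
                      {"198.51.100.20"}, {"retail"}, claimed_by="group-x")

if __name__ == "__main__":
    print(compare(INCIDENT_A, INCIDENT_B))  # shared indicator + similar TTPs/victims
    print(compare(INCIDENT_B, INCIDENT_C))  # same claim of responsibility, no overlap
```

Incidents B and C carry the same claim of responsibility yet score as unrelated, which is the point made below: a claim is a lead to corroborate, not evidence in itself.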
For example, a recent malware attack on ASEAN governments (Association of Southeast Asian Nations) and military entities was connected to the APT group Dark Pink, as it was almost identical to another attack discovered in January.
Sometimes, APTs outright claim responsibility for an attack. In 2022, Chinese hacker group APT 27 claimed responsibility for hacking 7-Eleven convenience stores in Taiwan, displaying political messages on their TV screens in protest of a certain event.
However, the claims alone aren't sufficient. Cybersecurity experts should be digging deeper for evidence that corroborates a group's claims. Multiple groups sometimes claim credit, like with a recent attack on the MGM casino.
In this case, hacking group Scattered Spider told news outlets it was responsible, while ransomware group Alphv posted on their dark website that they were behind the attack.
Threat actors might make these claims to:
- Build up their credibility
- Attract potential new sponsors
- Hide the real culprit from law enforcement
What to do if you're facing an APT threat
If an APT targets you, you should immediately seek help from a qualified incident response team. These teams have the skills and knowledge to investigate and remediate the attack. APTs are highly sophisticated, and not all organizations have the in-house personnel or expertise needed for a proper defense.
If you notice a security incident, the Field Effect team has years of hands-on experience defending some of the world's largest, most complex networks. We:
- Assess the situation to learn about the threat, response actions taken so far, and any concerns.
- Investigate the source by collecting historical data and determining tactics, techniques, and procedures.
- Help recover business operations, minimize damage today, and lower your risk in the future.
How to reduce your risk of APT attacks
The adage "prevention is better than cure" still holds. Even though APTs prioritize stealth, they still have to interact with the targeted system and network throughout their attack. Each activity poses a risk to the attacker and an opportunity for detection. This means you can increase the likelihood of detection by maximizing visibility with a comprehensive cybersecurity solution.
Covalence is a holistic cybersecurity solution that looks for suspicious activity and potential vulnerabilities and threats across your entire business, acting quickly to improve your defense and lower your risk of attacks—even from APTs.
Investing in a solution that's as sophisticated as an APT can help you identify attacks in the early stages and avoid the potential damage they may cause. Watch this three-minute demo to learn the key features of Covalence and understand how it can help you not only detect and respond to security incidents but also help prevent attacks entirely.