
Blog Post
May 23, 2025 | Cybersecurity education
By Katie Yahnke
With contributions from Andrew Hunter.
Advanced persistent threats (APTs) have long flown under the radar for many business owners, often dismissed as concerns only for government agencies, global enterprises, or critical infrastructure.
But that assumption no longer holds true. APTs, just like other cybercriminal groups, are increasingly targeting small- and medium-sized businesses (SMBs), particularly those embedded within larger organizations’ supply chains.
These businesses typically operate with fewer cybersecurity defenses, making them ideal entry points for attackers seeking access to more prominent targets. In fact, the growing risk prompted cybersecurity authorities across five nations to issue a joint advisory, outlining essential safeguards businesses should implement.
More recently, cybersecurity agencies in the Republic of Korea and the United Kingdom released a separate joint alert. This time, they warned of a surge in advanced persistent threat activity linked to the Democratic People’s Republic of Korea (DPRK). These campaigns have grown in both volume and sophistication—further proving that APTs are not a distant threat reserved for high-profile entities.
Today, every organization—regardless of size or sector—must treat APTs as a real and rising risk. In this blog, we’ll break down what you need to know about APTs, including:
...and more.
In cybersecurity, an advanced persistent threat refers to a highly sophisticated and well-resourced threat actor capable of executing prolonged, targeted attack campaigns.
Unlike opportunistic cybercriminals who cast wide nets for quick wins, APT groups pursue specific objectives—often spending weeks or months carefully planning and executing multi-phase attacks across various entry points.
APTs:
Because sustained APT operations demand considerable resources, many of these groups are state-sponsored or directly tied to nation-states. These adversaries typically serve political or economic agendas. For example, Russian-linked APT group TA499 has targeted influential Americans and Europeans who have publicly opposed the war in Ukraine.
These connections to national interests mean that APTs are often focused on:
The National Institute of Standards and Technology (NIST) explains that APTs seek to achieve either (or both) of these two goals:
But make no mistake—APTs don’t limit their activities to the public sector. Many SMBs, especially those with access to valuable intellectual property or connected to high-value supply chains, are increasingly in the crosshairs.
A 2023 report found that APT groups aligned with Russian, Iranian, and North Korean state interests are increasingly targeting small and mid-sized businesses (SMBs). Their methods vary but commonly include:
The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an advisory highlighting a concerning trend—APT actors are increasingly focusing on managed service providers (MSPs) as part of their broader attack strategies.
To defend against these threats, CISA recommends several proactive measures for both SMBs and MSPs:
According to MITRE, over 140 known or suspected APT groups have been observed targeting:
This range of victims demonstrates that APTs will attack any business that advances its goals—no industry or vertical is immune.
Most cyberattacks follow a familiar playbook—and APTs are no exception. What sets APTs apart is their patience, precision, and persistence. These attackers don’t just strike and leave. They embed themselves deeply to carry out long-term, strategic objectives.
Here’s how a typical APT campaign unfolds:
Advanced persistent threats often begin with intelligence gathering. APT groups study their target closely—analyzing daily operations, identifying security weaknesses, and mapping out potential entry points.
To do this, they rely heavily on open source intelligence (OSINT)—publicly available information often found online, especially across social media platforms. Today’s OSINT tools are widely accessible and cost little to use, making it easy for attackers to build detailed profiles on organizations, their technology stacks, and their employees.
Armed with intelligence, the APT moves to infiltrate the network. They often use a combination of phishing or spear phishing emails, strategic web compromises, and network intrusions to gain initial access. Because of their sophistication, APT actors rarely rely on a single method—multiple entry points and attack vectors are common.
As an example, Helix Kitten, a covert group that has targeted the finance, government, energy, chemical manufacturing, and telecommunications industries since 2014, recently used a phishing attack to get into its targets' systems. For this campaign, Helix Kitten emailed enterprises a decoy file that looked like an introduction to a company's global marketing services.
After breaching a system, the APT works to entrench itself. This involves:
UAE-linked APT group Stealth Falcon used a backdoor called Deadglyph to target a government entity in the Middle East. The group employed a persistence technique that accessed the system through a vulnerability in Windows Management Instrumentation. Deadglyph then set up a server to launch commands from, which it would communicate with at random intervals so the behavior would be harder to detect.
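Randomised check-in intervals of the kind described above defeat naive "same connection every N seconds" rules, but a bounded jitter around a fixed sleep still leaves a statistical fingerprint: the gaps between connections cluster tightly around a mean, while human-driven traffic produces gaps spanning orders of magnitude. The following Python is an added illustration of that detection idea and is not code from the original post, from Field Effect, or from any analysis of Deadglyph; the log format, IP addresses and timings are constructed for the example.

```python
"""Flagging jittered beaconing in an outbound-connection log (constructed example).

For each (source, destination) pair we compute the gaps between consecutive
connections and their coefficient of variation (standard deviation / mean).
A scheduled beacon with +/-20% jitter keeps that ratio small; ordinary
bursty browsing does not.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
import random


def build_sample_log(seed=7):
    """Construct a small outbound-connection log (constructed data, not real traffic).

    One host beacons to an external address every ~300 s with +/-20% random
    jitter; another host shows ordinary bursty browsing to a different address.
    Line format: "<ISO-8601 timestamp> <src_ip> <dst_ip>:<dst_port>"
    """
    rng = random.Random(seed)
    base = datetime(2025, 5, 23, 8, 0, 0, tzinfo=timezone.utc)
    events = []
    t = 0.0
    for _ in range(40):
        t += 300 * rng.uniform(0.8, 1.2)            # jittered beacon sleep
        events.append((t, "10.0.0.5", "203.0.113.10:443"))
    t = 0.0
    for _ in range(40):                             # human-paced browsing
        t += rng.choice([1, 2, 3, 5, 600, 1800, 3600]) * rng.uniform(0.5, 1.5)
        events.append((t, "10.0.0.7", "198.51.100.20:443"))
    events.sort()
    return [f"{(base + timedelta(seconds=s)).isoformat()} {src} {dst}"
            for s, src, dst in events]


def parse_log(lines):
    """Group connection timestamps (epoch seconds) by (src, dst) pair."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts).timestamp())
    return by_pair


def interval_stats(timestamps, min_events=10):
    """Return (count, mean_gap, cv) for a series, or None if too few events."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return len(ts), mu, pstdev(gaps) / mu


def find_beacons(lines, max_cv=0.3, min_events=10):
    """Flag (src, dst) pairs whose connection cadence looks like a jittered beacon.

    max_cv is the tolerated spread of the inter-connection gaps; 0.3 accepts
    roughly +/-50% uniform jitter while still rejecting bursty human traffic.
    """
    flagged = {}
    for pair, stamps in parse_log(lines).items():
        stats = interval_stats(stamps, min_events)
        if stats and stats[2] <= max_cv:
            flagged[pair] = {"count": stats[0],
                             "mean_interval_s": round(stats[1], 1),
                             "cv": round(stats[2], 3)}
    return flagged


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for pair, info in find_beacons(SAMPLE_LOG).items():
        print(pair, info)
```

In practice this runs over flow or proxy logs rather than a constructed list, and the thresholds need tuning per environment: legitimate software updaters and monitoring agents also beacon regularly, so a low coefficient of variation is a lead to triage against the destination's reputation and the process that opened the connection, not a verdict on its own.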
The final phase depends on the APT’s mission. They may exfiltrate sensitive data, disrupt operations, or quietly monitor systems for long-term espionage. What makes an APT particularly dangerous is the ability to operate undetected for extended periods—often months.
Throughout the attack, the APT strives to remove traces of compromise or evidence of their existence. They may continue to hide within the victim’s network, seeking further attack opportunities—part of what sets an APT apart from most other threat actors. APTs have extensive resources and capabilities to pursue their goals repeatedly and over time.
This is why Russian threat actor Gamaredon has been able to successfully infiltrate a wide variety of Ukrainian targets since 2013, possibly also infecting targets in other countries.
Symantec researchers noted that Gamaredon's attacks have gone unnoticed for sometimes up to three months. During this time, the threat actors had access to sensitive information, including reports on Ukrainian military service members' deaths, enemy engagements, air strikes, arsenal inventories, and military training.
Cybersecurity experts identify APT attacks by looking at patterns. It could indicate that one group is responsible if two separate cyberattacks:
For example, a recent malware attack on Association of Southeast Asian Nations (ASEAN) governments and military entities was connected to the APT group Dark Pink, as it was almost identical to another attack discovered in January.
Sometimes, APTs outright claim responsibility for an attack. In 2022, Chinese hacker group APT 27 claimed responsibility for hacking 7-Eleven convenience stores in Taiwan, displaying political messages on their TV screens in protest of a certain event.
However, the claims alone aren't sufficient. Cybersecurity experts should be digging deeper for evidence that corroborates a group's claims. Multiple groups sometimes claim credit, like with a recent attack on the MGM casino.
In this case, hacking group Scattered Spider told news outlets it was responsible, while ransomware group Alphv posted on their dark website that they were behind the attack.
Threat actors might make these claims to:
If an APT targets you, you should immediately seek help from a qualified incident response team. These teams have the skills and knowledge to investigate and remediate the attack. APTs are highly sophisticated, and not all organizations have the in-house personnel or expertise needed for a proper defense.
If you notice a security incident, the Field Effect team has years of hands-on experience defending some of the world's largest, most complex networks. We:
The adage "prevention is better than cure" still holds. Even though APTs prioritize stealth, they still have to interact with the targeted system and network throughout their attack. Each of those interactions is a risk to the attacker and an opportunity for detection. This means you can increase the likelihood of detection by maximizing visibility with a comprehensive cybersecurity solution.
Field Effect MDR is a holistic cybersecurity solution that looks for suspicious activity and potential vulnerabilities and threats across your entire business, acting quickly to improve your defense and lower your risk of attacks—even from APTs.
Investing in a solution that's as sophisticated as an APT can help you identify attacks in the early stages and avoid the potential damage they may cause. Watch this three-minute demo to learn the key features of Field Effect MDR and understand how it can help you not only detect and respond to security incidents but also help prevent attacks entirely.