May 23, 2025

What is an advanced persistent threat (APT)?

By Katie Yahnke

With contributions from Andrew Hunter.

Advanced persistent threats (APTs) have long flown under the radar for many business owners, often dismissed as concerns only for government agencies, global enterprises, or critical infrastructure.

But that assumption no longer holds true. APTs, just like other cybercriminal groups, are increasingly targeting small- and medium-sized businesses (SMBs), particularly those embedded within larger organizations’ supply chains.

These businesses typically operate with fewer cybersecurity defenses, making them ideal entry points for attackers seeking access to more prominent targets. In fact, the growing risk prompted cybersecurity authorities across five nations to issue a joint advisory, outlining essential safeguards businesses should implement.

More recently, cybersecurity agencies in the Republic of Korea and the United Kingdom released a separate joint alert. This time, they warned of a surge in advanced persistent threat activity linked to the Democratic People’s Republic of Korea (DPRK). These campaigns have grown in both volume and sophistication—further proving that APTs are not a distant threat reserved for high-profile entities.

Today, every organization—regardless of size or sector—must treat APTs as a real and rising risk. In this blog, we’ll break down what you need to know about APTs, including:

  • What is an APT?
  • Who do APTs target?
  • How do APTs operate?

...and more.

What is an APT in cybersecurity?

In cybersecurity, an advanced persistent threat refers to a highly sophisticated and well-resourced threat actor capable of executing prolonged, targeted attack campaigns.

Unlike opportunistic cybercriminals who cast wide nets for quick wins, APT groups pursue specific objectives—often spending weeks or months carefully planning and executing multi-phase attacks across various entry points.

APTs:

  • Set strategic, long-term goals and invest significant time in selecting and surveilling their targets.
  • Operate with advanced skills, substantial funding, and tight coordination—often researching novel tactics and engineering custom tools to outmaneuver traditional defenses.

What is the main goal of APTs?

Because sustained APT operations demand considerable resources, many of these groups are state-sponsored or directly tied to nation-states. These adversaries typically serve political or economic agendas. For example, Russian-linked APT group TA499 has targeted influential Americans and Europeans who have publicly opposed the war in Ukraine.

These connections to national interests mean that APTs are often focused on:

  • Stealing sensitive data or classified information
  • Undermining critical infrastructure or operational stability

The National Institute of Standards and Technology (NIST) explains that APTs seek to achieve either (or both) of these two goals:

  1. To establish and extend its presence within the information technology infrastructure of organizations for purposes of continually exfiltrating information.
  2. To undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future.

But make no mistake—APTs don’t limit their activities to the public sector. Many SMBs, especially those with access to valuable intellectual property or connected to high-value supply chains, are increasingly in the crosshairs.

Who do APTs target?

A 2023 report found that APT groups aligned with Russian, Iranian, and North Korean state interests are increasingly targeting SMBs. Their methods vary but commonly include:

  1. Launching phishing campaigns to compromise IT infrastructure
  2. Executing financially motivated attacks, especially in financial services
  3. Using SMBs as stepping stones for supply chain attacks against larger organizations

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an advisory highlighting a concerning trend: APT actors are increasingly focusing on managed service providers (MSPs) as part of their broader attack strategies.

To defend against these threats, CISA recommends several proactive measures for both SMBs and MSPs:

  • Apply CISA's baseline security configuration recommendations for Microsoft services
  • Separate administrator accounts from standard user accounts
  • Collect and actively monitor access and security logs
  • Review all contracts with cloud service providers to ensure they include:
    • Appropriate security controls
    • Monitoring and logging
    • Notifications for suspicious or malicious activity
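Two of CISA's recommendations above, separating administrator accounts from standard user accounts and actively monitoring access logs, reinforce each other: once the accounts are separated, the logs can tell you when the separation is being broken. The following Python script is an added example written for this post, not CISA's or Field Effect's code. It assumes a hypothetical "adm-" prefix for privileged accounts, a hypothetical list of hosts where admin logons are expected, and a constructed access log in a simple whitespace-separated format.

```python
"""Added example (not from the original post): checking admin/standard account
separation from access logs. Account names, hosts and log lines are constructed."""
from dataclasses import dataclass

# Assumption (hypothetical convention): privileged accounts carry an "adm-" prefix.
ADMIN_PREFIX = "adm-"
# Assumption (hypothetical): the only hosts where admin interactive logons are expected.
ADMIN_HOSTS = {"dc01", "jump01"}
# Logon types that expose the credential to whatever runs on the host.
INTERACTIVE_TYPES = {"interactive", "remote_interactive"}


@dataclass(frozen=True)
class LogonEvent:
    ts: str
    user: str
    host: str
    logon_type: str


# Constructed sample access log: "<timestamp> <user> <host> <logon_type>" per line.
SAMPLE_LOG = """\
2025-05-01T08:01:10Z alice ws-042 interactive
2025-05-01T08:03:22Z adm-alice jump01 remote_interactive
2025-05-01T09:14:05Z adm-bob ws-017 interactive
2025-05-01T09:20:51Z adm-bob fs01 network
2025-05-01T10:02:00Z carol ws-101 interactive
2025-05-01T10:05:33Z adm-carol ws-101 interactive
"""


def parse_log(text):
    """Parse the whitespace-separated log format above into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, logon_type = line.split()
        events.append(LogonEvent(ts, user, host, logon_type))
    return events


def find_separation_violations(events):
    """Return admin-account logons that break the separation rule.

    A privileged account logging on interactively to a workstation puts its
    credential on a machine that also runs the user's browser and mail client,
    which is exactly where phishing payloads land."""
    return [
        e for e in events
        if e.user.startswith(ADMIN_PREFIX)
        and e.host not in ADMIN_HOSTS
        and e.logon_type in INTERACTIVE_TYPES
    ]


def report(text):
    """Parse the log and return (violations, number of admin logons seen)."""
    events = parse_log(text)
    admin_total = sum(1 for e in events if e.user.startswith(ADMIN_PREFIX))
    return find_separation_violations(events), admin_total


if __name__ == "__main__":
    violations, total = report(SAMPLE_LOG)
    print(f"{total} admin logons, {len(violations)} separation violations")
    for v in violations:
        print(f"  {v.ts} {v.user} logged on ({v.logon_type}) to {v.host}")
```

In the constructed log, adm-bob's network logon to a file server is allowed (the credential is only used to authenticate, not typed into a workstation session), while adm-bob and adm-carol logging on interactively to workstations are flagged. In a real environment the same check would run against your directory's logon events rather than a text file, but the rule itself is the point: a separate admin account only helps if it never lands on the machines where standard users read mail.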

According to MITRE, over 140 known or suspected APT groups have been observed targeting:

  • Government bodies
  • Financial corporations, such as banks, cryptocurrency exchanges, ATMs, and even casinos
  • Energy providers and critical infrastructure
  • Manufacturing facilities
  • Media organizations and journalists
  • High-tech and information technology companies
  • Law firms
  • Non-government organizations and human rights groups
  • Healthcare services and providers
  • Research institutes and think tanks

This range of victims demonstrates that APTs will attack any business whose compromise advances their goals. No industry or vertical is immune.

The stages of an APT attack

Most cyberattacks follow a familiar playbook—and APTs are no exception. What sets APTs apart is their patience, precision, and persistence. These attackers don’t just strike and leave. They embed themselves deeply to carry out long-term, strategic objectives.

Here’s how a typical APT campaign unfolds:

1. Conduct reconnaissance

Advanced persistent threats often begin with intelligence gathering. APT groups study their target closely—analyzing daily operations, identifying security weaknesses, and mapping out potential entry points.

To do this, they rely heavily on open source intelligence (OSINT)—publicly available information often found online, especially across social media platforms. Today’s OSINT tools are widely accessible and cost little to use, making it easy for attackers to build detailed profiles on organizations, their technology stacks, and their employees.

2. Gain initial access

Armed with intelligence, the APT moves to infiltrate the network. They often use a combination of phishing or spear phishing emails, strategic web compromises, and network intrusions to gain initial access. Because of their sophistication, APT actors rarely rely on a single method—multiple entry points and attack vectors are common.

As an example, Helix Kitten, a covert group that has targeted the finance, government, energy, chemical manufacturing, and telecommunications industries since 2014, recently used a phishing attack to get into its targets' systems. For this campaign, Helix Kitten emailed enterprises a decoy file that looked like an introduction to a company's global marketing services.

3. Maintain access

After breaching a system, the APT works to entrench itself. This involves:

  • Harvesting additional credentials for broader access
  • Moving laterally across the network to reach valuable systems
  • Establishing persistence mechanisms that survive reboots and detection attempts

UAE-linked APT group Stealth Falcon used a backdoor called Deadglyph to target a government entity in the Middle East. The group employed a persistence technique that accessed the system through a vulnerability in Windows Management Instrumentation. Deadglyph then established a server to issue commands from, and communicated with it at random intervals so the behaviour would be harder to detect.
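Randomising the check-in interval ("jitter") does make command-and-control traffic harder to spot with a simple "every N seconds" rule, but it does not make the traffic look like a human. The Python script below is an added example for this post, not code from the original article or from any analysis of Deadglyph. It assumes a constructed outbound connection log in which one host checks in every five minutes with roughly +/-20% jitter, one host browses a news site at irregular times, and one host contacts an update server exactly hourly; it then flags pairs whose connection gaps are numerous and tightly clustered.

```python
"""Added example (not from the original post): finding periodic check-ins to a
command-and-control server in outbound connection logs, including implants that
randomise their sleep interval. Hosts, destinations and timestamps are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound connection records: "<timestamp> <source host> <destination>".
# ws-017 checks in every ~5 minutes with about +/-20% jitter; ws-042 is ordinary
# browsing; ws-003 contacts an update server exactly hourly (too few samples to judge).
SAMPLE_CONNECTIONS = """\
2025-05-01T00:00:00Z ws-017 203.0.113.42
2025-05-01T00:05:00Z ws-017 203.0.113.42
2025-05-01T00:10:40Z ws-017 203.0.113.42
2025-05-01T00:15:10Z ws-017 203.0.113.42
2025-05-01T00:20:20Z ws-017 203.0.113.42
2025-05-01T00:24:35Z ws-017 203.0.113.42
2025-05-01T00:30:05Z ws-017 203.0.113.42
2025-05-01T00:34:55Z ws-017 203.0.113.42
2025-05-01T00:40:15Z ws-017 203.0.113.42
2025-05-01T00:00:00Z ws-042 news.example
2025-05-01T00:00:05Z ws-042 news.example
2025-05-01T00:30:05Z ws-042 news.example
2025-05-01T00:30:17Z ws-042 news.example
2025-05-01T00:31:17Z ws-042 news.example
2025-05-01T01:31:17Z ws-042 news.example
2025-05-01T01:31:24Z ws-042 news.example
2025-05-01T01:46:24Z ws-042 news.example
2025-05-01T01:47:09Z ws-042 news.example
2025-05-01T00:00:00Z ws-003 updates.example
2025-05-01T01:00:00Z ws-003 updates.example
2025-05-01T02:00:00Z ws-003 updates.example
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_connections(text):
    """Group connection timestamps by (source, destination) pair, sorted in time."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.strptime(ts, TS_FORMAT))
    for times in pairs.values():
        times.sort()
    return pairs


def interval_stats(times):
    """Return (connection count, mean gap in seconds, coefficient of variation)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return len(times), None, None
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else None
    return len(times), mean, cv


def find_beacons(text, min_connections=6, max_cv=0.3):
    """Flag (src, dst) pairs with many connections and tightly clustered gaps.

    Jitter widens the gap distribution, but an implant sleeping N seconds +/-20%
    still has a far lower coefficient of variation (spread relative to the mean)
    than human-driven traffic. Returns (src, dst, count, mean_gap_s, cv) tuples."""
    hits = []
    for (src, dst), times in parse_connections(text).items():
        count, mean, cv = interval_stats(times)
        if count >= min_connections and cv is not None and cv <= max_cv:
            hits.append((src, dst, count, round(mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, count, mean, cv in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}: {count} connections, mean gap {mean}s, CV {cv}")
```

On the constructed data, the jittered host scores a coefficient of variation of about 0.09 and is flagged, while the browsing host scores well above 1.0 and is not. The hourly update check is perfectly regular but falls below the minimum sample count, which is deliberate: periodicity alone is not evidence of compromise (updaters and monitoring agents beacon too), so in practice this signal is combined with destination rarity, payload-size uniformity, and the reputation of the endpoint before anyone is paged.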

4. Act on objective

The final phase depends on the APT’s mission. They may exfiltrate sensitive data, disrupt operations, or quietly monitor systems for long-term espionage. What makes an APT particularly dangerous is the ability to operate undetected for extended periods—often months.

Throughout the attack, the APT strives to remove traces of compromise or evidence of their existence. They may continue to hide within the victim’s network, seeking further attack opportunities—part of what sets an APT apart from most other threat actors. APTs have extensive resources and capabilities to pursue their goals repeatedly and over time.

This is why Russian threat actor Gamaredon has been able to successfully infiltrate a wide variety of Ukrainian targets since 2013, possibly also infecting targets in other countries.

Symantec researchers noted that Gamaredon's attacks have sometimes gone unnoticed for up to three months. During this time, the threat actors had access to sensitive information, including reports on Ukrainian military service members' deaths, enemy engagements, air strikes, arsenal inventories, and military training.

How are APTs detected?

Cybersecurity experts identify APT attacks by looking at patterns. Two separate cyberattacks may be the work of one group if they:

  • use the same tactics, techniques, and procedures (TTPs),
  • use the same infrastructure, and
  • target the same types of victims

For example, a recent malware attack on governments and military entities in the Association of Southeast Asian Nations (ASEAN) was connected to the APT group Dark Pink, as it was almost identical to another attack discovered in January.
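The three-axis comparison described above (same TTPs, same infrastructure, same kind of victim) can be made concrete by scoring the overlap between two intrusion records. The Python script below is an added example written for this post; it is not code from the original article, and the intrusion records, domains and IP addresses in it are constructed to resemble the "almost identical" pairing the text describes, with an unrelated record as a control. The technique IDs are real MITRE ATT&CK identifiers; the weights and threshold are assumptions chosen for illustration.

```python
"""Added example (not from the original post): scoring how closely two intrusions
match on TTPs, infrastructure and victim profile. Technique IDs are real MITRE
ATT&CK identifiers; the intrusion records, domains and IPs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Intrusion:
    name: str
    ttps: frozenset            # MITRE ATT&CK technique IDs observed
    infrastructure: frozenset  # C2 domains / IPs observed (constructed placeholders)
    victims: frozenset         # sector and region tags


# Constructed records. JAN_CAMPAIGN and LATER_CAMPAIGN are built to resemble the
# "almost identical" pairing described in the text; UNRELATED is a control.
JAN_CAMPAIGN = Intrusion(
    "jan-campaign",
    frozenset({"T1566.001", "T1059.001", "T1547.001", "T1071.001", "T1027"}),
    frozenset({"c2-alpha.example", "198.51.100.7"}),
    frozenset({"government", "southeast-asia"}),
)
LATER_CAMPAIGN = Intrusion(
    "later-campaign",
    frozenset({"T1566.001", "T1059.001", "T1547.001", "T1071.001", "T1005"}),
    frozenset({"c2-alpha.example", "203.0.113.42"}),
    frozenset({"government", "military", "southeast-asia"}),
)
UNRELATED = Intrusion(
    "unrelated",
    frozenset({"T1078", "T1021.001", "T1003.001", "T1048"}),
    frozenset({"cdn-update.example"}),
    frozenset({"financial", "europe"}),
)


def jaccard(a, b):
    """Overlap of two sets as |intersection| / |union|; 0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def compare(x, y, weights=(0.5, 0.3, 0.2), threshold=0.5):
    """Score two intrusions on the three axes analysts check.

    Weights and threshold are constructed starting points, not a standard.
    TTP overlap is weighted most because it is the richest axis, but shared
    infrastructure is the most specific single signal, so it is also reported
    on its own rather than only folded into the score."""
    axes = {
        "ttps": jaccard(x.ttps, y.ttps),
        "infrastructure": jaccard(x.infrastructure, y.infrastructure),
        "victims": jaccard(x.victims, y.victims),
    }
    w_ttp, w_infra, w_vic = weights
    overall = (w_ttp * axes["ttps"] + w_infra * axes["infrastructure"]
               + w_vic * axes["victims"])
    return {
        "pair": (x.name, y.name),
        "axes": {k: round(v, 3) for k, v in axes.items()},
        "shared_infrastructure": sorted(x.infrastructure & y.infrastructure),
        "shared_ttps": sorted(x.ttps & y.ttps),
        "overall": round(overall, 3),
        "likely_same_actor": overall >= threshold,
    }


if __name__ == "__main__":
    for a, b in ((JAN_CAMPAIGN, LATER_CAMPAIGN), (JAN_CAMPAIGN, UNRELATED)):
        r = compare(a, b)
        print(r["pair"], r["overall"], r["likely_same_actor"], r["shared_infrastructure"])
```

Two caveats belong with any score like this. TTP overlap on its own is weak evidence, because spearphishing attachments, PowerShell and registry run keys are used by almost everyone, so a match that rests only on common techniques should not be called attribution; a shared command server or a rare custom tool carries far more weight. And, as the next paragraphs note, a group's own claim of responsibility is not one of the axes at all: it is a lead to be checked against this kind of evidence, not a substitute for it.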

Sometimes, APTs outright claim responsibility for an attack. In 2022, Chinese hacker group APT 27 claimed responsibility for hacking 7-Eleven convenience stores in Taiwan, displaying political messages on their TV screens in protest of a certain event.

However, a claim alone isn't sufficient. Cybersecurity experts should dig deeper for evidence that corroborates a group's claim, especially since multiple groups sometimes claim credit for the same incident, as happened with a recent attack on the MGM casino.

In that case, hacking group Scattered Spider told news outlets it was responsible, while ransomware group Alphv posted on its dark web site that it was behind the attack.

Threat actors might make these claims to:

  1. Build up their credibility
  2. Attract potential new sponsors
  3. Hide the real culprit from law enforcement

What to do if you're facing an APT threat

If an APT targets you, you should immediately seek help from a qualified incident response team. These teams have the skills and knowledge to investigate and remediate the attack. APTs are highly sophisticated, and not all organizations have the in-house personnel or expertise needed for a proper defense.

If you notice a security incident, the Field Effect team has years of hands-on experience defending some of the world's largest, most complex networks. We:

  • Assess the situation to learn about the threat, response actions taken so far, and any concerns.
  • Investigate the source by collecting historical data and determining tactics, techniques, and procedures.
  • Help recover business operations, minimize damage today, and lower your risk in the future.

How to reduce your risk of APT attacks

The adage "prevention is better than cure" still holds. Even though APTs prioritize stealth, they still have to interact with the targeted system and network throughout their attack. Each activity poses a risk to the attacker and an opportunity for detection. This means you can increase the likelihood of detection by maximizing visibility with a comprehensive cybersecurity solution.

Field Effect MDR is a holistic cybersecurity solution that looks for suspicious activity and potential vulnerabilities and threats across your entire business, acting quickly to improve your defense and lower your risk of attacks—even from APTs.

Investing in a solution that's as sophisticated as an APT can help you identify attacks in the early stages and avoid the potential damage they may cause. Watch this three-minute demo to learn the key features of Field Effect MDR and understand how it can help you not only detect and respond to security incidents but also help prevent attacks entirely.