November 14, 2022

What is an advanced persistent threat (APT)?

By Katie Yahnke

With contributions from Andrew Hunter.

Advanced persistent threats have long been overlooked as serious cyber threats because many believe that only government agencies, massive corporations, or critical infrastructure providers get targeted. In fact, most companies are at risk of APT attacks and should know what APTs are, how they work, and how to mitigate damage if they are targeted.

This blog will answer all your questions about APTs, including:

  • What is an APT?
  • Who do APTs target?
  • How do APTs operate?
...and much more.

What is an APT in cyber security?

In cyber security, advanced persistent threat (APT) refers to a sophisticated threat actor with significant resources and the expertise needed to stage long-term attack campaigns, often using multiple attack vectors to gain access and remain undetected.

APTs often:

  • Pursue specific goals and take time to carefully target victims, in contrast to the opportunistic approach taken by most other attackers.
  • Are highly skilled, well-funded, and extremely coordinated—often researching new techniques and developing their own tools and tradecraft to further their attacks.

The term APT may also refer to the toolset that this threat actor uses to be successful.

What’s the difference between an APT and malware?

An APT is a sophisticated threat actor that uses a variety of techniques to attack its targets, including social engineering and ransomware. Due to their extensive resources, APTs use malware that is typically more advanced and harder to detect.

What is the main goal of APTs?

Launching and sustaining an APT requires extensive funding and resources. As such, many APTs are state-sponsored or nation-state threat actor groups, supported directly or indirectly by governments.

This means that APTs typically have political or economic goals. The majority of APTs collect sensitive information or state secrets, but may also sabotage critical infrastructure. The National Institute of Standards and Technology (NIST) explains that APTs seek to achieve either (or both) of these two goals:

  1. To establish and extend its presence within the information technology infrastructure of organizations for purposes of continually exfiltrating information.
  2. To undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future.

However, that doesn’t mean APTs exclusively target the public sector.

Who do APTs target?

No business is too small to fly under an APT’s radar. If an APT determines you hold the information they want, you may be targeted. It’s important to consider the various adversaries interested in your data.

APTs are known to attack smaller companies in order to infiltrate the supply chain of their ultimate target—they know that smaller companies are often more vulnerable to attack.

MITRE keeps a list of suspected threat actor groups. Researchers estimate there are over 100 APTs located in various areas including China, Russia, Vietnam, Iran, North Korea, and South America. According to that same MITRE list, APTs have targeted:

  • Government bodies
  • Financial corporations, such as banks, cryptocurrency exchanges, ATMs, and even casinos
  • Energy providers and infrastructure
  • Manufacturing plants
  • Media outlets and journalists
  • High-tech and information technology companies
  • Law firms
  • Non-government organizations and human rights groups
  • Healthcare services and providers
  • Research institutes and think tanks

This range of victims demonstrates that APTs will attack any business that advances their goals—no industry or vertical is immune.

Consider the 2021 SolarWinds supply chain compromises. Victims of the attack, which was attributed to APT 29, included government, technology, telecommunications, consulting, and other organizations located across multiple continents.

The stages of an APT attack

Most APT attacks—and cyber attacks in general—follow a similar pattern. After identifying their goal and possible target, the attacker begins collecting information.

1. Conduct reconnaissance

Before launching an attack, APTs observe their target and conduct reconnaissance to gather information about the chosen individual or organization. The attacker(s) analyze daily operations, security gaps, and more.

APTs will collect open source intelligence (OSINT), which is any free, publicly available information (often found on the internet—especially social media). There are various no-cost OSINT tools that make it easy for attackers to acquire information about the target organization, its technology, and its employees.

2. Gain initial access

Next, the APT begins infiltration. They may use phishing and spear phishing campaigns, network intrusions, strategic web compromises, and more to gain initial access. Due to their sophistication, APTs often use multiple attack vectors or entry points to successfully infiltrate the victim’s network.

As an example, PwC reported that one APT group with a long-proven history of using social engineering tactics to gain access went so far as to create a falsified recruitment brochure in 2021, using the branding of a legitimate IT services provider to lure individuals with specific roles.

3. Maintain access

Once initial access is gained, the APT will work to create multiple entries into the network. They do this by:

  • Collecting additional credentials for external access
  • Moving laterally to other hosts on the network
  • Developing persistence techniques to survive system reboots

4. Action on objective

Depending on the APT’s goal, they will collect information, exfiltrate data, or shut down critical systems.

Throughout the attack, the APT strives to remove traces of compromise or evidence of their existence. They may continue to hide within the victim’s network seeking further attack opportunities—which is part of what sets an APT apart from most other threat actors. APTs have extensive resources and capabilities to pursue their goals repeatedly and over time.

How are APTs detected?

Cyber security experts identify APTs by looking at patterns. Two cyber attacks that use the same tactics, techniques, and procedures (TTPs), use the same infrastructure, and target the same types of victims may indicate that one group executed both.
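The pattern comparison described above can be sketched as an overlap score across TTPs, infrastructure, and victim type. This is an added example, not code from the original article or from any vendor tool; the incident records, the weights, and the 0.5 threshold are constructed assumptions, and a high score only suggests a link for an analyst to examine.

```python
from itertools import combinations

# Constructed sample incidents (not real cases). Technique IDs are MITRE
# ATT&CK identifiers; hosts use reserved documentation domains and IP ranges.
INCIDENTS = {
    "IR-001": {
        "ttps": {"T1566.001", "T1053.005", "T1021.001", "T1041"},
        "infra": {"cdn-update.example", "198.51.100.7"},
        "sector": "energy",
    },
    "IR-002": {
        "ttps": {"T1566.001", "T1053.005", "T1021.001", "T1078"},
        "infra": {"cdn-update.example", "203.0.113.20"},
        "sector": "energy",
    },
    "IR-003": {
        "ttps": {"T1190", "T1486"},
        "infra": {"192.0.2.55"},
        "sector": "retail",
    },
}

# Illustrative weights (an assumption of this example, not an industry standard).
WEIGHTS = {"ttps": 0.4, "infra": 0.4, "sector": 0.2}


def jaccard(a, b):
    """Share of items two sets have in common; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similarity(x, y):
    """Weighted overlap of two incidents across the three pattern types."""
    score = WEIGHTS["ttps"] * jaccard(x["ttps"], y["ttps"])
    score += WEIGHTS["infra"] * jaccard(x["infra"], y["infra"])
    score += WEIGHTS["sector"] * (1.0 if x["sector"] == y["sector"] else 0.0)
    return round(score, 3)


def linked_pairs(incidents, threshold=0.5):
    """Return (id_a, id_b, score) for every pair at or above the threshold."""
    pairs = []
    for a, b in combinations(sorted(incidents), 2):
        score = similarity(incidents[a], incidents[b])
        if score >= threshold:
            pairs.append((a, b, score))
    return pairs


if __name__ == "__main__":
    for a, b, score in linked_pairs(INCIDENTS):
        print(f"{a} and {b} may share an operator (score {score})")
```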

Sometimes, APTs outright claim responsibility for an attack.

What to do if you're targeted by an APT

If you’re targeted by an APT, you should immediately seek help from a qualified incident response team. They will have the skills and knowledge needed to investigate and remediate the attack. APTs are highly sophisticated, and very few organizations have the in-house personnel or expertise needed to neutralize this type of threat.

However, the superior option is prevention. Even though APTs prioritize stealth, they must interact with the system and network throughout their attack. Each activity poses a risk to the attacker and an opportunity for detection. You can increase the likelihood of detection by maximizing your visibility with a holistic cyber security solution.

Covalence is a holistic cyber security solution that looks for suspicious activity, potential vulnerabilities, and potential threats across your entire business, and acts quickly to improve your defence and lower your risk of all types of attacks—even from APTs.

Investing in a solution just as sophisticated as an APT can help you identify attacks in the first stages and avoid the potential damage they may cause.