14.11.2022

What is an advanced persistent threat (APT)?

by Katie Yahnke

Advanced persistent threats (APTs) have long been overlooked as serious cyber risks because many believe that only government agencies, massive corporations, or critical infrastructure providers get targeted. The truth is APTs are a threat to even small companies, and it’s important to know what an advanced persistent threat is and how to respond if attacked.

This blog will answer all your questions about APTs, including: 

  • What is an APT? 
  • Who do APTs target? 
  • How do APTs operate? 

…and much more. 

What is an APT in cyber security? 

In cyber security, advanced persistent threat (APT) refers to a sophisticated threat actor with significant resources and the expertise needed to stage long-term attack campaigns, often using multiple attack vectors to gain access and remain undetected.  

APTs commonly:  

  • Pursue specific goals and take time to carefully target victims, in contrast to the opportunistic approach taken by most other attackers.  
  • Are highly skilled, well-funded, and extremely coordinated—often researching new techniques and developing their own tools and tradecraft to further their attacks. 

The term APT is also sometimes used to refer to the toolset that this threat actor uses for attacks.

What’s the difference between an APT and malware?

Malware is a tool; an APT is an actor. APT refers to a sophisticated threat actor that uses a variety of techniques against its targets, including social engineering, custom implants, and sometimes ransomware. Because of their extensive resources, APTs tend to use malware that is more advanced and harder to detect than commodity malware, and they often develop or modify it specifically for a campaign.  

What is the main goal of advanced persistent threats? 

Launching and sustaining an APT requires extensive funding and resources. As such, many APTs are state-sponsored or nation-state threat actor groups, supported directly or indirectly by governments. 

This means that APTs typically have political or economic goals. The majority of APTs collect sensitive information or state secrets, but may also sabotage critical infrastructure.

The National Institute of Standards and Technology (NIST) explains that APTs seek to achieve either (or both) of these two goals: 

  1. To access an organization’s IT infrastructure to continually exfiltrate information. 
  2. To undermine or impede critical aspects of a mission, program, or organization. 

However, that doesn’t mean APTs exclusively target the public sector. 

Who do APTs target? 

No business is too small to fly under an APT’s radar. If your company holds the information an APT wants, you could be a target. 

In fact, APTs are known to attack smaller companies to infiltrate the supply chain of their end target. APTs know that smaller companies are often more vulnerable to attack and therefore may be a better initial access point. 

MITRE ATT&CK maintains a list of suspected threat actor groups. Researchers estimate there are over 100 APTs, attributed to actors operating from China, Russia, Vietnam, Iran, North Korea, and South America, among other regions. According to that same MITRE list, APTs have targeted: 

  • Government bodies 
  • Financial institutions, such as banks, cryptocurrency exchanges, ATM networks, and casinos 
  • Energy providers and infrastructure 
  • Manufacturing plants 
  • Media outlets and journalists 
  • High-tech and IT companies 
  • Law firms 
  • Non-government organizations (NGOs)
  • Healthcare services and providers 
  • Research institutes and think tanks 

This range of victims demonstrates that APTs will attack any business whose compromise advances their goals. No industry or vertical is immune.

Consider the SolarWinds supply chain compromise disclosed in December 2020, which was later attributed to APT29. Trojanized updates to the SolarWinds Orion product reached thousands of customers; victims of the follow-on intrusions included government, technology, telecommunications, consulting, and other organizations located across multiple continents. 

Stages of an advanced persistent threat attack 

Most APT attacks—and cyber attacks in general—follow a similar pattern. After identifying their goal and target, the attacker begins collecting information. 

1. Conduct reconnaissance 

Before launching an attack, advanced persistent threats observe their target and conduct reconnaissance to gather information about the individual or organization. The APT analyzes daily operations, security gaps, and more. 

APTs will collect open source intelligence (OSINT), which is any free, publicly available information (often found on the internet—especially social media). There are various no-cost OSINT tools that make it easy for attackers to acquire information about the target organization, its technology, and its employees. 

2. Gain initial access 

Next, the advanced persistent threat begins infiltration. They may use phishing and spear phishing campaigns, network intrusions, strategic web compromises, and more to gain initial access. Due to their sophistication, APTs often use multiple attack vectors or entry points to invade the victim’s network.  

As an example, PwC reported that one APT group with a long-proven history of using social engineering tactics created a falsified recruitment brochure in 2021. They used a legitimate IT services provider’s branding to lure individuals in specific roles.  

3. Maintain access 

After gaining initial access, the APT works to create multiple entry points into the network so that losing one foothold does not end the operation. They do this by: 

  • Collecting additional account credentials
  • Moving laterally to other devices on the network
  • Developing persistence techniques (to survive a reboot, for example)

4. Action on objective 

Depending on the APT’s goal, they will collect information, exfiltrate data, or shut down critical systems. 

Throughout the attack, the APT often removes traces of compromise or evidence of their existence. They may hide within the victim’s network seeking further attack opportunities—which is part of what sets an APT apart from most other threat actors. Their extensive resources and capabilities allow them to continually pursue their goals. 
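The "maintain access" stage described above is where an APT is noisiest: credential reuse across many hosts and newly created persistence are both visible in ordinary logon and configuration telemetry. The following is an added example, not code from the original post or from any vendor product, that runs two simple detections over a constructed, simplified logon feed (the sample lines, the event kinds LOGON and PERSIST, the ten-minute window and the threshold of three destinations are all assumptions chosen for illustration): one flags a single account fanning out from one workstation to several servers within minutes (lateral movement), the other flags a scheduled task or service created on a server shortly after a remote logon to it (persistence).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): timestamp, event, user, source, destination.
# LOGON  = successful network logon to the destination from the source host.
# PERSIST = scheduled task or service created on the destination by that user.
# The jdoe lines model the "maintain access" stage: one workstation account
# reaches four servers in three minutes, then installs persistence on one of them.
SAMPLE_EVENTS = """\
2022-11-14T09:00:05 LOGON   jdoe      WS-17   FILESRV-01
2022-11-14T09:01:10 LOGON   jdoe      WS-17   FILESRV-02
2022-11-14T09:02:40 LOGON   jdoe      WS-17   DC-01
2022-11-14T09:03:15 LOGON   jdoe      WS-17   SQL-03
2022-11-14T09:04:02 PERSIST jdoe      WS-17   SQL-03
2022-11-14T09:30:00 LOGON   backupsvc BKP-01  FILESRV-01
2022-11-14T10:30:00 LOGON   backupsvc BKP-01  FILESRV-02
2022-11-14T11:45:00 LOGON   asmith    WS-22   FILESRV-01
"""

# Assumed tuning values; real thresholds come from a baseline of normal admin behaviour.
WINDOW = timedelta(minutes=10)           # sliding window for counting destinations
FANOUT_THRESHOLD = 3                     # distinct destinations from one (user, source)
PERSIST_GRACE = timedelta(minutes=15)    # persistence this soon after a remote logon is suspicious


def parse_events(text):
    """Parse the whitespace-separated feed into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, src, dst = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user, "src": src, "dst": dst})
    return sorted(events, key=lambda e: e["ts"])


def detect_lateral_fanout(events):
    """Flag (user, source) pairs that reach FANOUT_THRESHOLD distinct hosts inside WINDOW."""
    alerts = []
    by_actor = defaultdict(list)
    for e in events:
        if e["kind"] == "LOGON":
            by_actor[(e["user"], e["src"])].append(e)
    for (user, src), logons in by_actor.items():
        for i, start in enumerate(logons):
            hosts = {start["dst"]}
            for later in logons[i + 1:]:
                if later["ts"] - start["ts"] > WINDOW:
                    break                # logons are sorted, so the window is exhausted
                hosts.add(later["dst"])
            if len(hosts) >= FANOUT_THRESHOLD:
                alerts.append((user, src, tuple(sorted(hosts)), start["ts"]))
                break                    # one alert per actor is enough
    return alerts


def detect_persistence_after_logon(events):
    """Flag PERSIST events on a host within PERSIST_GRACE of a network logon to it by the same user."""
    alerts = []
    recent_logons = []
    for e in events:
        if e["kind"] == "LOGON":
            recent_logons.append(e)
        elif e["kind"] == "PERSIST":
            for logon in recent_logons:
                delta = e["ts"] - logon["ts"]
                if (logon["dst"] == e["dst"] and logon["user"] == e["user"]
                        and timedelta(0) <= delta <= PERSIST_GRACE):
                    alerts.append((e["user"], e["dst"], logon["src"], e["ts"]))
                    break
    return alerts


def run_detections(text=SAMPLE_EVENTS):
    """Run both detections over a feed and return their alerts keyed by detection name."""
    events = parse_events(text)
    return {"lateral_fanout": detect_lateral_fanout(events),
            "persistence_after_logon": detect_persistence_after_logon(events)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

On the sample feed only jdoe trips both detections: the backup account also touches two file servers, but an hour apart, so it never reaches the threshold inside one window. That is the point of windowing: the same "moving laterally" behaviour is distinguished from routine service activity by its tempo, and a group that deliberately slows its movement to blend in is paying with time, which is exactly what a well-resourced APT can afford, so this check is one layer, not the whole defence.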

How are advanced persistent threats detected? 

Cyber security experts identify which APT is behind an attack by looking at patterns. Two intrusions that use the same tactics, techniques, and procedures (TTPs), use the same infrastructure, and target the same types of victims may indicate that one group executed both. Other times, APTs outright claim responsibility for an attack. 
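The pattern matching described above can be made explicit as a similarity score between intrusion summaries. This added example (not part of the original post, and not any vendor's or MITRE's attribution model) compares three constructed cases on the three dimensions named in the text: ATT&CK technique IDs, infrastructure, and victim types. The case data, the choice of weights, and the down-weighting of two "commodity" techniques that nearly every intrusion set uses are all assumptions made for illustration.

```python
from itertools import combinations

# Constructed intrusion summaries for illustration only (not real incidents or
# indicators; the IPs are RFC 5737 documentation addresses, domains use .example).
INTRUSIONS = {
    "case-A": {
        "ttps": {"T1566.001", "T1059.001", "T1053.005", "T1021.002", "T1041"},
        "infra": {"198.51.100.7", "update-cdn.example"},
        "victim_types": {"government", "think tank"},
    },
    "case-B": {
        "ttps": {"T1566.001", "T1059.001", "T1053.005", "T1021.002", "T1071.001"},
        "infra": {"198.51.100.7", "mail-relay.example"},
        "victim_types": {"think tank", "ngo"},
    },
    "case-C": {
        "ttps": {"T1566.001", "T1059.001", "T1486", "T1490"},
        "infra": {"203.0.113.9"},
        "victim_types": {"retail"},
    },
}

# Assumed: spearphishing attachments and PowerShell are used by almost everyone,
# so sharing them says little about who the actor is.
COMMODITY_TTPS = {"T1566.001", "T1059.001"}
COMMODITY_WEIGHT = 0.2
# Assumed relative importance of each dimension in the final score.
WEIGHTS = {"ttps": 0.5, "infra": 0.3, "victim_types": 0.2}


def ttp_weight(technique):
    """Distinctive techniques count fully; commodity ones count a fifth as much."""
    return COMMODITY_WEIGHT if technique in COMMODITY_TTPS else 1.0


def weighted_jaccard(a, b, weight=lambda _item: 1.0):
    """Weighted Jaccard similarity: weight of the intersection over weight of the union."""
    union = a | b
    if not union:
        return 0.0
    return sum(weight(x) for x in a & b) / sum(weight(x) for x in union)


def similarity(x, y):
    """Return the combined score and the per-dimension similarities for two cases."""
    parts = {
        "ttps": weighted_jaccard(x["ttps"], y["ttps"], ttp_weight),
        "infra": weighted_jaccard(x["infra"], y["infra"]),
        "victim_types": weighted_jaccard(x["victim_types"], y["victim_types"]),
    }
    score = sum(WEIGHTS[k] * v for k, v in parts.items())
    return score, parts


def rank_pairs(intrusions=INTRUSIONS):
    """Score every pair of cases and return them most-similar first."""
    ranked = []
    for a, b in combinations(sorted(intrusions), 2):
        score, parts = similarity(intrusions[a], intrusions[b])
        ranked.append((a, b, round(score, 3), parts))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


if __name__ == "__main__":
    for a, b, score, parts in rank_pairs():
        print(f"{a} vs {b}: {score:.3f}  {parts}")
```

Case-A and case-B share the distinctive techniques (scheduled task, SMB admin shares), a command-and-control IP, and a victim type, and score far above either pairing with case-C, which shares only the commodity techniques. Two caveats a practitioner would add: infrastructure overlap is strong evidence only while the infrastructure is not a shared commercial service or a deliberate false flag, and commodity techniques must be down-weighted, as here, or every phishing campaign looks like every other.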

What to do if you’re targeted by an APT 

If you’re targeted by an advanced persistent threat, you should contact a qualified incident response team. They will have the skills and knowledge to investigate and remediate the attack. APTs are highly sophisticated, and few organizations have the in-house expertise needed to neutralize this type of threat.  

However, the better option is prevention.

Even though APTs prioritize stealth, they still interact with the network throughout the attack. Each movement is another opportunity for detection. You can increase the likelihood of detection by maximizing your visibility with a holistic cyber security solution. 

Covalence is a holistic cyber security solution that looks for suspicious activity, potential vulnerabilities, and potential threats across your entire business, and acts quickly to improve your defence and lower your risk of all types of attacks—even from APTs. Investing in a solution just as sophisticated as an APT can help you identify attacks in the first stages and avoid the potential damage they may cause. 
