An advanced persistent threat (APT) is an intentional, technologically sophisticated cyber attack that lingers on a high-value organisation’s network undetected for a prolonged period. The main aim of an APT is to silently map the target’s critical network and data flows, with the intent to infiltrate, evade detection, identify the most valuable data resources, and exfiltrate that sensitive information.
Recognising and classifying APTs began with the Stuxnet attack in 2010, which was a sustained attack on Iran’s nuclear centrifuge capabilities. Stuxnet caused the centrifuges to malfunction, indicating a high degree of prior knowledge about the target and a specially designed payload to compromise it. The attack is generally attributed to a joint effort between the US and Israel.
An APT differs from a regular phishing, malware, or virus cyber-attack (although this is how the attack may start) because it is aimed at a particular target and developed with that target’s flaws in mind, rather than as a broad-spectrum data theft effort. These characteristics also make APTs extremely difficult for organisations to detect and respond to. The perpetrators are typically well-funded technology experts working towards a particular outcome. APTs are mainly ascribed to state-sponsored cyber-espionage groups, hacktivists, and organised cybercriminals.
APT attacks usually follow a simple pattern:
- detection evasion
- privilege escalation
- moving across the network
- identifying vulnerabilities in the infrastructure
- identifying the target that contains sensitive data
- deploying a specifically crafted exploit against the vulnerability (such as malware or a zero-day)
- exfiltration of data
- leaving an open backdoor
To respond to this level of sophistication, security teams must have the capability and resources to act quickly and decisively. Continuous security monitoring, threat intelligence, and network detection and response (NDR) tools can help detect tell-tale signs such as suspicious employee account activity, unexpected network traffic activity, and higher-than-normal volumes of data passing through the network.
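As an added illustration of the volume-based signal mentioned above (not part of the original article), the following Python flags hosts whose outbound traffic in an hour far exceeds their own learned baseline. The flow records are constructed sample data, and the hostnames, baseline window and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-host, per-hour outbound byte counts (hypothetical, not real telemetry).
# Record format: (host, hour, bytes_out). Hours 0-5 serve as the learning baseline.
SAMPLE_FLOWS = [
    ("ws-17", 0, 110_000), ("ws-17", 1, 95_000), ("ws-17", 2, 130_000),
    ("ws-17", 3, 105_000), ("ws-17", 4, 120_000), ("ws-17", 5, 100_000),
    ("ws-17", 6, 115_000), ("ws-17", 7, 4_800_000),   # sudden bulk transfer
    ("db-02", 0, 900_000), ("db-02", 1, 950_000), ("db-02", 2, 880_000),
    ("db-02", 3, 920_000), ("db-02", 4, 910_000), ("db-02", 5, 940_000),
    ("db-02", 6, 930_000), ("db-02", 7, 960_000),     # steady server traffic
    ("print-01", 0, 1_000), ("print-01", 1, 1_000), ("print-01", 2, 1_000),
    ("print-01", 3, 1_000), ("print-01", 4, 1_000), ("print-01", 5, 1_000),
    ("print-01", 6, 1_000), ("print-01", 7, 50_000),  # spike, but tiny in absolute terms
]

def per_host_series(flows):
    """Group byte counts by host, keyed by hour."""
    series = defaultdict(dict)
    for host, hour, nbytes in flows:
        series[host][hour] = nbytes
    return series

def flag_volume_anomalies(flows, baseline_hours=6, sigma=3.0, floor_bytes=1_000_000):
    """Return (host, hour, bytes, z) for post-baseline hours whose outbound volume
    exceeds mean + sigma*stdev of that host's own baseline AND an absolute byte floor.
    The floor stops low-variance hosts from alerting on spikes too small to matter."""
    alerts = []
    for host, by_hour in per_host_series(flows).items():
        base = [by_hour[h] for h in sorted(by_hour) if h < baseline_hours]
        if len(base) < 2:
            continue  # not enough history to learn a baseline for this host
        mu, sd = mean(base), pstdev(base)
        for h in sorted(by_hour):
            if h < baseline_hours:
                continue
            v = by_hour[h]
            # A zero-variance baseline makes any increase infinitely anomalous.
            z = (v - mu) / sd if sd > 0 else (float("inf") if v > mu else 0.0)
            if z > sigma and v >= floor_bytes:
                alerts.append((host, h, v, round(z, 1)))
    return alerts

if __name__ == "__main__":
    for alert in flag_volume_anomalies(SAMPLE_FLOWS):
        print("possible exfiltration:", alert)
```

In practice the baseline would be learned over days or weeks of flow records rather than six hours, and the alert would be correlated with account and endpoint activity before being escalated.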
Advanced Persistent Threat (APT) Groups
Several security research centres are engaged in identifying and naming APT groups. Currently, over 150 APT groups have been identified and assigned numbers; for example, the firm Mandiant assigned APT1 to Chinese state hackers. This type of classification means that the usual attack tactics of identified APTs are well-documented, so organisations can deduce the kind of APT from its methods and operations for better attribution and response. There are several lists of known groups, but some are in contention or incomplete.
Other examples of known APTs include:
- APT28 (Fancy Bear) - attributed to Russian-based hackers specialising in spear phishing
- APT29 (Cozy Bear) - attributed to Russian state-sponsored attackers known to target national security organisations
- APT32 (Ocean Buffalo) - attributed to Vietnam-based hackers specialising in custom malware
- APT41 (Wicked Panda) - said to be a Chinese state-sponsored group specialising in cyber espionage activities