What is an Advanced Persistent Threat?
The type of malware known as ‘Advanced Persistent Threats,’ or APTs, sounds like something out of a sci-fi action movie – reminiscent of the Terminator T-1000. And, like a futuristic movie villain, APTs are far more capable than your run-of-the-mill malware: they can gain access without detection and then quietly carry out data theft for months or years at a time.
This article will look at what makes an APT advanced and persistent, discuss who is at risk from these elaborate cyberattacks, and consider what steps you should take to keep your system safe from viruses and malware.
An APT is a prolonged and targeted cyberattack in which a threat actor gains access to a network and remains undetected for a significant period.
Unlike more common cyber threats that seek immediate payoff, such as ransomware or denial of service attacks, APTs are characterized by their stealth and duration. Their primary aim is typically not to damage the systems outright but to stealthily gather valuable information over time.
Key Characteristics of APTs
Unlike most viruses and worms, APTs are usually directed at specific organizations, businesses, or nations. This targeting is often based on the value of the information the attackers seek or the strategic advantage they wish to gain.
Persistence is a hallmark of APTs. Once a network is breached, attackers establish a long-term presence, carefully avoiding detection and maintaining access to the network for extended periods of months or even years.
APTs involve complex strategies and advanced techniques. Attackers often use custom-made malware and exploit zero-day vulnerabilities, a type of security hole unknown to software makers and antivirus vendors. It is not unreasonable for APT development to cost millions of dollars, although the cost has come down in recent years.
The attackers behind APTs go to great lengths to ensure their activities are hidden. They use encryption, mimic normal network traffic, and erase evidence of their presence, making detection and removal particularly challenging.
Comparing APT Attacks with Traditional Cyber Threats
Traditional cyber threats, like viruses or standard hacking attempts, are often opportunistic, aiming for quick disruption or immediate financial gain. The individual hackers and small hacking groups which develop them are essentially digital burglars roaming around looking for easy targets.
In contrast, APTs are more likely to be sponsored by nation-states and their behavior looks more like cyber espionage. The attacks are planned long in advance, the objectives are clearly defined, and the teams which develop them usually seem to have significant resources at their disposal.
Stages of an APT Attack
1. Initial Access:
The first stage involves infiltration of the target network. Attackers often use sophisticated social engineering tactics, like spear-phishing emails, or exploit software vulnerabilities to install malware on a victim’s computer. This initial foothold is usually achieved discreetly to avoid detection.
2. Establishment of a Foothold:
Once inside the network, the attackers establish a secure and reliable foothold. This may involve creating backdoors, installing remote administration tools, or using the victim’s credentials to create new user accounts. The goal here is to ensure continued access to the network, even if the initial entry point is discovered and closed.
3. Expansion of Control:
With a foothold established, attackers explore the network to gain deeper access. They map out the network’s structure, identify valuable data, and escalate their privileges to gain broader access. This phase often involves moving laterally through the network to compromise additional systems and accounts.
4. Data Exfiltration:
The primary motive of most APTs is to extract sensitive information. In this stage, attackers collect data such as trade secrets, intellectual property, or other sensitive data. The exfiltration is typically done slowly and cautiously to avoid bandwidth spikes that might trigger alarms.
5. Maintaining Persistence:
A defining characteristic of APTs is their ability to exist undetected for an extended period of time. Attackers use various techniques to maintain their presence in the network. This includes using command-and-control servers to communicate with compromised systems, regularly updating malware to evade detection, and creating redundant access points to ensure continued access.
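As an added example (not part of the original article), the following Python script shows one way a defender can look for the traffic pattern that stages 4 and 5 describe: a compromised host talking to one outside address at very regular intervals with small, steady payloads, which is how slow exfiltration and command-and-control check-ins tend to look next to ordinary, bursty user traffic. The flow records, IP addresses and detection thresholds are all constructed for illustration and would need tuning against a real network's baseline.

```python
"""Flag beacon-like outbound connections in constructed network flow records.

Added example, not from the original article. The flows, addresses and
thresholds below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, bytes_out).
# 10.0.0.7 -> 203.0.113.9 fires every ~300 s with ~1 KB each time (beacon-like);
# the other records imitate ordinary, irregular browsing.
FLOWS = [
    (0,    "10.0.0.7", "203.0.113.9",    1024),
    (301,  "10.0.0.7", "203.0.113.9",    1060),
    (599,  "10.0.0.7", "203.0.113.9",    1011),
    (900,  "10.0.0.7", "203.0.113.9",    1048),
    (1202, "10.0.0.7", "203.0.113.9",    1030),
    (1500, "10.0.0.7", "203.0.113.9",    1055),
    (5,    "10.0.0.7", "198.51.100.20",   400),
    (9,    "10.0.0.7", "198.51.100.20", 52000),
    (640,  "10.0.0.7", "198.51.100.20",  3200),
    (1490, "10.0.0.7", "198.51.100.20", 18000),
    (12,   "10.0.0.8", "198.51.100.21",   700),
    (13,   "10.0.0.8", "198.51.100.21",   702),
]


def coefficient_of_variation(values):
    """Population std-dev divided by the mean; 0 means perfectly regular."""
    m = mean(values)
    return float("inf") if m == 0 else pstdev(values) / m


def find_beacons(flows, min_connections=5, max_interval_cv=0.05, max_bytes_cv=0.10):
    """Return (src, dst) pairs whose connection timing and sizes are suspiciously regular.

    The thresholds are assumptions for this example; tune them against your own baseline.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), records in by_pair.items():
        # Need at least two connections to have an interval at all.
        if len(records) < max(min_connections, 2):
            continue
        records.sort()
        timestamps = [ts for ts, _ in records]
        sizes = [n for _, n in records]
        gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
        interval_cv = coefficient_of_variation(gaps)
        bytes_cv = coefficient_of_variation(sizes)
        if interval_cv <= max_interval_cv and bytes_cv <= max_bytes_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(records),
                "mean_interval_s": float(mean(gaps)),
                "interval_cv": interval_cv,
                "total_bytes_out": sum(sizes),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(FLOWS):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections every "
              f"~{f['mean_interval_s']:.0f}s, jitter {f['interval_cv']:.3f}, "
              f"{f['total_bytes_out']} bytes out")
```

Run stand-alone it reports the single regular 10.0.0.7 to 203.0.113.9 pair; the irregular browsing records fall out on jitter, and the two-connection pair never has enough samples to judge. Lowering min_connections shows why that floor matters: with only two records almost any pair looks "regular".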
Tools and Techniques Used
- Malware: Customized malware is often used in APTs. This malware is typically designed to avoid detection by antivirus software and may include trojans, rootkits, and keyloggers.
- Social Engineering: APT attackers frequently use social engineering techniques to deceive individuals into breaking normal security procedures. Phishing campaigns, especially those tailored to specific individuals (spear phishing), are common. We’ve written an entire blog on the subject which can help you recognize and avoid phishing attacks.
- Exploits: Attackers often utilize exploits, particularly zero-day exploits, to take advantage of unpatched vulnerabilities in software used by the target.
Who is at Risk of an APT Attack?
One piece of good news for individuals and small businesses is that the cybercriminals who deploy APTs prefer to target large corporations and governments. APT groups are usually (but not always) state-sponsored and so their targets are often chosen by the respective government which funds them.
Common targets include:
- Government Agencies:
National, regional, and local government bodies are prime targets for APTs. Attackers may seek classified information, intelligence data, or insights into government policies and strategies. Such attacks could be driven by political, military, or economic motives.
- Large Corporations:
Major companies, especially those in industries like finance, technology, defense, and energy, are frequent targets of APTs. Attackers aim to steal trade secrets, disrupt operations, or gain competitive advantages. Intellectual property, financial data, and internal communications are particularly valuable to attackers.
- Critical Infrastructure:
Entities that manage critical infrastructure, such as power plants, nuclear storage facilities, water treatment facilities, and transportation systems, are also at risk. Compromising these can have far-reaching consequences, from economic disruption to threats to public safety.
- Research Institutions and Universities:
These are targeted primarily for their cutting-edge research and development data. Sectors like pharmaceuticals, engineering, and tech are especially vulnerable to intellectual property theft.
- Media and Telecommunications:
These sectors are targeted for their ability to influence public opinion and for access to vast amounts of data and communication channels.
Notable APTs in History
Stuxnet:
Perhaps the most famous APT, Stuxnet was a highly sophisticated computer worm discovered in 2010. It is widely believed to have been developed by the United States and Israel to target Iran’s nuclear program. Stuxnet specifically targeted programmable logic controllers (PLCs) used in uranium enrichment, causing substantial damage to Iran’s nuclear facilities.
APT28 (Fancy Bear):
Attributed to Russian military intelligence, APT28 has been active since the mid-2000s. It gained notoriety for its alleged involvement in the 2016 US presidential election interference, where it was accused of hacking and leaking emails from the Democratic National Committee.
APT1 (Comment Crew):
Linked to the Chinese military, APT1 has been implicated in numerous cyber espionage campaigns since 2006, targeting a wide range of industries globally, particularly for intellectual property theft.
Lazarus Group:
Associated with North Korea, this group is known for its wide-ranging cyber attacks utilizing APTs, including the 2014 Sony Pictures hack, the WannaCry ransomware outbreak in 2017, and various financial heists.
Operation Aurora:
Discovered in 2009, Operation Aurora was a series of cyber attacks against dozens of companies, including Google, Adobe, and Intel. It was allegedly sponsored by China and primarily aimed at gaining access to and potentially modifying source code repositories.
SolarWinds:
Uncovered in 2020, this massive cyber espionage campaign targeted the SolarWinds Orion software. Believed to be orchestrated by a Russian state-sponsored group, the attack compromised thousands of businesses, including Microsoft, Intel, Cisco, and NVIDIA, and government agencies, including parts of the U.S. federal government, by inserting a vulnerability in the software’s update mechanism.
NotPetya:
Initially thought to be a ransomware attack in 2017, NotPetya was later identified as a state-sponsored attack by Russia against Ukraine, which also affected global businesses. It caused significant financial damage to several large corporations, including Maersk and Merck.
How to Protect Yourself Against APTs
It’s important to note here that APTs have historically targeted governments and corporations – not small businesses or individuals. However, the risk is clearly significant, since these APT attacks have successfully circumvented the advanced security measures that multi-national companies and governments have at their disposal.
The best way to stay safe from APTs, and all malware, is to prevent them from getting onto your system in the first place by following cybersecurity best practices.
Use extreme caution with links and attachments in emails
We used to advise avoiding only links and attachments from unknown senders. However, it has become increasingly common for attackers to gain unauthorized access to an email account and then distribute their malware to that account’s known contacts.
If you have even the slightest doubts about the authenticity of an email, we recommend contacting the sender and confirming its legitimacy. For emails from financial institutions, do not use the link in the email, but log into your account directly from your web browser instead.
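One concrete check behind the advice above, as an added example that is not part of the original article: a link whose visible text shows one website but whose real destination (the href) is a different site is exactly the kind of email you should not click, and should instead reach by typing the address into your browser yourself. The Python script below pulls every link out of a constructed sample email body and flags any where the displayed domain and the actual destination disagree. The message, domains and the simple "last two labels" domain comparison are illustrative assumptions; a production tool would consult the public suffix list.

```python
"""Flag email links whose visible text names one site but whose href goes to another.

Added example, not from the original article. The sample message and its
domains are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body. The first link's text claims to be the bank,
# but its href leads somewhere else; the other two are consistent.
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification.</p>
<a href="http://examplebank.com.login-verify.example.net/auth">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help center</a>
<a href="https://examplebank.com/security">www.examplebank.com/security</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Assumption: a real tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(value):
    """Host name of a URL or a bare 'www.site.example/path' string; None if not URL-like."""
    if not value or value.lower().startswith(("mailto:", "tel:")) or " " in value:
        return None
    parsed = urlparse(value if "://" in value else "http://" + value)
    host = parsed.hostname
    return host if host and "." in host else None


def suspicious_links(html):
    """Return links whose visible text and href resolve to different registrable domains."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host, text_host = host_of(href), host_of(text)
        if href_host is None or text_host is None:
            continue  # plain-word link text ("Help center") cannot contradict the href
        href_domain, text_domain = registrable_domain(href_host), registrable_domain(text_host)
        if href_domain != text_domain:
            findings.append({"text": text, "href": href,
                             "text_domain": text_domain, "href_domain": href_domain})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"Displayed {f['text_domain']} but links to {f['href_domain']}: {f['href']}")
```

The check is deliberately narrow: it only compares links whose visible text itself looks like a web address, because that is the case where the displayed text makes a promise the href can break. Mail clients show the real destination on hover, which is the manual version of the same comparison.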
Use antivirus software and a firewall
Neither antivirus software nor firewalls are foolproof – but they go a long way towards reducing your network’s attack surface. Essentially, they make your computer a smaller and harder target. Today, both Windows and Macs ship with these security solutions built into their operating systems – however, you may need to confirm that they are running.
A hardware based firewall is a good option for an extra layer of defense – and protects all of the devices on your network. Check out our article on hardware firewalls to learn more.
Keep all of your devices and software updated
We’ve said it before, and we’ll say it again: when your computer, phone, or software asks you to update it – do so! More often than not, updates are closing security holes. Failure to update compromises your network security.
Use extreme caution with USB devices and connections
Never plug a found USB drive into your computer. Attackers have been known to install malware onto drives and then leave them scattered in public places.
Similarly, use caution when charging your cell phone or tablet from publicly available USB charging stations. We recommend bringing your own 120 volt charger and plugging into power outlets.
APTs: More Than Just a Hacker in His Mom’s Basement
Advanced Persistent Threats have more in common with the high-budget Terminator movies than they do with the quick and dirty break-in style of your average hacker. Provided with an ample budget and a clear target by their nation-state sponsors, APT groups spend years perfecting their attack and waiting for the right moment.
While the average person isn’t going to fall victim to these high-profile attacks, these risks highlight the importance of prevention in cybersecurity. Keeping your system updated, treating all email attachments and links with skepticism, and using care with USB devices will go a long way towards keeping you safe. Concerned that your cybersecurity may have slipped and you’ve already got a virus? Contact a local digital security expert and get your system checked!