What Is an Advanced Persistent Threat?

An advanced persistent threat (APT) is a concealed or disguised cyberattack. During an APT, bad actors gain unauthorized access to a network, evading detection for an extended period. The US Department of Defense coined the term “advanced persistent threat” in the early 21st century to describe cyber espionage campaigns, particularly those conducted by China against US national security interests [1]. 

Read on to gain a deeper insight into advanced persistent threats, including strategies to defend against them. 

Read more: Cybersecurity Terms: A to Z Glossary

What’s the motive behind an advanced persistent threat (APT)?

APTs have varied motivations. For example, state-sponsored attackers, often backed by governments, launch APTs to acquire military intelligence. On the other hand, organized crime syndicates back advanced persistent threats in pursuing financial profits. In essence, both rogue criminal groups and national governments orchestrate APTs. 

Read more: 10 Common Types of Cyberattacks and How to Prevent Them

Characteristics of advanced persistent threats

APTs differ from conventional cyberattacks in several ways. Primarily, APTs are covert, targeted, and relentless. 

1. Covert 

Unlike typical cyberattacks, APTs adopt a subtler approach that instantly creates chaos and turmoil by disrupting systems. They remain dormant during the initial infection to avoid raising alarms in the target network. The prolonged dormancy, lasting anywhere from a few days to several years, allows threat actors to silently observe, gather information, and execute a sophisticated, long-term attack.

2. Targeted 

APTs operate with a clear objective, armed with knowledge of a target’s security vulnerabilities. These attacks are meticulously designed to penetrate the specific defenses of the target through sophisticated, custom-made malware, among other cyber weapons. Substantial resources, including financial support, go into crafting a single attack.

3. Relentless

APTs create several entry points into a target organization's networks and systems. With multiple points of compromise, APT initiators can evade or delay incident response efforts, allowing them to maintain their foothold in the network.

What are some known attack pathways utilized in APT campaigns?

Spear phishing, rootkits, and zero-day vulnerabilities are three commonly exploited attack vectors by APTs. Let's take a closer look at each.

1. Spear phishing

Spear phishing is a focused effort to pilfer privileged users' credentials. A privileged user is identified following an extensive search for potential infiltration points. Keyloggers or deceptive emails may be leveraged to coerce individuals into revealing their credentials.

2. Rootkits

Rootkits are stealthy malicious programs that give APT attackers remote control over a target system via command-and-control servers. Often introduced through email phishing, rootkits create hidden access points within an infected system, allowing APT groups to discreetly infiltrate an organization's network.

3. Zero-day vulnerabilities

A zero-day vulnerability is an undiscovered security flaw within software applications or operating systems. Since zero-day vulnerabilities are unknown to the software manufacturer, no defense or patch is in place to mitigate the risks they pose. This lack of preparedness aids potential exploitation by APT groups.

5 stages of an advanced persistent threat

Advanced persistent threats are sophisticated breaches, and their effectiveness is largely due to the multiple steps each follows to systematically gain access to sensitive information. A successful APT attack unfolds in a series of five stages: 

1. Securing access

APT attacks begin by creating multiple access points into a target network. Attackers may secure these access points through privileged user credentials, phishing emails, and zero-day vulnerabilities, among other attack vectors. 

2. Infiltration 

After gaining initial access, attackers establish remote network access to the compromised system(s) through malicious software. Additionally, the perpetrators set up an outbound connection with the target network’s command-and-control servers to control the compromised system(s). At this point, attackers may use custom-developed malware to maintain and hide their covert presence within the targeted network. 

3. Lateral movement

Attackers utilize brute force attacks and other network vulnerabilities to extend their control over the target network to identify and access sensitive systems. Subsequently, backdoors and tunnels are set up for lateral movement within the network and transfer data as needed.

4. Initiating the attack

Upon broadening their foothold, APT attackers identify valuable data they intend to exploit and move it to a secure location within the network. The data may undergo encryption and compression to facilitate easy transfer during the exfiltration phase.

5. Data exfiltration 

Efiltration marks the last stage of an advanced persistent threat. During this stage, attackers extract the sensitive data from a target network’s compromised system(s) using tunneling techniques or encrypted channels. If the exfiltration goes unnoticed, attackers might linger within the network and await opportunities for subsequent attacks. 

Infamous APT groups

The following are examples of some prominent state-sponsored APT groups. The presumed end goals of all three—APT 29, APT 14, and APT 35—are data theft and cyber espionage. 

1. Cozy Bear (APT29) 

The APT 29 group, Cozy Bear, leverages social media and cloud storage sites to transmit commands and exfiltrate data from compromised networks. These commands are typically concealed within images with encrypted data.

2. Anchor Panda (APT 14)

The APT 14 or Anchor Panda group uses a customized simple mail transfer protocol (SMTP) mailer tool for dispatching spear-phishing messages. The messages are artfully crafted to give the impression of being sent from trustworthy organizations.

3. Phosphorus and Newscaster Team (APT 35)

The APT35 group primarily relies on spear-phishing to compromise an organization’s critical systems. The group is also known for utilizing compromised accounts and credentials obtained from prior successful attacks.

How to identify an advanced persistent threat?

Being aware of the warning signals of APTs can help you keep your data secure or stop an attack before it goes too far. Here are some indicators of an advanced persistent threat: 

1. Unusual data activity 

Suspicious connections to external devices, unusual data transfers between them, or any atypical increases in data traffic across your network are indicators of an APT attack. Remember, APT attackers identify and move target data and assets to a specific location before transferring them to an external server for future use.

2. Dubious files 

Look for peculiar data files in your system. These unusual data files can indicate a sophisticated and organized attempt to exfiltrate sensitive information from your network.

3. Irregular logins

A noticeable uptick in uncommon logins can be a telltale sign of an APT attack. These logins frequently occur at unconventional hours, possibly due to attackers operating in different time zones. 

How to protect against advanced persistent threats?

Along with recognizing the signs of APTs, you can also take proactive measures to help prevent them. Below are some tactics to strengthen your defenses against APTs:

1. Whitelisting

Utilize whitelisting to designate a specific set of applications or domains as secure. This way, your network will exclusively permit traffic originating from the applications and domains you've specified on your list, lowering the risk of infiltration by APT groups.

2. Vulnerability scanning 

Keep your software up-to-date by applying patches as soon as vulnerabilities are identified. Furthermore, performing routine vulnerability scans can aid in identifying potential weaknesses before malicious actors can exploit them.

3. Multi-factor authentication 

Incorporating two-factor or multi-factor authentication introduces an extra layer of security, drastically reducing the likelihood of credential theft.

Get started with Coursera.

Deepen your understanding of cybersecurity with IBM’s Introduction to Cybersecurity Tools and Cyber Attacks course, available on Coursera. Intended for beginners, this course is designed to help you comprehend the types and motives of modern-day cyberattacks. Upon completion, gain a shareable Professional Certificate to include in your resume, CV, or LinkedIn profile.