
What Are Advanced Persistent Threats?

Advanced Persistent Threats (APTs) are sophisticated, long-term, targeted cyber attacks carried out by skilled and well-resourced attackers, such as nation-state actors or organized crime groups, with the goal of compromising and gaining access to sensitive information or systems.

APTs typically involve a series of carefully planned and coordinated attacks that are designed to avoid detection and maintain persistence within the targeted network or system. This can include the use of malware, social engineering, and other techniques to gain initial access and then move laterally through the network to reach the ultimate target.

These types of attacks are especially dangerous as they are designed to be stealthy and to remain undetected for long periods of time, causing long-term and significant damage to any organization.


Dissecting Advanced Persistent Threats

The exact origin of the term APT is not clear, but it is generally attributed to the U.S. Air Force, which first used it in the late 2000s to describe a type of cyber attack that was observed in military networks. The term gained wider use in the security community following the 2010 publication of a report by security company Mandiant, which used the term to describe a specific Chinese hacking group that was carrying out persistent attacks against U.S. organizations.


The process of an Advanced Persistent Threat (APT) can be broken down into several stages. These stages can vary depending on the target, the specific attack and the attacker, but in general, the stages are as follows:

Reconnaissance: The first stage of an APT involves gathering information about the target. Attackers use a variety of methods to collect information about the organization, its employees, and its IT infrastructure. Common techniques include:

  1. Open Source Intelligence (OSINT): Hackers can use publicly available sources of information, such as search engines, social media, and company websites to gather information about the target.
  2. Port Scanning: Hackers can use automated tools to scan the target's network and identify open ports and services, which can help them identify potential vulnerabilities.
  3. Vulnerability Scanning: Hackers can use automated tools to scan the target's systems for known vulnerabilities, which can be exploited to gain access to the network.

Initial Access: The next stage involves gaining initial access to the target network or system. Common techniques include:

  1. Spear Phishing: Attackers may send targeted emails to employees within the organization, containing malware or links to malicious websites.
  2. Watering Hole: Attackers may compromise a website that is frequently visited by the target organization's employees, in order to deliver malware to the target system.
  3. Malware Delivery: Attackers may use a variety of techniques to deliver malware to the target system, including exploiting vulnerabilities in software, and using social engineering techniques.

Lateral Movement: Once initial access is obtained, the attackers begin to move laterally through the network to find the ultimate target. This may also involve identifying and compromising additional systems and resources within the target network. Common techniques include:

  1. Exploiting Unpatched Vulnerabilities: Attackers may exploit unpatched vulnerabilities in systems or software on the network to gain access to other systems.
  2. Stealing and Using Credentials: Attackers may steal login credentials from one system and use them to gain access to other systems on the network.
  3. Pass-the-Hash Attacks: Attackers may use tools to extract password hashes from one system and use them to gain access to other systems on the network.

Persistence: At this stage, the attacker will take steps to maintain persistence within the target network. This can involve installing backdoors, creating new user accounts, or modifying existing system configurations to allow the attacker to maintain access and avoid detection. Other ways include:

  1. Hiding in Plain Sight: Attackers may use various techniques to hide their presence on the target system or network, such as using rootkits or other types of malware that are designed to evade detection by antivirus software.
  2. Covert Communication Channels: Attackers may use covert communication channels, such as steganography or encrypted channels, to communicate with command and control servers and to avoid detection.

Data Exfiltration: The final stage of an APT involves stealing sensitive data from the target network. Much like the previous steps, this can be achieved using a variety of methods, such as using keyloggers to capture login credentials or creating Command and Control (C2) Channels.


Common Targets of APT

Any organization that holds sensitive information or has valuable intellectual property is potentially at risk of being targeted by an APT. However, APTs generally target the following types of organizations:

  • Government Agencies: Nation-state actors often target government agencies to gain access to sensitive political, military, or economic information.
  • Military Organizations: Military organizations are often targeted by nation-state actors seeking to gain access to sensitive military intelligence or weapon system designs.
  • Defense Contractors: Defense contractors are targeted to gain access to sensitive defense-related information, such as classified blueprints and designs. Defense contractors are often seen as a weak link in the defense supply chain and are frequently targeted by nation-state actors or organized crime groups.
  • Financial Institutions: Financial institutions are targeted to gain access to sensitive financial information and steal funds. Attacks against financial institutions are often motivated by financial gain and can result in significant financial losses for the target organization.
  • Healthcare Organizations: Healthcare organizations are targeted to gain access to sensitive patient data, such as medical records and personal information. Medical records are often valuable on the black market and can be used for identity theft or insurance fraud.
  • Energy and Utility Companies: Energy and utility companies are targeted to gain access to sensitive infrastructure information, such as power grid designs and control systems. Attacks against energy and utility companies are usually motivated by the intent to disrupt critical infrastructure.
  • Technology Companies: Technology companies are targeted to gain access to proprietary information, such as source code and intellectual property. Intellectual property theft can result in significant financial losses and can also undermine the competitiveness of the target organization.