Advanced Persistent Threats (APTs) are prolonged targeted cyberattacks. During this type of attack, intruders access the network and attempt to remain undetected for as long as possible. This allows the bad actor to access intellectual property and other sensitive information or disrupt critical services like utilities. While these threats tend to target organizations in defense, manufacturing, and the financial industry, any organization has the potential to be vulnerable.
It is believed that the term APT was coined by the United States Air Force in 2006, and was effective at defining the criteria to differentiate between an APT and an attack by an “ordinary” threat actor:
The attack needs to be advanced in the sense that the group consists of highly skilled individuals who are able to draw on rich research and development resources to thoroughly understand the target and develop their own tools and malware, often exploiting zero-day vulnerabilities.
The attack will also be persistent, meaning that it has specific goals and is executed against a defined target, with one of the goals being permanent access to the victim, for future use or until the end goal is achieved. Several tools might be used against the target until it is successfully infiltrated. This kind of operation might run for years without being detected by the victim.
Advanced persistent threats emerged in the early 2000s. For example, the Sykipot APT malware family targeted U.S. and U.K. organizations by leveraging flaws in Adobe products from 2006–2013. The targeted organizations included government agencies, telecommunications companies, and defense contractors.
The resources required for an APT attack to be successful create the assumption that APT groups are state-sponsored and part of a country’s espionage apparatus, with the goals of the attack correlated with the needs of the state. Attributing a group to a state is considered a best-effort practice, as attribution is extremely difficult and groups proactively deploy tactics to throw off researchers (false flag operations).
APT groups are often named with a number (e.g. APT 2) or with an adjective followed by an animal name. The chosen animal is tied to the APT’s country of origin. For example, Chinese APT groups will often have the word “panda” in their name (Gothic Panda, Aurora Panda), while Russian APT group names incorporate the word “bear” (Venomous Bear, Cozy Bear). Some groups are also named after the malware strain they use in their attacks (e.g. Turla).
The goals of various APT groups differ and historically have been very diverse. One goal may be espionage and information gathering. For example, Energetic Bear (aka Dragonfly), an APT group believed to be of Russian origin, was detected several times in the networks of critical infrastructure vendors, such as a power plant in Ukraine and an aerospace vendor in the UK. Although the presence in the network could have been used to harm the victims, it seems that the goal of Energetic Bear was simply to maintain access and gather the information that its sponsoring state requires (although the gathered information may later be used for a future attack).
Another goal may be to inflict damage on the target. For instance, the Stuxnet computer worm was allegedly created by the Israeli Unit 8200 in cooperation with the US Equation Group (which is believed to be part of the NSA). The worm was delivered via a malicious USB stick and spread to Siemens industrial control systems. The attack was successful in slowing down Iran’s nuclear program, reportedly ruining a fifth of Iran’s nuclear centrifuges.
Another example of havoc wreaked by an APT group is the infamous WannaCry attack that started in May 2017, wiping approximately 200,000 computers across the globe and causing billions of dollars in damage. The attack was attributed to the North Korean APT group Lazarus.
Objectives tend to be wide-ranging and have included tracking journalists and activists (Iran-linked group Charming Kitten aka APT35), meddling in elections (Russia-linked group Fancy Bear aka APT28), and even bank heists (allegedly by the aforementioned North Korean Lazarus group).
APTs may use one or more of the following attack vectors to compromise their targets:
Once a victim is compromised, the attacker’s deployment can vary. They may deliver in-house malware tailored to the specific target, use commonly available malware, or deploy by living off the land, an approach that uses dual-use tools already present in the network to minimize the chance of being detected.
Some examples of malware families used by APT groups:
APT groups are here to stay. In fact, every few weeks there is news of a new APT operation being detected. Just recently it came to light that APT groups linked to China and Vietnam are spreading Covid-19-themed phishing, APT groups have been known to attempt to breach the World Health Organization to gain information on vaccines, testing, and treatments, and a Russian APT group is attacking institutions involved in Covid-19 research and vaccine development to steal intellectual property.
Defending against APTs requires a multilayered approach, including:
APTs represent a critical cybersecurity threat that organizations can’t afford to ignore, given the risk of having all of their private data exposed. Deep Instinct offers a robust prevention-focused solution to APTs that stops them from infiltrating in the first place.