
Advanced Persistent Threat (APT)

An Advanced Persistent Threat (APT) is a threat actor, most often operated or sponsored by a nation-state, whose aim is unauthorized access to computer networks over an extended period. More recently the term is also applied to large-scale intrusions against specific targets, regardless of who sponsors them.

The motivations behind threat actors of this level are most often political or economic. Major business sectors have seen APT attacks aimed at theft, espionage, or disruption, spanning defense, legal services, financial services, government, telecoms, industry, and consumer goods, among others. Some groups also rely on more traditional steps such as social engineering, infiltration, and intelligence gathering to obtain physical access to networks. The attacks are carried out to place malicious code on multiple computers, each with a specific task in mind.

What Is the Definition of an APT?

The exact nature of an APT may vary, but the three elements of the name carry the same meaning in every case:

Advanced – The operators behind the APT have a wide range of intelligence-gathering capabilities to draw on: commercial and open-source intrusion techniques and tools, intelligence gathered through state-operated means, and more. The individual components of an attack need not be advanced; some may be easy to find or exploit. What sets the operators apart is that they have access to advanced tooling, or can develop it within their own organization, and that they combine techniques and targeting to maximize the chance of compromising the chosen individual or organization, slip through defenses, and maintain access over a long time. The professionalism they exhibit, in particular their focus on operational security, separates them from the average hacker.

Persistent – The operators pursue a defined set of objectives rather than opportunistically harvesting whatever information is available for financial gain. They follow a cycle of monitoring, interaction, and action toward that objective. This does not mean a stream of constant attacks or malware updates; the work is often slow and unobtrusive. If the APT loses access to a target, it typically attempts to regain it instead of moving on. The long-term goal is unobstructed access to that one target, in contrast to threats that spread across as many victims as possible.

Threat – An APT is a threat because of both intent and capability. Attacks are driven by human operators making decisions, rather than by self-propagating code. Targets are specific and chosen through research and intelligence gathering. APTs are groups with skill, motivation, organization, and funding, backed by states or other powerful sponsors.

[Figure: Advanced Persistent Threats: What Are They, Really?]

The Origins of Advanced Persistent Threats

Targeted, socially engineered emails dropping Trojans to exfiltrate data were observed, and warnings were issued by CERT organizations in the UK and US, as far back as 2005. The method was already in use in the 1990s, but did not yet carry today's name. The term 'Advanced Persistent Threat' is cited as first used within the United States Air Force in 2006, and Colonel Greg Rattray is generally credited with coining it.

What Are the Most Targeted Sectors of Public and Business Life?

Many sources have observed attacks likely affiliated with, or carried out directly by agents of, sovereign states. Organizations holding large volumes of personally identifiable information are at high risk of being targeted by APTs. Examples have been seen in agriculture, telecommunications, technology, energy, transportation, manufacturing, financial institutions, higher education, and healthcare.

[Figure: Advanced Persistent Threat Lifecycle]

Advanced Persistent Threat Attack Progression

APT attacks can be broken down into stages to better understand how these threat actors operate. The first stage is:

Infiltration and Social Engineering

APT targets are usually infiltrated by compromising one of three things: network resources, web assets, or authorized users. Several techniques are used. Malicious uploads delivered via remote file inclusion (RFI) or SQL injection attack the web layer, while social engineering such as spear phishing targets the human element to get a foot in the door. These are daily threats for organizations large and small, which makes strong security a necessity. Attackers may simultaneously launch a DDoS attack against some targets as a distraction for network personnel and a way to soften security measures. Once in, they install a backdoor shell as fast as possible: malware that provides network access and remote-operation capabilities while staying under the radar. Backdoors sometimes masquerade as legitimate software.

[Figure: Operation Path of an Advanced Persistent Threat]

Operation Expansion

Once a foothold has been established, attackers spread their operation across the network. That involves moving up the organization's hierarchy: ideally they compromise the staff members with the most access to sensitive data, gathering employee data, financial records, product line information, research and development details, and more. Depending on the attack's final goal, the gathered data may be sold to competitors of the victim, altered to sabotage production, or used to take down entire organizations. If sabotage is the desired outcome, as it was with the Stuxnet worm, this phase is used to gain control of essential functions or to manipulate them for maximum damage. Attackers may wipe entire databases on company servers or disrupt network communications in ways that take a long time to recover from.

Data Extraction

While an APT works to compromise a victim, stolen information is often staged in locations inside the attacked network. Once collection is complete, the operators move to the last step, exfiltration. In many cases that involves distracting the organization's security team so the data can be moved while they are busy, for example with a DDoS attack that forces the team to scramble. Meanwhile the operators transfer the collected data and cover their tracks; in some cases that means wiping drives and data with malware to erase any trace of their presence.

What are the Possible Signs of an APT Attack?

Suspicious activity on an organization's network may be a sign of an APT attack. Examples include:

  • Unexpected Elevated Logons During Night Time – APTs escalate from compromising a single machine to taking over entire networks within a short span, sometimes a matter of hours. They often do this by reading an authentication database, stealing credentials, and reusing them. Once they learn which user or service accounts hold elevated privileges, they work through those accounts to compromise assets across the environment. A high volume of elevated logons at night may be a sign of attackers working on the network, especially when it occurs on multiple servers or high-value computers.
  • The Widespread Presence of Backdoor Trojans – APT operators often use backdoor Trojans on computers within an exploited network so that access survives even if stolen credentials are changed and the victim takes countermeasures. Trojans are sometimes combined with social engineering, using the weaker human element of the security infrastructure to sneak a Trojan through the front door. This tactic works in most environments and helps the threat actors spread with fewer difficulties.
  • Unexpected Information Transfers – Large and unexpected transfers of data from internal computers to external ones, whether server to client, network to network, or server to server, can be a red flag. The transfer may be small, such as someone picking up an email from abroad, or something far more significant.
  • Unexpected Bundles of Data on the Network – APTs often place stolen data at internal collection points before exfiltrating it. Gigabytes of data in places where it should not be can indicate an intrusion, especially when it appears in archive or other formats the organization does not normally use.
  • Spear Phishing Campaigns Focused on Specific Users – Focused spear-phishing campaigns aimed at a company's employees are a visible sign that something is amiss. They are often carried out with document files such as PowerPoint PPT, Excel XLS, MS Word, and PDF files poisoned with malicious links and executable code that become the foot in the door for many threat actors. One of the clearest signs that attackers are doing more than a run-of-the-mill attack is phishing email aimed at specific employees within the hierarchy. Individuals targeted by APTs often include high-value targets such as CEOs, CFOs, CISOs, and project leaders. These messages frequently use information harvested by compromising lower-ranking team members or taken from social media accounts and other sources.

The emails carrying the infected attachments and social engineering lures may be fake, but they often contain keywords referring to ongoing projects, subjects, and other details that give the attackers credibility and a chance to build trust with the victim. Information about ongoing projects or other team members, gossip, and anything else that might compromise security through human error may be exploited.

Focused, successful spear-phishing attacks on executives or project leaders are the ideal situation for the operators behind an APT, as they provide elevated access to the organizational structure. If suspicious emails are being sent to people in critical positions, an attack against your organization may already be under way. Preventing this first step is essential, since cleaning up after an APT attack means hunting for backdoors and other complications that could have been avoided through proper training and operational security.
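The first and third signs above, privileged logons at odd hours across several hosts and large outbound transfers, are the easiest to turn into a concrete check. The following is an added example, not code from this page or from any product it describes: two small detectors run over constructed Windows Security events (event 4672, special privileges assigned to a new logon) and constructed flow records. The host names, account names, IP addresses, and the 22:00-06:00 "off-hours" window are all assumptions for illustration.

```python
"""Toy detections for two APT indicators: privileged logons outside business
hours spread across several hosts, and large internal-to-external transfers.
All log lines below are constructed samples, not real telemetry."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed Windows Security events: timestamp,event_id,account,host.
# 4672 = "Special privileges assigned to new logon" (admin-equivalent token);
# 4624 = ordinary successful logon. Hosts and accounts are hypothetical.
LOGON_EVENTS = """\
2024-05-20T02:13:07,4672,svc-backup,FS01
2024-05-20T02:14:41,4672,svc-backup,DC01
2024-05-20T02:17:03,4672,svc-backup,SQL02
2024-05-20T02:19:55,4672,svc-backup,HR-FILES
2024-05-20T09:02:11,4672,j.doe,WS-0412
2024-05-20T23:45:30,4672,admin.local,DC01
2024-05-21T01:05:12,4624,r.lee,WS-0077
"""

# Constructed flow records: timestamp,src_ip,dst_ip,bytes_out.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for attacker infrastructure.
FLOW_RECORDS = """\
2024-05-21T03:02:00,10.0.5.17,203.0.113.44,7340032000
2024-05-21T03:04:00,10.0.5.17,203.0.113.44,5120000000
2024-05-21T10:15:00,10.0.8.3,10.0.9.9,900000000
2024-05-21T11:00:00,10.0.3.21,198.51.100.8,52000
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_logons(text):
    """Yield (timestamp, event_id, account, host) tuples from CSV-style lines."""
    for line in text.strip().splitlines():
        ts, event_id, user, host = line.split(",")
        yield datetime.fromisoformat(ts), int(event_id), user, host


def off_hours(ts, start=22, end=6):
    """True when ts falls inside the start..end window, which wraps midnight."""
    return ts.hour >= start or ts.hour < end


def off_hours_privileged_logons(text, min_hosts=3):
    """Accounts that obtained privileged (4672) logons outside business hours
    on at least min_hosts distinct hosts. Returns {account: sorted hosts}.
    A single night-time admin logon is normal; the same account fanning out
    across many servers in one night is the pattern worth paging on."""
    hosts_by_user = defaultdict(set)
    for ts, event_id, user, host in parse_logons(text):
        if event_id == 4672 and off_hours(ts):
            hosts_by_user[user].add(host)
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= min_hosts}


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def large_outbound_transfers(text, threshold_bytes=1 << 30):
    """Total bytes per internal source sent to external destinations,
    reporting only sources at or above threshold_bytes (default 1 GiB).
    Internal-to-internal flows are ignored: that is staging, not exfiltration."""
    totals = defaultdict(int)
    for line in text.strip().splitlines():
        _, src, dst, nbytes = line.split(",")
        if is_internal(src) and not is_internal(dst):
            totals[src] += int(nbytes)
    return {src: n for src, n in totals.items() if n >= threshold_bytes}


if __name__ == "__main__":
    print(off_hours_privileged_logons(LOGON_EVENTS))
    print(large_outbound_transfers(FLOW_RECORDS))
```

On the sample data the first detector flags only svc-backup, which touched four servers between 02:13 and 02:20; admin.local's single night-time logon on DC01 stays below the host threshold, and j.doe's daytime logon is ignored. The second flags 10.0.5.17, which pushed roughly 12 GB to an external address at 03:00, while the 900 MB internal copy from 10.0.8.3 is left alone. In production both thresholds should be tuned per environment, and the internal copy is exactly the kind of event the fourth sign (staged data bundles) would catch instead.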

Most Trending Advanced Persistent Threat (APT) in the Last 2 Weeks

# Threat Name
1. Kaolin RAT
2. Groove Ransomware
3. Muddling Meerkat APT
4. AcidPour Wiper
6. Logtu
7. Golden Chickens Criminal Group
8. Cycldek
9. KamiKakaBot
10. TinyTurla-NG Backdoor
11. Turla APT
12. Lotus Blossom APT
14. DDoSia Malware
15. 'MuddyWater' APT
16. Gelsemium APT
17. Pelmeni Wrapper
18. LuminousMoth APT
19. MagicWeb Malware
20. AllaKore RAT
21. RedDelta
22. MagicRAT
23. LightlessCan Malware
24. IDAT Loader
25. PIPEDREAM Malware
26. APT28
27. SPICA Backdoor
28. APT35
29. FIN11 APT
30. Lazarus APT

Last updated: 2024-05-26