By Charles Joseph | Cybersecurity Advocate
Many people think of cyberattacks as instantaneous strikes, starting and ending in the blink of an eye.
But while some certainly fit that description, others are more siege than blitz: sophisticated, strategic, and prolonged, aimed at specific targets and carried out over the course of weeks, months, or even years.
These so-called Advanced Persistent Threats, or APTs, are among the most notorious — and fascinating — facets of cybersecurity. So just what constitutes an APT, and what sets it apart from other types of cyberattacks?
What Is an Advanced Persistent Threat (APT)?
An Advanced Persistent Threat (APT) is a targeted, sustained cyberattack that uses sophisticated tactics to remain undetected in a system for extended periods of time.
APTs are meticulously planned, involving multiple stages and targeting high-profile or high-value individuals or organizations. The goal is generally to steal sensitive information from the target, though more destructive objectives like system corruption or data destruction are also commonly seen.
The Five Stages of an APT
Every APT is unique, but most of them follow the same basic five-stage structure.
Stage 1: Gaining Access
To gain initial access to the targeted system, attackers generally exploit one (or more) of three vectors: web apps and assets, network vulnerabilities, and human users.
Of the three vectors, humans are by far the most reliable, and the majority of APTs involve exploiting the human element. Attackers use a variety of social engineering techniques, especially phishing and spear phishing, to obtain the credentials and access they need.
A spear-phishing incident, or a series of them, is often the first indicator that an APT is being conducted. High-level employees or others with privileged system access may receive emails purporting to be from colleagues, contractors, or other trusted senders.
But social engineering isn’t always necessary to commence an APT. Some begin by exploiting technological vulnerabilities, like improperly configured networks, unpatched software, or compromised websites or web apps.
Stage 2: Establishing a Presence
Once the attacker has gained initial access to the system, the next step is to ensure that they maintain that access for as long as possible.
This usually involves installing a backdoor — a malicious, stealthy program that gives the attacker an easy way to return to the system, circumventing any security measures that may otherwise prevent future access.
Backdoors are often hidden deep in the system, in areas that aren’t typically scanned by antivirus software or accessed by administrators. But they can also hide in plain sight, as Trojans masked as legitimate programs, plugins, or processes.
APT backdoors are meticulously crafted, often utilizing encryption and obfuscation to raise as little suspicion as possible. Once in place, they serve as secret tunnels that the attacker can use to get in and out remotely, complete with shells that can be used to navigate and control the system.
Stage 3: Going Deeper
With continued access now ensured by the backdoor, the APT can move on to stage 3: gaining deeper access to and control over the system.
Attackers use this time to explore the network, study its structure, map out the most important components, and decide on a final plan of attack. Lateral movement allows attackers to locate the most vulnerable parts of the system and exploit them by deploying password crackers, keyloggers, and other malicious tools.
Privilege escalation is a major component of this stage, as the attackers need access to as much of the system as possible to craft the final attack. Thus, much time may be spent identifying and cracking administrator accounts or hunting for vulnerabilities that allow for privilege escalation.
Because stealth is of the utmost importance, this stage often takes the longest to complete as attackers move slowly, collecting what they need a little at a time so as to avoid drawing attention to themselves.
Stage 4: Staging the Attack
Having mapped the network and located the target information, attackers can now start preparing for the main event.
If the goal of the APT is to steal data, attackers often create a secret, encrypted zone where they can slowly amass the files they want, storing them up in a single, accessible location to simplify extraction.
When other goals like destruction or corruption are involved, this stage may entail setting up additional tunnels that provide more direct access to specific areas of the system. Attackers may also use this time to preload the system with malware that will be activated in the final stage.
Stage 5: Exfiltrating and Extracting
When the time finally comes to extract the stolen data, damage the system or otherwise complete the ultimate goal of the APT, the attackers need to move fast — and clean up after themselves.
First, attackers often set up a smokescreen to distract the victim. DDoS attacks are commonly used here, consuming the attention of the victim’s cybersecurity team while the real attack takes place.
Stolen data is usually compressed to reduce file size, reducing transfer times in the process. The attacker then initiates the transfer through one of the backdoor tunnels implemented in the previous stages, often utilizing additional means of obfuscation like proxies or VPNs.
At this point, dormant malware can be activated, directories can be wiped or corrupted, and any other destructive actions can be taken.
Assuming the attack hasn’t already been detected, attackers can then work to remove any forensic evidence of their presence: erasing data transfer logs, removing excess backdoors, and otherwise covering their tracks as best as they can.
However, in many cases, one stealthy backdoor is left in place so the attacker can return to the system even after the completion of the APT.
The majority of APTs are conducted for espionage purposes, whether in pursuit of trade secrets, intellectual property, government files, military intelligence, or any other type of sensitive, classified data. Once obtained, this data can be used by competitors or enemies for their own gain, sold to third parties, used for extortion purposes, or leaked to the public.
However, some APTs are carried out for monetary gain, targeting corporate financial systems, treasuries, banks, or cryptocurrency exchanges. Attackers may seek to steal finance-related credentials or banking records, or they may hold the victim’s system or files for ransom.
And some attackers conduct APTs as a form of “hacktivism”, using the attack to send a moral or ethical message to the target and/or the rest of the world. In these APTs, attackers may overwrite the victim’s website with their own materials or destroy the victim’s data.
Common APT Attackers and Targets
Most APTs are politically or economically motivated, carried out against large companies, organizations or governments. Though their complex nature usually requires a team of hackers, some APTs are conducted by talented lone attackers.
State-sanctioned APTs against enemy governments are becoming more commonplace as cyberwarfare in general escalates. Powered by the country’s best hackers and the government’s bountiful resources, these APTs can run for years without being detected.
Non-governmental terrorist groups also target governments with APTs. And both state-sanctioned and terrorist APTs can target private entities, especially political activists and organizations related to infrastructure, energy, and the media.
But private citizens also conduct APTs, often in tandem with each other as APT collectives or groups. These highly skilled hackers are typically out for financial gain, so they target high-value companies and other organizations with data that can fetch a handsome price on the black market — or as a ransom.
Key APT Takeaways
- Advanced Persistent Threats (APTs) are prolonged, multi-stage cyberattacks that make use of sophisticated tools and techniques to infiltrate a specific victim’s system.
- APTs often begin with social engineering attacks like phishing, move on to backdoors and malware once initial access is gained, then remain low-key for extended periods of time while attackers survey the system and locate their desired data.
- As the APT draws to a close, attackers deploy DDoS attacks or other distractions while they transfer their data, damage systems, and carry out other payloads, leaving as little evidence behind as possible.
- Many APTs are used for espionage against rival corporations and enemy governments, though some are conducted by rogue hacker groups for financial gain — or by hacktivists to send a moral message.
- APTs differ from other cyberattacks in their complexity, their extended lifespans, and the high profile of their victims.
History of APTs
The term “Advanced Persistent Threat” was first used in 2006 by U.S. Air Force General Greg Rattray. Rattray coined the term so USAF analysts could discuss such threats and their characteristics with uncleared parties without having to reveal classified details about the threats.
However, the concept of APTs predates the term itself.
One of the earliest examples is Moonlight Maze, in which the U.S. government experienced a data breach that lasted three years. Classified naval codes, defense maps and research, military manuals and designs, troop configurations, and other critical data was stolen near-continuously from 1996 to 1999, with the culprit believed to be the Kremlin-sponsored hacking group Turla.
In 2003, another APT against the U.S. began, this time originating from China’s official hacking group, People’s Liberation Army Unit 61398, and dubbed Titan Rain. Titan Rain lasted at least three years and targeted agencies, including NASA and the FBI, as well as defense contractors like Lockheed Martin.
As the internet has become more ubiquitous, so too have APTs, especially state-sanctioned ones. Today, they’re a core component of cyberwarfare, used by — and against — most of the world’s superpowers on a continuous basis.
APTs by the Numbers
- There are at least 117 different APT groups currently active, with 89 of them backed by 18 different national governments.
- 63% of all known APT groups are backed by the Chinese and Russian governments.
- Russian APT group APT29 has the most vulnerabilities in its arsenal of any group: 53, more than double the 25 held by its closest competitor, China’s Winnti Group.
- Between 2019 and 2020, APT incidents against EU institutions and agencies increased by 60% — and between 2020 and 2021, they increased by a further 30%.
- In 2022, the APT protection market was worth nearly $7 billion, a figure that’s projected to surpass $15 billion by 2026.
The Stuxnet APT
In development since 2005 and first deployed in 2007, Stuxnet stealthily ravaged the computer systems at Iran’s nuclear facilities until 2010.
Believed to be the creation of the U.S. and Israeli governments, Stuxnet infected over 200,000 computers and caused physical damage to over 1,000 over its three-year lifespan. Though it was programmed to shut itself down in June 2012, it was still reportedly spreading throughout Iran as of December 2012.
The RSA APT
In 2011, cybersecurity company RSA announced that it had been the victim of an APT attack targeting data on its SecurID authentication technology. This data would allow the attackers to spoof SecurID authentication tokens, which were used by dozens of Fortune 500 companies.
Ten years later, in 2021, it was revealed that a Chinese state-sponsored hacking group, Unit 61398, was behind the APT and that the hack compromised systems at multiple defense contractors, including Lockheed Martin and Northrop Grumman.
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional