
Advanced persistent threat (APT)

An advanced persistent threat (APT) is a sophisticated, sustained cyber attack executed by a well-resourced organization (e.g., nation-states and criminal syndicates) and usually focused on a specific target. Advanced persistent threats are complex and large-scale with an extended duration. The initial breach is often followed by a prolonged waiting period, during which the attackers monitor activity and move laterally to expand their positions across an organization.

The tactics of an advanced persistent threat vary. In some cases, sensitive data is slowly exfiltrated. In others, the attack is one massive blow. The objectives of advanced persistent threats fall into several groups:

  1. Cyber espionage
  2. Destruction and disruption (e.g., infrastructure or networks)
  3. Extortion
  4. Financial theft
  5. Hacktivism

Targets of Advanced Persistent Threats

Advanced persistent threat targets vary, but APT actors typically pursue organizations and industries that hold valuable data, sensitive information, or assets of strategic importance. These targets range from government entities to private corporations, and they are selected based on the attackers’ geopolitical, economic, or financial objectives. The following are common APT targets.

Critical infrastructure

When the objectives are to disrupt essential services or gather intelligence for potential future attacks, common targets for APTs are organizations in the energy, water, healthcare, transportation, and telecommunications sectors.

Educational and research institutions

Because universities and research institutions often work on government-funded projects related to defense, energy, and healthcare, they are valuable targets for cyber espionage.

Energy sector

Another reason the energy sector is a target for APTs is that disrupting oil, gas, and electricity can have wide-reaching economic and political impacts.

Financial institutions

Financial institutions are targeted to facilitate financial gain or to destabilize economies by stealing funds, capturing personal banking information, or gaining access to financial networks (e.g., SWIFT).

Government and defense agencies

APT attacks target sensitive government and military information, including classified intelligence, defense technologies, and diplomatic communications.

Media groups

Media organizations are targeted by APTs to manipulate public perception, spy on journalists, or disrupt the flow of information.

Political organizations

APTs target political parties and election infrastructure to gather intelligence, spread disinformation, or interfere with the political process.

Private organizations

Organizations in sectors such as aerospace, manufacturing, and pharmaceuticals hold valuable intellectual property (IP) and trade secrets. APTs target these for economic gain, especially in industries critical to national security.

Technology and telecommunications companies

APTs are used to target technology and telecommunications companies because they often hold valuable intellectual property (IP), research, and technology data that can be used for economic advantage or national security purposes.

Components of an advanced persistent threat

An advanced persistent threat is differentiated by its three distinct components. Other threats may have one or two of these, but all three are required to qualify as an advanced persistent threat.

Advanced

An advanced threat is mounted by a group with the capability to:

  1. Develop exploits customized to a specific target’s environment and vulnerabilities
  2. Use publicly available exploits at scale
  3. Combine the two

The intelligence-gathering capability behind these attacks, used to research the target before and during the operation, is another aspect that makes them advanced.

Persistent

In the context of an advanced persistent threat, persistent means that the attack has a specific objective, as opposed to being driven by opportunity or part of a widely cast net. The persistent nature of these threats makes them particularly menacing, because the adversary has the support and commitment to pursue the attack until they have achieved their goal. Persistence also means that the attacker can and will commit the time needed to execute a long-term, multi-phased attack.

Threat

What makes this a threat is that it is not simply malware unleashed and left to execute without human intervention. An advanced persistent threat may use malware, but humans are directly involved in its execution, progress, and actions.

With advanced persistent threats, technology is tightly coupled with human intervention and oversight to execute sophisticated exploits and ensure that the mission is successfully accomplished.

Perpetrators have a specific objective and are skilled, motivated, organized, and well-funded. Actors are not limited to state-sponsored groups.

A brief history of advanced persistent threats

In 2005, U.K. government security authorities and the United States Computer Emergency Readiness Team (US-CERT, then a division of the Department of Homeland Security) published warnings about highly sophisticated, targeted attacks aimed at sensitive information. Cyber attacks were not new, but this level of complexity and focus on specific victims was.

The term advanced persistent threat originated from the United States Air Force in 2007, with Colonel Greg Rattray cited as the individual who coined the term.

Back in 2007, I coined the term ‘Advanced Persistent Threat’ to characterize emerging adversaries that we needed to work with the defense industrial base to deal with... Since then, both the APT term and the nature of our adversaries have evolved. What hasn’t changed is that in cyberspace, advanced attackers will persistently go after targets with assets they want, no matter the strength of defenses.

Colonel Greg Rattray, United States Air Force

Examples of advanced persistent threats

Several of the most famous advanced persistent threats include the following. Although some were identified before the term came into use, these are still considered to be examples of advanced persistent threats.

The Cuckoo’s Egg

The Cuckoo’s Egg is one of the earliest incidents cited as an advanced persistent threat. The attack on military research establishments was perpetrated by West German hackers who penetrated networked computers to steal secrets related to the Strategic Defense Initiative (SDI), nicknamed the “Star Wars” program, including classified defense data, military and research communications, and strategic research from SDI contractors.

Moonlight Maze

Moonlight Maze was a large-scale cyber espionage campaign and another early example of a nation-state APT; it was attributed to Russia. The campaign targeted U.S. government agencies, including the Department of Defense, NASA, and the Department of Energy, as well as military contractors, universities, and research labs involved in military research. The attackers infiltrated computer systems and stole vast amounts of sensitive data, including classified military information, research, and maps.

Titan Rain

Titan Rain was a series of cyber attacks that targeted U.S. government agencies, defense contractors, and private companies. Although the Chinese government denied involvement, the attacks were attributed to Chinese state-sponsored hackers.

This advanced persistent threat focused on stealing sensitive information, including military data, intellectual property, and technology secrets. The attackers infiltrated systems at organizations like Lockheed Martin, NASA, and Sandia National Laboratories, accessing critical defense-related information.

Sykipot

Sykipot was a cyber espionage campaign attributed to Chinese hackers. The Sykipot advanced persistent threat used spear phishing emails containing malicious attachments or links to infected websites, together with zero-day exploits, to gain access to secure networks.

Once inside, the attackers abused smart card authentication: a keylogger captured card PINs, and the malware used the victim’s card while it was inserted to authenticate as the card holder, bypassing the protection the cards were meant to provide. The campaign targeted U.S. defense contractors and government agencies as well as U.K. companies, stealing intellectual property.

GhostNet

GhostNet was another large-scale cyber espionage operation believed to be linked to Chinese hackers, with the Chinese government denying involvement. This advanced persistent threat campaign focused primarily on political and diplomatic institutions and compromised political, economic, and media organizations in over 100 countries, including the offices of the Dalai Lama.

GhostNet used spear phishing emails with malicious attachments that installed a Trojan horse. The Trojan executed commands from a remote command-and-control system and downloaded additional malware to take full control of the compromised system. It could also switch on the webcams and microphones of compromised machines to monitor conversations around them.

Operation Aurora

The Operation Aurora advanced persistent threat used a zero-day exploit to install a malicious Trojan horse named Hydraq to steal information. This cyber attack was also attributed to the Chinese government, though this was denied, and targeted major U.S. companies (e.g., Google, Adobe, and Intel).

The objective was to steal intellectual property, corporate data, and source code. The attackers used spear phishing to lure victims to pages that exploited a then-unpatched vulnerability in Internet Explorer, giving them a foothold inside corporate networks.

The targeted organizations did not initially publicize the attack, with Google as the exception. Google revealed the attack after discovering that the hackers had also targeted human rights activists’ Gmail accounts.

RSA Attack

The RSA advanced persistent threat attack targeted RSA Security, a leading provider of two-factor authentication solutions. The attackers, believed to be state-sponsored, sent spear phishing emails carrying a malicious Excel spreadsheet. An Adobe Flash object embedded in the spreadsheet exploited a then-unpatched (zero-day) Flash vulnerability and installed Poison Ivy, which at the time was a widely available remote access Trojan.

The Trojan gave the attackers a foothold in RSA’s network. Once inside, they stole data relating to RSA SecurID tokens, the authenticators used by numerous organizations for two-factor authentication. The breach had severe implications, because the stolen data could be used to weaken SecurID protection at RSA’s customers, including defense contractors and government agencies.

Stuxnet

Stuxnet was a groundbreaking advanced persistent threat designed to target industrial control systems (ICS), specifically the systems managing Iran’s uranium enrichment centrifuges at the Natanz facility. Widely attributed to a joint U.S.-Israeli operation, although both countries deny it, Stuxnet was engineered to sabotage Iran’s nuclear program by causing physical damage to the centrifuges while reporting normal operation to the plant’s operators.

It is one of the first known cyber attacks to cause physical damage to infrastructure. Stuxnet was also the first known malware to include a programmable logic controller (PLC) rootkit, which hid its modifications to the PLC code from engineers inspecting the controllers. Separately, the code carried a hard-coded date after which it would stop spreading to new machines.

Flame

Flame was a sophisticated advanced persistent threat that primarily targeted Middle Eastern countries and infected more than 1,000 systems in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. This APT is believed to be state-sponsored, possibly by the same actors behind Stuxnet.

Flame was designed for extensive information gathering. It spread over local networks and via USB sticks and could record audio, capture screenshots, log keystrokes, and intercept network traffic. Flame was also capable of stealing contact information from nearby Bluetooth®-enabled devices.

This APT was used to spy on government ministries, educational establishments, and individuals, with a focus on geopolitical intelligence. Flame's complexity, size, and ability to remain undetected for years made it one of the most advanced APT tools ever discovered. Its discovery highlighted the increasing use of cyber tools for espionage and intelligence gathering.

The lifecycle of an advanced persistent threat

An advanced persistent threat comprises several methodical steps that can be taken in quick sequence or spread out over a long period of time to evade detection. The following are the main execution stages of an advanced persistent threat.

Gain access or infiltration

After selecting a target, an advanced persistent threat gains entry through three primary vectors: authorized users, network resources, and web assets. The target is breached using one or more of the following approaches, sometimes accompanied by a distributed denial of service (DDoS) attack to distract defenders:

  1. Application vulnerabilities
  2. Phishing emails
  3. Spear phishing
  4. Ransomware
  5. Remote file inclusion (RFI)
  6. Social engineering
  7. SQL injection
  8. Trojans masked as legitimate software
  9. Watering hole attacks
  10. Zero-day exploits

Establish a foothold

Once a target has been breached, the attackers create a network of backdoors and tunnels that allow them to traverse systems undetected. Often, malware is designed to cover any tracks left by attackers as they move about. They also establish remote access to the network with command-and-control (CnC) servers.

Expand and escalate

After establishing a foothold, the attackers deepen their access and increase control through lateral movement, infiltrating additional servers, more sensitive segments of the network, and connected networks. Along the way they harvest credentials, for example with keyloggers or brute-force attacks against accounts, in order to obtain privileged accounts and escalate their access.

Launch attack and extract information

When the desired access has been obtained, the attackers begin the exfiltration process, which usually entails centralizing, encrypting, and compressing information to expedite extraction and avoid detection. This is not the end of the attack for most advanced persistent threats. In many cases, the threat remains hidden in the background, either waiting to stage another attack or quietly continuing to siphon off data.
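The stages above map onto behaviors that defenders can detect while the adversary is still inside. The following is an added example, not code from the original article: three small detections run over constructed telemetry (a key=value log format, user and host names, addresses and thresholds are all assumptions made for illustration). They flag the brute-force-then-success pattern and the lateral fan-out of the "expand and escalate" stage, and the bulk outbound transfer of the "extract information" stage.

```python
"""Behavioural detections for the APT lifecycle stages described above.

Added example, not part of the original article. The log format, users,
host names and addresses are constructed; the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed telemetry: authentication events and network flows, key=value per line.
SAMPLE_LOG = """\
ts=2025-03-10T09:00:01 type=auth user=svc_backup src=10.0.5.23 dst=fs01 result=fail
ts=2025-03-10T09:00:03 type=auth user=svc_backup src=10.0.5.23 dst=fs01 result=fail
ts=2025-03-10T09:00:05 type=auth user=svc_backup src=10.0.5.23 dst=fs01 result=fail
ts=2025-03-10T09:00:07 type=auth user=svc_backup src=10.0.5.23 dst=fs01 result=fail
ts=2025-03-10T09:00:09 type=auth user=svc_backup src=10.0.5.23 dst=fs01 result=fail
ts=2025-03-10T09:00:12 type=auth user=svc_backup src=10.0.5.23 dst=fs01 result=success
ts=2025-03-10T09:04:00 type=auth user=svc_backup src=10.0.5.23 dst=db02 result=success
ts=2025-03-10T09:05:30 type=auth user=svc_backup src=10.0.5.23 dst=hr-share result=success
ts=2025-03-10T09:06:10 type=auth user=svc_backup src=10.0.5.23 dst=dc01 result=success
ts=2025-03-10T09:10:00 type=auth user=jdoe src=10.0.7.4 dst=fs01 result=fail
ts=2025-03-10T09:10:20 type=auth user=jdoe src=10.0.7.4 dst=fs01 result=success
ts=2025-03-10T21:15:00 type=flow src=10.0.5.23 dst=203.0.113.7 bytes=734003200
ts=2025-03-10T21:40:00 type=flow src=10.0.7.4 dst=10.0.9.9 bytes=900000000
ts=2025-03-10T22:00:00 type=flow src=10.0.7.4 dst=198.51.100.20 bytes=1200000
"""

# Assumed internal ranges (RFC 1918); any other destination counts as egress.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(log_text):
    """Turn key=value lines into dicts, typed and sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        if "bytes" in rec:
            rec["bytes"] = int(rec["bytes"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, min_failures=5, window=timedelta(minutes=10)):
    """Expand and escalate: a success preceded by >= min_failures failures for
    the same (user, src) inside the window points to a guessed password."""
    alerts, failures = [], defaultdict(list)
    for e in events:
        if e["type"] != "auth":
            continue
        key = (e["user"], e["src"])
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if e["result"] == "fail":
            recent.append(e["ts"])
        elif len(recent) >= min_failures:
            alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                           "src": e["src"], "failures": len(recent)})
            recent = []
        failures[key] = recent
    return alerts


def detect_lateral_fanout(events, min_hosts=4, window=timedelta(minutes=15)):
    """Expand and escalate: one account logging on to many distinct hosts in a
    short window is the lateral movement that follows a foothold."""
    alerts, history, fired = [], defaultdict(list), set()
    for e in events:
        if e["type"] != "auth" or e["result"] != "success":
            continue
        hist = [(t, d) for t, d in history[e["user"]] if e["ts"] - t <= window]
        hist.append((e["ts"], e["dst"]))
        history[e["user"]] = hist
        hosts = sorted({d for _, d in hist})
        if len(hosts) >= min_hosts and e["user"] not in fired:
            fired.add(e["user"])
            alerts.append({"rule": "lateral_fanout", "user": e["user"], "hosts": hosts})
    return alerts


def detect_exfil(events, threshold_bytes=500 * 1024 * 1024):
    """Extract information: a staged, compressed archive leaves as a large
    transfer to an external address. Internal copies (staging) are skipped."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "flow" and not any(ip_address(e["dst"]) in n for n in INTERNAL_NETS):
            totals[(e["src"], e["dst"])] += e["bytes"]
    return [{"rule": "bulk_egress", "src": s, "dst": d, "bytes": b}
            for (s, d), b in totals.items() if b > threshold_bytes]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect_brute_force(evs) + detect_lateral_fanout(evs) + detect_exfil(evs):
        print(alert)
```

On the constructed data the service account svc_backup trips all three rules, while the single failed logon by jdoe and the internal copy to 10.0.9.9 do not. The thresholds are placeholders; in production they are tuned against the organization's own baseline, and the value of rules like these is that they fire during the weeks or months of dwell time, not after the data is gone.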

Mitigating advanced persistent threats

Due to the scale and complexity of advanced persistent threats, mitigation requires a multi-faceted approach that leverages most elements of an organization's security program and end users.

Among the cybersecurity and intelligence solutions that can be used to mitigate advanced persistent threats are:

  1. Access controls that employ the principle of least privilege
  2. Application and domain whitelisting
  3. Data security analytics
  4. Encryption
  5. Endpoint protection
  6. Intrusion detection
  7. Malware detection
  8. Network microsegmentation
  9. Patching network software and operating system vulnerabilities
  10. Penetration testing
  11. Technical intelligence, such as indicators of compromise (IOCs) used in concert with a security information and event manager (SIEM)
  12. Traffic monitoring
  13. Web application firewalls (WAF)
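Item 11, indicator matching fed into a SIEM, is the most mechanical of these controls and the one most often done badly, because shared indicators are usually "defanged" (hxxp, [.]) and logs record the same observable in different shapes. The following is an added example, not code from the original article: a small indicator-matching rule that normalizes a constructed IOC feed, matches it against constructed DNS, proxy, flow and endpoint records, and correlates hits per host. The feed, campaign names, domains, hashes and hosts are all made up for illustration.

```python
"""IOC matching with indicator normalization, the kind of rule run inside a SIEM.

Added example, not part of the original article. The indicator feed, hosts,
domains, hashes and log records below are all constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed intel feed: type,value,campaign. Indicators are "defanged" so they
# cannot be clicked by accident; they must be normalized before matching.
IOC_FEED = """\
# type,value,campaign
domain,update-cdn[.]example,constructed-campaign-A
url,hxxps://files.example[.]net/stage2.bin,constructed-campaign-A
ipv4,203[.]0[.]113[.]7,constructed-campaign-A
sha256,0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE,constructed-campaign-B
"""

# Constructed records from four log sources, key=value per line.
SAMPLE_RECORDS = """\
ts=2025-03-10T09:12:01 type=dns host=ws-041 query=UPDATE-CDN.example.
ts=2025-03-10T09:12:04 type=proxy host=ws-041 url=https://files.example.net/stage2.bin
ts=2025-03-10T09:13:10 type=proxy host=ws-019 url=https://www.example.org/index.html
ts=2025-03-10T09:15:00 type=flow host=ws-041 dst=203.0.113.7
ts=2025-03-10T09:15:30 type=edr host=ws-041 sha256=0badc0de0badc0de0badc0de0badc0de0badc0de0badc0de0badc0de0badc0de
ts=2025-03-10T09:20:00 type=dns host=ws-019 query=intranet.corp.example.
"""


def refang(value):
    """Undo common defanging (hxxp, [.], (.), [:]) and normalize case and
    trailing FQDN dots. Matching is deliberately case-insensitive, including
    URL paths, which trades a little precision for fewer missed hits."""
    v = value.strip().lower()
    for old, new in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http")):
        v = v.replace(old, new)
    return v.rstrip(".")


def load_iocs(feed_text):
    iocs = []
    for line in feed_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value, campaign = line.split(",", 2)
        iocs.append({"type": kind, "value": refang(value), "campaign": campaign})
    return iocs


def parse_records(text):
    return [dict(f.split("=", 1) for f in line.split()) for line in text.splitlines() if line.strip()]


def domain_hits(name, ioc_domain):
    """Exact match or a subdomain of the indicator (a.b.bad.example matches bad.example)."""
    return name == ioc_domain or name.endswith("." + ioc_domain)


def match_iocs(records, iocs):
    """Return one match per (record, indicator) pair that agrees after normalization."""
    matches = []
    for rec in records:
        # Observables the record offers, grouped by the indicator type they can match.
        observed = {"domain": set(), "url": set(), "ipv4": set(), "sha256": set()}
        if "query" in rec:
            observed["domain"].add(refang(rec["query"]))
        if "url" in rec:
            url = refang(rec["url"])
            observed["url"].add(url)
            observed["domain"].add(urlsplit(url).hostname or "")  # a URL also yields a domain
        if "dst" in rec:
            observed["ipv4"].add(rec["dst"])
        if "sha256" in rec:
            observed["sha256"].add(rec["sha256"].lower())
        for ioc in iocs:
            for value in observed.get(ioc["type"], ()):
                hit = domain_hits(value, ioc["value"]) if ioc["type"] == "domain" else value == ioc["value"]
                if hit:
                    matches.append({"host": rec["host"], "ts": rec["ts"], "type": ioc["type"],
                                    "ioc": ioc["value"], "campaign": ioc["campaign"]})
    return matches


def campaigns_by_host(matches):
    """Correlate hits per host: the pivot an analyst wants from the SIEM."""
    out = defaultdict(set)
    for m in matches:
        out[m["host"]].add(m["campaign"])
    return dict(out)


if __name__ == "__main__":
    hits = match_iocs(parse_records(SAMPLE_RECORDS), load_iocs(IOC_FEED))
    for h in hits:
        print(h)
    print(campaigns_by_host(hits))
```

On the constructed data every indicator in the feed fires on ws-041 and nothing fires on ws-019, and the per-host roll-up shows ws-041 touching two campaigns, which is the correlation step that turns isolated indicator hits into an incident. Atomic indicators like these age quickly, which is why the list above pairs them with the behavioral controls rather than relying on them alone.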

Awareness and preparation are key to an effective advanced persistent threat response

By their nature, advanced persistent threats are highly creative and effective at targeting vulnerabilities. Effective defenses against advanced persistent threats require a strong security posture and a holistic approach to security. Every possible point of entry, machine and human, must be accounted for and defended.

This attack surface is extensive, but a wealth of systems and services are available to help with the defense. However, these must be coupled with a heightened awareness of all human vectors to prevent or mitigate the potentially catastrophic outcomes of an advanced persistent threat.

Advanced persistent threat (APT) FAQ

What is the difference between APT and ATP?

APT is a type of cyber attack, whereas ATP (advanced threat protection) is a category of security solutions that help defend against APT attacks. ATP solutions offer multi-layered protection with a variety of features and functionality, including ongoing file analysis to identify hidden malware, attack surface management to map an organization’s exposure points, and continuous threat detection and prevention to mitigate the impact of zero-day attacks. Often, ATP solutions combine other security tools, such as cloud security, email security, and endpoint security.

How long do advanced persistent threats go undetected?

APTs can often remain undetected for months or even years, as the attackers aim to stealthily gather intelligence or steal sensitive data without triggering alarms.

Below are the approximate timelines for several well-known APTs, which illustrate the range of time to detection.

  • The Cuckoo’s Egg—10 months
  • Moonlight Maze—3 years
  • Titan Rain—2 years
  • Sykipot—5 years
  • GhostNet—2 years
  • Operation Aurora—6 months
  • RSA Attack—2 months
  • Stuxnet—5 years
  • Flame—5 years

Who are the biggest perpetrators of advanced persistent threats?

Nation-states or state-sponsored groups are typically the biggest perpetrators of APTs. These groups are highly skilled, well-funded, and operate with strategic goals, such as espionage, intellectual property theft, and cyber warfare. The most prominent countries known to be behind APTs include:

  • China—notable groups include APT1 (Comment Crew), APT41 (Double Dragon), Stone Panda, and Deep Panda
  • Iran—notable groups include APT33, APT34 (OilRig), APT35 (Charming Kitten), and MuddyWater
  • Israel—notable groups include Unit 8200 (Israeli Intelligence Corps)
  • North Korea—notable groups include Lazarus Group, APT37 (Reaper), and Kimsuky
  • Russia—notable groups include APT28 (Fancy Bear), APT29 (Cozy Bear), and Sandworm Team
  • United States and its allies—members of the Five Eyes intelligence alliance (U.S., U.K., Canada, Australia, and New Zealand)

Date: March 10, 2025
Reading time: 13 minutes