The Advanced Persistent Threat (APT)

If you spend much time reading about cybersecurity, it is common to come across the term Advanced Persistent Threat, or APT. Sometimes the term is applied to cyberattacks, while at other times it is applied to cybercrime groups identified by a number (e.g., APT41).

The term may seem self-explanatory, but it’s worth exploring what it means and why it may be applied to groups with a number.

What Is an APT?

In broad terms, an APT describes a sophisticated, complex, well-researched cyberattack by nation-states or organized crime groups. The intent is either to steal data or to keep a system under surveillance over a long period of time.

The threat is called advanced because it takes skill and resources to properly plan, design, and execute a cyberattack that goes undetected and allows attackers long-term access to systems. While ordinary phishing attempts are considered opportunistic in nature, APT attacks are highly targeted, methodical attacks that typically map to the stages of the Cyber Kill Chain defined by Lockheed Martin.

It's called a persistent threat because of the long-term time frames involved. The attackers persist on your systems rather than conducting a smash-and-grab attack. Typically, the attackers have a specific goal in mind.

APTs were traditionally associated with nation-state groups intent on stealing defense, government, and industrial secrets for political or corporate espionage. However, organized crime groups are increasingly using APT techniques. Organized criminals have financial motives; they want to steal intellectual property (IP) or data that they can monetize by selling it to a third party.

Many groups, nation-state or cybercrime, employ highly skilled individuals whose sole job is to hack into specific organizations. Once they get access, they set about their duties for their employer or sponsor. They begin planting code to disrupt operations or manufacturing (as was the case with Stuxnet and the Iranian nuclear laboratory hack), accessing secret, classified, or confidential information (as was the case with the German hack and an attempted hack on the Australian parliament), stealing industrial or defense secrets (as was the case with the Naval Warfare Center hack), or planting backdoors that allow them access at a later date.

The groups and people behind APT attacks are often identified but almost never arrested, as threat actors from another country very rarely step onto U.S. soil. It is practically guaranteed that they will get away with their attacks. That is why they keep on attacking: there are few or no consequences for their actions.

Of course, this does not mean they want to be detected. Detection would undo all of their hard work infiltrating businesses and governments. The best APT groups prefer to hack into IT systems and networks and operate under the security team’s radar. They usually avoid making any noise through log events, error messages, or disruption to service.

Notorious APT Groups

Cybersecurity groups in the U.S. private and governmental sectors track APT groups and their activity. Here are three of the most prominent ones, their codenames, and their origin. Codenames are often created by the organizations that first began to track the groups, although some groups name themselves before they are assigned an APT number or other codename.

APT1 (Comment Crew)

Suspected of being a cyber espionage division working for the People's Liberation Army in the General Staff Department of the Chinese government, they are known by their military designator, Unit 61398, and carry the distinction of being one of the first APT groups to be tracked. They were active, attacking over 140 institutions, between 2004 and 2010. In 2014 five members of the Comment Crew were indicted by the U.S. Department of Justice for the theft of confidential information and intellectual property from U.S. businesses.

APT17 (Deputy Dog)

APT17, a cyberespionage group, targets and conducts intrusions on the networks of private and public organizations around the world. They are believed to be linked to, or employed through, businesses and an officer of the Ministry of State Security, China's civilian spy agency. A white hat group of anonymous cybersecurity analysts named Intrusion Truth unmasked the identities (known as doxing) of two members and the officer in 2019. APT17 has been associated with the 2018 breach of Marriott International, in which the PII of 500 million hotel customers was exposed.

APT29 (Cozy Bear)

APT29 is suspected of being directly attributable to the Russian Foreign Intelligence Service. This group targets government, energy and healthcare organizations in search of intelligence that can greatly benefit the Russian government. This APT group, along with APT28 (aka Fancy Bear), was accused of the 2015 hack of the Democratic National Committee. Very recently, they were accused by the U.S., British and Canadian governments of using spear-phishing campaigns to pilfer intelligence on COVID-19 vaccines.

As mentioned earlier, APT groups are advanced in that they prefer to craft custom malware for their work rather than rely on known vulnerabilities for which countermeasures may already exist. That way, if their actions are detected, it is more difficult for security teams to determine that it is an APT attack rather than the usual hacker or known malware they can already recognize.

But how do you detect a silent, unknown threat?

Detecting Advanced Persistent Threats

Because they can be so proficient and stealthy, APT groups at work can be hard to detect. Their tactics, techniques and procedures differ from those of the everyday cybercrime hacker, and they leave behind different kinds of footprints. But there are telltale signs to watch for that can indicate an APT attack is underway against your business.

Unexpected Data Flow

Large, unscheduled data flows from internal systems to an external (or other internal) system can be an indicator of compromise (IOC) caused by data exfiltration. This is becoming harder to detect because many data flows are concealed inside a VPN or encrypted with HTTPS. For this reason, many organizations automatically block unapproved HTTPS traffic and use deep packet inspection to examine the traffic they do allow.

If an organization isn't doing this, it will likely miss data being exfiltrated. To spot this sign, you need to know what your existing data flows look like and develop a baseline against which unexpected data flows stand out.

Hidden Backdoors

After hacking you, APT attackers love to install backdoors into your systems to give them privileged access whenever they want to get back in. They do this because they like to retain access to systems as long as they can so they can continue to gather data and intelligence on an organization.

System backdoors are the fourth-most common detected threat. Malware that installs backdoors into systems has been found in everything from pirated software to music CDs. The best way to detect a backdoor your security software misses is to watch network traffic for spikes. Use a firewall to monitor inbound and outbound data flows between applications for unusual traffic, which could indicate attackers leveraging a backdoor to access your systems.

Spike in After Hours Activity

A sure sign something is wrong is lots of after-hours activity on systems while the regular team of employees is at home asleep. Because many attackers live on the far side of the world, they will often log in at unusual times. If you see any out-of-hours activity across networks, secure systems, and privileged access data stores, investigate further.

It is surprising how many attackers keep normal working hours in their own local time zone. They sometimes do this because they know fewer people will be around to notice them, but this activity will show up in your logs unless the attackers have privileged access to those logs and delete their tracks.
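The two checks described above, a data-flow baseline and an after-hours activity review, as an added example that is not part of the original article. The log format, the 08:00-17:59 Monday-to-Friday business hours, the five-day baseline window and the 4x-median threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log: "timestamp,user,host,dest_ip,bytes_out" (not real data).
SAMPLE_LOG = """\
2024-03-04T09:12:00,jsmith,fs01,203.0.113.9,12000000
2024-03-05T10:03:00,jsmith,fs01,203.0.113.9,11500000
2024-03-06T09:40:00,jsmith,fs01,203.0.113.9,13000000
2024-03-07T11:20:00,jsmith,fs01,203.0.113.9,12500000
2024-03-08T09:55:00,jsmith,fs01,203.0.113.9,11800000
2024-03-09T02:17:00,svc_backup,fs01,198.51.100.7,640000000
2024-03-11T03:05:00,jsmith,fs01,198.51.100.7,9000000
"""

BUSINESS_HOURS = range(8, 18)  # assumed policy: 08:00-17:59, Monday-Friday

def parse(log_text):
    """Turn the constructed CSV lines into dicts with a parsed timestamp."""
    rows = []
    for line in log_text.splitlines():
        ts, user, host, dest, size = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "host": host, "dest": dest, "bytes": int(size)})
    return rows

def after_hours(rows):
    """Activity on a weekend or outside business hours deserves a second look."""
    return [r for r in rows
            if r["ts"].weekday() >= 5 or r["ts"].hour not in BUSINESS_HOURS]

def data_flow_outliers(rows, baseline_days=5, factor=4):
    """Baseline = median outbound bytes per host over the first N calendar days;
    later transfers larger than factor * median are flagged as unexpected flows."""
    cutoff = min(r["ts"].date() for r in rows) + timedelta(days=baseline_days)
    per_host = defaultdict(list)
    for r in rows:
        if r["ts"].date() < cutoff:
            per_host[r["host"]].append(r["bytes"])
    # Hosts with no baseline are skipped: there is nothing to compare against.
    return [r for r in rows
            if r["ts"].date() >= cutoff and r["host"] in per_host
            and r["bytes"] > factor * median(per_host[r["host"]])]

def apt_indicators(log_text, baseline_days=5):
    """Run both checks and return the flagged rows for an analyst to triage."""
    rows = parse(log_text)
    return {"after_hours": after_hours(rows),
            "data_flow": data_flow_outliers(rows, baseline_days)}

if __name__ == "__main__":
    for kind, hits in apt_indicators(SAMPLE_LOG).items():
        for r in hits:
            print(kind, r["ts"].isoformat(), r["user"], r["host"], r["bytes"])
```

On the sample, the 640 MB transfer at 02:17 on a Saturday trips both checks, while the small Monday 03:05 transfer is flagged only as after-hours activity.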

Spear Phishing

Another telltale sign is a well-researched spear-phishing attack against senior executives or employees that uses information the attackers could only have gleaned from access to your systems or from research on social media and the internet.

For example, they may send a malware-laden document attachment to a CEO with text that makes it look and feel like a regular communication from a member of their team about a project they are working on. The goal is to get the executive to open the attachment, which deploys malware onto their system. If employees are tricked by such emails, start checking for the other signs identified above; it could indicate an APT attacker dwelling in the system.
