Right. You want to know about the digital ghosts in the machine. Don't expect a comforting bedtime story. This is the architecture of how a system, or a nation, gets quietly dismantled from the inside out. Pay attention.
An advanced persistent threat (APT) is a term people in suits use to describe a threat actor, usually a state or a group on its payroll, that slips into a computer network like a whisper and stays there. For a long, long time. They aren't there to smash and grab; they're there to live in your walls, watch you, and wait for the perfect moment to take what they want. They remain undetected for an extended period, which should tell you everything you need to know about your expensive security software. [1] [2] More recently, the label has been generously applied to non-state-sponsored groups, provided they're organized, ambitious, and conduct large-scale, targeted intrusions for goals more specific than just petty theft. [3]
The motivations are as old as time: politics and money. [4] There isn’t a major business sector that hasn’t been touched by these actors. They’ve run their hands through government secrets, defense blueprints, financial services, legal services, industrial designs, telecoms infrastructure, and even the recipes for your favorite consumer goods. [5] [6] [7] They don't just steal; they spy, and they disrupt. Some of these groups are sophisticated enough to blend the old world with the new, using classic espionage techniques like social engineering, human intelligence, and physical infiltration to get someone inside a building. Once a person is physically present, enabling a network attack becomes trivial. The ultimate goal is almost always the same: to install custom malware that becomes their eyes and ears inside your fortress. [8]
And if you think your mobile device is a safe haven, you're adorably naive. APTs targeting mobile and cloud infrastructure are a legitimate, growing concern. They can penetrate these systems to eavesdrop on your calls, steal your data, and tamper with whatever information you thought was private. [9]
The time these threats go undetected, what the industry calls "dwell-time," is embarrassingly long. A report from FireEye in 2018 pegged the median dwell-time in the Americas at 71 days. In EMEA, it was 177 days. And in the APAC region, a staggering 204 days. [5] That’s more than half a year. Imagine what someone with malicious intent and unfettered access could accomplish in that time. They can walk through every stage of their attack cycle, spread their influence across your entire network, and achieve their objectives before you even notice the door was unlocked.
Definition
The precise definition of an APT is debated by people who have too much time on their hands. It can be summarized by breaking down its name, which is, I'll admit, annoyingly descriptive.
- Advanced – This doesn't necessarily mean they're using alien technology. It means the operators have a full spectrum of intelligence-gathering techniques. This includes commercially available and open-source hacking tools, but can extend to the full intelligence apparatus of a nation-state. While some individual components, like malware made from a DIY kit, might not seem "advanced," the operators can access or develop more sophisticated tools as needed. They are methodical, combining multiple targeting methods, tools, and techniques to breach a target and maintain their foothold. What truly sets them apart is a fanatical devotion to operational security, a discipline that separates them from the common digital vandal. [3] [10] [11]
- Persistent – These actors have specific, long-term objectives. They aren't opportunists grabbing what they can. They are guided by external entities with a clear mission. This persistence manifests as continuous, patient monitoring and interaction, not a constant barrage of attacks. A "low-and-slow" approach is far more effective. If they lose access, they don't give up. They try again, and they usually succeed. One of their primary goals is to maintain access over the long haul, unlike a common criminal who just needs to get in, steal the jewels, and get out. [10] [12]
- Threat – An APT is a threat because it possesses both capability and intent. These attacks are orchestrated by coordinated, thinking human beings, not by mindless, automated code. The operators are skilled, motivated, organized, and—most importantly—well-funded. And no, they are not exclusively state-sponsored groups anymore. The line has blurred. [3] [10]
History and targets
Warnings about targeted, socially-engineered emails dropping trojans to steal sensitive information aren't new. UK and US CERT organizations were publishing advisories on this back in 2005. The method itself dates back to the early 1990s and, on its own, isn't an APT. The term "advanced persistent threat" reportedly originated within the United States Air Force in 2006, [13] with a Colonel Greg Rattray often credited as the one who coined it. [14] They needed a name for the ghost they couldn't catch.
The Stuxnet computer worm is the poster child for an APT attack. It wasn't just malware; it was a precision-guided digital weapon designed to physically sabotage the hardware in Iran's nuclear program. From the perspective of the Iranian government, the creators of Stuxnet were, without a doubt, an advanced persistent threat. [15]
In the computer security community, and now increasingly in the media, the term is almost exclusively used to describe long-term, sophisticated campaigns of computer network exploitation. The targets are predictable: governments, major corporations, and political activists. By extension, the A, P, and T attributes are ascribed to the groups behind these attacks. [16] The focus has shifted heavily to computer-based hacking simply because the frequency of these incidents is exploding. PC World reported an 81 percent jump in advanced targeted attacks from 2010 to 2011 alone. [17]
Actors in countless countries have embraced cyberspace as a cheap and effective means to gather intelligence on individuals and groups they find... interesting. [18] [19] [20] It's no secret that major world powers are in this game. The United States Cyber Command, for instance, exists to coordinate the US military's offensive and defensive cyber operations. [21]
Numerous sources have alleged, with varying degrees of subtlety, that some APT groups are either affiliated with or are direct agents of governments of sovereign states. [22] [23] [24] Any business holding a large quantity of personally identifiable information is a target. The list is long and not at all surprising: [25]
- Agriculture [26]
- Energy
- Financial institutions
- Health care
- Higher education [27]
- Manufacturing
- Technology
- Telecommunications
- Transportation
A study from Bell Canada dug deep into the anatomy of APTs and found their presence was widespread across Canadian government and critical infrastructure. The attribution pointed squarely at Chinese and Russian actors. [28]
Life cycle
The actors behind these threats pose a growing, evolving risk to an organization's financial assets, intellectual property, and reputation. [29] They follow a continuous, methodical process—a kill chain, if you like dramatic terms:
- Targeting: They select specific organizations to pursue a singular objective.
- Foothold: They attempt to gain entry. Common tactics include spear phishing emails that look legitimate enough to fool a tired employee.
- Access: They use the compromised system as a beachhead to pivot deeper into the target network.
- Deployment: They deploy additional tools to help them achieve their ultimate goal.
- Stealth: They cover their tracks meticulously to maintain access for future operations.
In 2013, Mandiant published a detailed report on alleged Chinese attacks that used the APT methodology between 2004 and 2013. [30] The life cycle they observed was a masterclass in patience:
- Initial compromise – This was often achieved through clever social engineering and spear phishing emails armed with zero-day viruses. Another favorite tactic was to compromise a website the target's employees were likely to visit and plant malware there. [31]
- Establish foothold – Once inside, they planted remote administration software, creating network backdoors and tunnels that allowed them stealthy, persistent access to the infrastructure.
- Escalate privileges – Using a combination of exploits and password cracking, they worked their way up the ladder, acquiring administrator privileges on local machines and eventually aiming for the holy grail: Windows domain administrator accounts.
- Internal reconnaissance – With elevated access, they began to map the network, collecting information on the surrounding infrastructure, trust relationships, and the Windows domain structure. They learned the network better than the people who were paid to manage it.
- Move laterally – They expanded their control, moving from one workstation to another, from server to server, harvesting data as they went.
- Maintain presence – They ensured their access was durable, securing the channels and credentials they had acquired.
- Complete mission – Finally, they exfiltrated the stolen data from the victim's network, often in small, hard-to-detect streams over a long period.
In the incidents Mandiant analyzed, the average time the attackers maintained control over a victim's network was one year. The longest was nearly five years. [30] These infiltrations were attributed to a Shanghai-based group known as Unit 61398 of the People's Liberation Army. Chinese officials, predictably, denied any involvement. [32] This wasn't the first time, of course. Earlier reports from Secdev had also discovered and implicated Chinese actors. [33]
Mitigation strategies
There are tens of millions of malware variations out there. [34] This makes protecting an organization from a dedicated APT group exceptionally challenging. Your standard defenses are built to stop a battering ram, not a ghost that can walk through walls.
APT activities are designed to be stealthy, but their command and control network traffic can sometimes be detected at the network level, though only with sophisticated methods. Sifting through deep log analyses and correlating logs from various sources is of limited use; it's like trying to find a single grain of black sand on a black beach. Traditional security technology is largely ineffective against these threats. [35]
A more effective approach is active cyber defense. This involves applying cyber threat intelligence to actively hunt for adversaries within your own network. It's a shift from building higher walls to having better guards. [36] [37] Of course, the weakest link is, and always will be, human. Human-Introduced Cyber Vulnerabilities (HICV) remain a poorly understood and poorly mitigated attack vector, which is just a clinical way of saying people will always click on things they shouldn't. [38]
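One concrete hunt of the kind described above, added here as an example and not drawn from the article or any cited report: the "low-and-slow" check-in pattern leaves a statistical fingerprint in connection logs, because an implant that calls home on a timer produces unusually regular gaps between connections. The flow records, IP addresses and thresholds below are constructed for illustration.

```python
# Added example: beacon-periodicity hunt over constructed connection logs.
# A near-fixed check-in interval shows up as a low coefficient of variation
# (stdev / mean) in the gaps between connections for one (src, dst, port) pair.
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_700_000_000  # arbitrary epoch anchor for the constructed records

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 checks in to 203.0.113.9 about once an hour with slight jitter;
# 10.0.0.7 shows ordinary, bursty browsing; 10.0.0.9 has too few events.
SAMPLE_FLOWS = [
    (BASE + off, "10.0.0.5", "203.0.113.9", 443)
    for off in (0, 3600, 7210, 10790, 14400, 18010)
] + [
    (BASE + off, "10.0.0.7", "198.51.100.20", 443)
    for off in (0, 5, 900, 905, 4000, 4003)
] + [
    (BASE + off, "10.0.0.9", "198.51.100.21", 80) for off in (100, 200)
]


def interarrival_stats(flows, min_events=4):
    """Per (src, dst, port) pair: (mean gap, population stdev of gaps)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    stats = {}
    for key, times in by_pair.items():
        if len(times) < min_events:
            continue  # too few check-ins to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats[key] = (mean(gaps), pstdev(gaps))
    return stats


def find_beacons(flows, max_cv=0.1, min_events=4):
    """Return [(pair, mean_gap_seconds, cv)] for pairs with regular check-ins."""
    hits = []
    for key, (mu, sigma) in interarrival_stats(flows, min_events).items():
        cv = sigma / mu if mu else float("inf")
        if cv <= max_cv:
            hits.append((key, round(mu), round(cv, 3)))
    # NTP, update checks and monitoring agents also run on timers, so each
    # hit is a lead for an analyst to triage against known-good destinations.
    return hits


if __name__ == "__main__":
    for pair, gap, cv in find_beacons(SAMPLE_FLOWS):
        print(f"{pair[0]} -> {pair[1]}:{pair[2]} every ~{gap}s (cv={cv})")
```

On the constructed data only the hourly check-in is flagged; the bursty browsing pair has a coefficient of variation well above the threshold and the two-event pair is skipped as too sparse to judge.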
APT groups
Here is a partial, ever-growing list of the named actors. The names are often assigned by security firms, adding a bit of theatrical flair to the whole affair.
China
See also: Cyberwarfare and China, Chinese information operations and information warfare, and Chinese intelligence activity abroad
- PLA Unit 61398 (also known as APT1)
- PLA Unit 61486 (also known as APT2)
- Buckeye (also known as APT3) [39]
- Red Apollo (also known as APT10)
- Numbered Panda (also known as APT12)
- APT15 (also known as Vixen Panda or Ke3chang) [40]
- DeputyDog (also known as APT17) [41]
- Dynamite Panda or Scandium (also known as APT18, a unit of the People's Liberation Army Navy) [42]
- Codoso Team (also known as APT19)
- Wocao (also known as APT20) [43] [44]
- APT22 (aka Suckfly) [45]
- APT26 (aka Turbine Panda) [46]
- APT 27 [47]
- PLA Unit 78020 (also known as APT30 and Naikon)
- Zirconium [48] (also known as APT31, Violet Typhoon, or the Wuhan Xiaoruizhi Science and Technology Company) [49] [50] [51]
- APT40
- Double Dragon [52] (also known as APT41, Winnti Group, Barium, or Axiom) [53] [54]
- Spamouflage (also known as Dragonbridge or Storm 1376) [55] [56]
- Hafnium [57] [58]
- LightBasin [59] [60] (Also known as UNC1945)
- Tropic Trooper [61]
- Volt Typhoon [62]
- Flax Typhoon [63]
- Charcoal Typhoon (also known as CHROMIUM) [64] [65]
- Salmon Typhoon (also known as SODIUM) [64] [65]
- Salt Typhoon (also known as GhostEmperor or FamousSparrow) [66] [67]
- Liminal Panda [68]
- MirrorFace [69]
- Mustang Panda (also known as UNC6384) [70] [71]
- UNC3886 [72]
- Phantom Taurus [73] [74]
Iran
- Charming Kitten (also known as APT35)
- Elfin Team (also known as APT33)
- Helix Kitten (also known as APT34)
- Pioneer Kitten [75]
- Remix Kitten (also known as APT39, ITG07, or Chafer) [76] [77]
North Korea
- Kimsuky (also known as APT43)
- Lazarus Group (also known as APT38)
- Ricochet Chollima (also known as APT37)
Russia
- Berserk Bear
- Cozy Bear (also known as APT29)
- Fancy Bear (also known as APT28)
- FIN7
- Gamaredon [78] (also known as Primitive Bear) [a]
- Sandworm (also known as APT44)
- Venomous Bear [81]
Turkey
- StrongPity (also known as APT-C-41 or PROMETHIUM) [82]
United States
- Equation Group [83]
Uzbekistan
- SandCat, associated with the State Security Service according to Kaspersky [84]
Vietnam
- OceanLotus (also known as APT32) [85] [86]
India
- APT-C-35 [87]
- Appin [88]
- Bahamut
- Confucius
- Hangover Group
- ModifiedElephant
- Patchwork
- SideWinder
- Scybers
- Urpage
Naming
Multiple organizations tracking these groups often assign different names to the same actor. This is because separate researchers have their own data and their own assessments, leading to a confusing and often overlapping taxonomy. Companies like CrowdStrike, Kaspersky, Mandiant, and Microsoft all maintain their own internal naming schemes. [89]
- CrowdStrike assigns animal names based on the presumed nation-state or category. Iran-based groups are "Kittens," while financially motivated cybercrime groups are "Spiders." [90] This system is so popular that other companies sometimes adopt it, as when Check Point named a group "Rampant Kitten." [91]
- Dragos prefers to name APT groups after minerals. [89]
- Mandiant uses numbered acronyms like APT, FIN, and UNC, giving us memorable names like FIN7. Proofpoint (TA) and IBM (ITG, Hive) use similar systems. [89]
- Microsoft used to use names from the periodic table, often in all caps (e.g., POTASSIUM). In April 2023, they decided that was too nerdy and switched to a weather-based schema, giving us names like "Volt Typhoon." [92]
It's all a branding exercise. A way to put a face on the faceless. Don't get too attached to the names; focus on the methods.