What are advanced persistent threats (APT) and how can you steer clear of them?

Kamile Viezelyte
Cybersecurity Content Writer
Advanced Persistent Threats

Cyberattacks are not all one-and-done deals. Some cybercriminals prefer to play the long game – they lurk and gather information over time before dealing the massive final blow. Advanced persistent threats (APT), our topic today, are exactly such long ploys – they’re used to infiltrate a device and slowly collect its most sensitive data.

Falling victim to prolonged attack campaigns can be detrimental to a business, so it’s crucial to know the most effective defenses against them. Let’s look at how advanced persistent threats work, how they differ from other cyberattacks, and what you can do to keep your company safe.

Advanced persistent threat lifecycle

Unlike malware, phishing emails, or other dangers lurking online, an advanced persistent threat isn’t a single tool or action. The term describes a series of processes that include the infiltration and extraction of sensitive information from a device or a system. Its scale means that catching advanced persistent threats is a delicate process, and they may go unnoticed until it’s too late.

Given the intricate nature of APTs and the complexity of their execution, these tactics are usually used by more experienced cybercriminals. Governments, law firms, and financial institutions are particularly popular targets as they handle highly valuable confidential data. The attackers tend to go after classified personal and financial information, intellectual property, patents, and other data that may be used for blackmail or ransom. Motives behind APTs include espionage and cyber warfare.

Advanced persistent threats require a lot of preparations ahead of the true strike. The attackers must first establish their targets and research them thoroughly, learning both about the organization’s internal structure and the employees. The preparation stage helps find the target’s weak links, such as poor password policies, insufficient on-site security, or outdated software use.

Once the background information is gathered, testing begins. The attackers want to ensure they enter and leave the system with the stolen data unnoticed, and they must go through trial and error to succeed. This thorough preparation makes advanced persistent threats stand out as some of the most sophisticated attacks, requiring expert teams to dismantle them and prevent or undo the damages. The execution itself consists of three advanced persistent threat steps.

Once the background work is done and the test runs have succeeded, cybercriminals initiate the first stage of the lifecycle – infiltration. Depending on the nature of the attack, they can infiltrate the system in different ways. Phishing to acquire employees' login credentials is a common strategy, as is using malicious email attachments that infect the system once downloaded and opened. Regardless of the actual strategy, the goal is to breach the defense systems and weaken the security measures in place.

As soon as the hackers have established their presence in the now-infected system, it’s time for them to settle in and spread their roots. This step is usually known as escalation – a crucial stage for gathering intel and inching to the much-desired data. As they escalate, cybercriminals will acquire employee credentials, override security protocols, and establish backdoors to enter and exit the systems unnoticed, even if their key operation is compromised. They can attempt to reuse the backdoors in the future after evolving their tactics and striking the system again.

With the jackpot uncovered and the valuable data gathered, attackers can start the final phase of their operation – extraction. The backdoors from step two can be advantageous here, as the goal is to exfiltrate all the stolen information undetected. The biggest challenge here is distracting any uncompromised security systems. To achieve this, cybercriminals may rely on code obfuscation – creating a code that’s difficult for humans and computers to understand and disassemble – or distributed denial of service (DDoS) attacks.

How do APTs differ from other threats?

The hint is in the name here – advanced persistent threats aren’t crafted like viruses you can easily quarantine. Instead, they’re deeply hidden in the system, quietly combining several threats that would be a challenge to contain on their own to maximize the damage. They’re not quite the “mother of all threats,” but they’re certainly close – especially for small-scale companies that can be eroded from within by tactics that APT attackers employ.

Advanced persistent threats combine the worst that cyber criminals have to offer, all packaged into one – Trojan viruses infiltrating the systems, denial of service attacks to distract the security team, and mass phishing campaigns to get hold of as many login credentials as possible. One such attack could cause irreparable harm to a company, while the whole package is a destructive force. Worst of all, the amount of work put into every stage of the APT lifecycle means they’re difficult to detect, and the damage is harder to undo.

What tactics are employed in an APT attack?

As we’ve established, the process of setting up and executing is complex and multifaceted. Different stages of the process employ different tactics to optimize the potential retrieval of data and exploit as many blind spots as possible. The goal is to simultaneously overwhelm the system’s security measures and pass through them undetected. Common tactics used during an advanced persistent threat attack include:

  • Phishing. Social engineering techniques reign supreme even in the most sophisticated schemes, so it’s unsurprising that phishing is employed in APT attacks. In this instance, spear phishing is the popular choice – this type of attack targets a specific person to access sensitive information required to get inside the system.

  • Credential theft. This tactic often goes hand in hand with phishing attempts. The goal is to overtake as many login credentials within the organization as possible to maximize the possible theft scale.

  • DoS and DDoS attacks. These two types of denial-of-service attacks are used as a distraction technique. By overwhelming the server traffic with artificial requests, attackers distract the security team and can sneak deeper into the system undetected.

  • Zero-day exploits. Zero-day vulnerabilities are bugs or other weaknesses in a system that have been noticed by an attacker but haven’t been patched yet. This strategy is a gambit for hackers because it requires a fast pace to execute. If executed in time, it can be used for espionage or extraction.

  • Trojans. Coopting their name from the ancient Greek myth, Trojan viruses pretend to be legitimate apps and, upon being opened, attack your system from within. They may be used to weaken the defensive systems, create backdoors, or grant remote control of the infected device.

  • Code obfuscation. This is the process of creating a program that uses code so complicated neither people nor computers can effectively read or decipher it. This tactic helps cybercriminals escape the system in the final stages of an APT attack undetected, as the security tools are too preoccupied with the impossible code.

Advanced Persistent Threat examples

Some of the biggest advanced persistent threats were years-long projects, attesting to the complexity of such attacks. Some APT groups have been around for over a decade, targeting high-profile subjects and companies, often in politically charged schemes. Many such groups are considered state-sponsored, while others may form on their own volition.

One of the oldest named attacks is Titan Rain, which started in 2003 and lasted several years. While the attacks that targeted the computer systems of various US-based organizations originated in China, the specific group was never identified or named. Nevertheless, the APT space is associated with a few notorious groups associated with cyber espionage, warfare, and hacktivism.

The APT group names that you see in the news are rarely official. Unlike other cybercrime groups that may pick a moniker, APT groups are identified and named by cybersecurity and cyberintelligence agencies. Therefore, you may see the same group referred to by a different name. For example, Microsoft’s naming taxonomy assigns climate terms based on the presumed region of the attack, whereas CrowdStrike uses animal names, i.e., “Typhoon” and “Panda” for China or “Sandstorm” and “Kitten” for Iran, respectively.

Fancy Bear (Forest Blizzard, APT28)

Fancy Bear is a Russian-based cyber espionage group. Although it wasn’t officially identified until 2014, it’s been engaged in advanced persistent threat attacks since at least 2007. The primary exploitation used by APT28 is zero-day vulnerabilities. Over the years, the group has been associated with Russian military intelligence and has been part of active cyber warfare following Russia’s invasion of Ukraine in 2022. They’ve also notably targeted the German parliament in a six-month APT in 2014 and interfered in presidential elections in France and the US.

Lazarus (Diamond Sleet, APT38)

Lazarus is an allegedly North Korean cyber warfare group. Its earliest confirmed APT attack, Operation Troy, dates back to 2009 and lasted until 2012. The group targeted the South Korean government with a stream of DDoS attacks. In recent years, Lazarus gained more notoriety for attacks against cryptocurrency exchanges, digital casinos, and traditional financial institutions.

Helix Kitten (Hazel Sandstorm, APT34)

Helix Kitten is assumed to be an Iranian cybercriminal group. It has a history of targeting financial and telecommunications industries, particularly in the Middle East, and relies heavily on social engineering techniques in its attacks. Its targets often overlap with those hit by Refined Kitten, another APT group assumed to be from Iran. However, it’s unclear whether the two groups work in tandem.

APT security measures

Preparing defenses against advanced persistent threats requires businesses to think ahead and stay on top of the most recent breach strategies. In some instances, an organization may only start working on its security measures after the infiltration phase of the attack, meaning that its reaction has to be quick and rely on robust tools to prevent broach escalation.

Here are some of the tools and tactics that your advanced persistent threat defense system should include:

  • Routine software updates and patches – due to the prominence of zero-day exploits, it’s crucial to keep your software up-to-date to close any potential vulnerabilities.

  • Secure private networks – unencrypted networks open up gateways for cybercriminals to sneak in. Ensure your organization uses encrypted network access, like NordLayer, to secure your company resources.

  • Web Application Firewalls (WAF) – firewalls help protect your web servers from potential infiltration attempts by monitoring web traffic in your organization, detecting suspicious activity, and blocking threats.

  • Breach and Attack Simulations (BAS) – running simulations helps ensure your security team is ready to tackle an incoming threat. It also ensures your tools are up-to-date and ready to handle robust cybercriminal tactics.

  • Live monitoring – it’s simpler to open a backdoor passage when the security team isn’t looking. Ensure that your company is always monitoring inbound and outbound network traffic to detect and block suspicious and malicious activity instantly.

  • Centralized password policies – password exploits help cybercriminals access organization accounts and, by extension, their jackpot – sensitive data and resources. By enforcing a password policy in your organization, you can ensure that everyone follows the protocol and uses strong login credentials. The policies can also account for potential data breaches and help reset affected accounts faster.

  • Employee training – to account for the human error factor, all employees should be aware of and stick to correct cybersecurity practices. Ensure your teams have regular online security training and follow the company guidelines.

How can NordPass help you stay protected?

Perhaps the scariest thing about advanced persistent threats is their ability to infiltrate a system undetected. This simply means that you need to reinforce your first line of defense to prevent cybercriminals from breaching your systems in the first place. Even if you suspect you’re under attack, you can work on reinforcing your APT cybersecurity protection.

You may have noticed a trend already – many APT attacks involve social engineering techniques and rely on human error to succeed in the early stages. This makes protective measures surprisingly easy – implementing a secure password management system in your organization can be a life-changer.

The NordPass Enterprise password manager lets you set up a robust company-wide password policy, ensuring everyone adheres to the highest security standards. The Enterprise plan is compatible with major identity authentication services, enabling secure and instant single sign-on (SSO) access. If you suspect any malicious activity from within, you can easily revoke access to sensitive information or reassign it to a different employee. If you suspect that your sensitive data has been compromised, you can use the Data Breach Scanner to track your company credentials, domains, and credit card information.

Get in touch with our team to learn more about how NordPass Enterprise helps your organization stay secure in the face of advanced persistent threats.

Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.