APT stands for 'Advanced Persistent Threat', and it's really important to know what these are and how you can prevent them from infiltrating your network.
This guide will look at the ins and outs of APTs, why they're so dangerous, and what effects they can have if they compromise your cybersecurity defenses.
What is an APT?
As mentioned just above, the acronym stands for 'Advanced Persistent Threat'. This is a general term applied to hacker-driven malware attacks that go on to maintain a presence on a network for an extended period of time, usually in order to mine extremely sensitive data.
APTs are calculated assaults usually directed towards large corporations or organizations responsible for housing a lot of sensitive information, often planned months or even years in advance with extensive research on the target network and the company or institution using it.
The scale of such an operation, as well as the information that can be obtained, means that APTs are at the very least state-sponsored and in some cases even carried out by a wing of a given government, be that covertly or explicitly.
What sort of data do APTs retrieve?
APT attacks sometimes target specific reams of data that hold great political, economic and social importance. These pointed APT attacks may be instigated by groups wanting to obtain patents, algorithms or trade secrets – like how a state-of-the-art weapon is designed, or the exact location of a missile silo.
However, it might be a simple desire to obtain all the data on a given system – hacking into a government's servers and retrieving all their staff's personal information would constitute a very dangerous breach, for example.
Some APTs try to achieve the complete opposite, and look to delete files en masse to disrupt or destroy the ability of the target organisation to function as it would have prior to the attack. In political terms, APTs present a golden opportunity for regimes to put their enemies on the back foot whilst retaining plausible deniability.
Isn't this the same as standard malware?
Not quite. APTs are a different animal altogether. They're much, much more complex than any malware one might run into in the wild. APTs are specifically designed to attack government and corporate networks secured by the toughest intruder prevention systems ever developed.
Standard malware, on the other hand, will usually be created and disseminated with unsuspecting, computer illiterate targets in mind. Many victims of run-of-the-mill malware attacks won't even have basic virus protection installed on their computer.
Another important distinction rests in the 'persistence' of APTs – standard malware often helps hackers or scammers secure what they came for and run, whereas APTs are designed to retrieve information from a network over an ongoing period of time. It could be weeks, months or years.
How do they get into secure networks?
Although spear-phishing, whaling and various other 'click the link' methods are the most commonly used, APT attacks have been instigated using:
- Remote file inclusion.
- SQL injections/other code injection techniques.
- DNS tunnelling.
- Social engineering strategies.
- Advanced utilisation of zero-day exploits or system weaknesses.
- Infection via physical malware.
Examples of known APTs
The most recent examples of Advanced Persistent Threats can be attributed to North Korea and Russian organizations heavily linked to their state machinery.
Last November, Microsoft confirmed that more than one group of hackers tried to steal vaccine secrets from a string of companies in France, Canada, India, the USA and South Korea running clinical trials. They found that the infamous Russian espionage group Fancy Bear – which UK cybersecurity firms determine is sponsored by the Russian Government – were behind some of these attacks.
Other Kremlin-linked cyber-espionage groups like Cozy Bear have successfully infiltrated networks owned and used by the Democratic National Committee, The State Department and The White House in recent years. One such APT remained undetected for almost a year in the DNC's system.
The Lazarus group (also known as Zinc) from North Korea – about which very little is known – was also identified as a perpetrator of the vaccine theft attempt. A group that Microsoft calls Cerium, also thought to be from North Korea, was the third entity that attempted to steal data. More recently, hackers from the hermit kingdom have been accused of trying to break into vaccine developer Pfizer's systems.
A slightly older example is Stuxnet, a worm used to take down Iran's nuclear programme by destroying the centrifuges that enrich uranium. It is widely considered to have been created by US and Israeli intelligence agencies for this exact purpose. It then spiraled out of control and started infecting computers outside of Iran's nuclear facility, something which is thought to have happened after Israel modified the code. Now-president Joe Biden, at the time, was said to be incensed by this.
How APT attacks take place: step-by-step
- Infiltration – The target network is infiltrated using some sort of common malware strategy, like phishing. Cerium did this by posing as the WHO.
- Consolidation – The software tries to find further vulnerabilities in the system and set up network backdoors so if the security hole it snuck through is closed, the attack can continue.
- Permeation – Slowly, the malware will deepen its access to different parts of the network, moving up the chain of command until the devices of the most senior, most protected individuals are compromised and administrator rights are gained.
- Continuation – The malware will then continue to work its way round the rest of the network, wreaking as much havoc and collecting as much information as possible, which the threat actors will stash within the network until they are ready to move it.
- Withdrawal – A decoy DDoS attack may be actioned to distract security personnel as the desired data is deleted, corrupted, or exfiltrated out of the network. The attack is complete. Depending on the nature of the attack, some APTs may persist indefinitely, whilst others will purposefully leave no trace of their presence.
Recognizing that a network has been infected
As we've covered, APTs are designed to be incredibly hard to spot and difficult to deal with. Network backdoors the malware may have created may be numerous and quite obscured from view.
Obviously, if you cannot find reams of sensitive information – either it's suddenly disappeared or has been moved to a different, unusual place within the network – start looking into whether you're inadvertently housing an APT pronto. Similarly, large files being compressed and staged for export should set alarm bells ringing.
Another sign is strange logins at unusual times of the day, particularly outside of work hours. If you're a system or network administrator, you should be able to monitor all devices attempting to log into your network. Suspicious login times – or just way more logins than you'd expect relative to your network size – should both prompt further investigation.
Another telltale sign is the presence of Trojans and the sorts of smaller pieces of malware associated with a larger attack. Standard security tools may pick these up without properly identifying the much larger, more pernicious threat lurking in the background.
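The two login signals described above – logins outside working hours, and far more logins for an account than its own history would predict – are simple enough to check mechanically. The script below is an added example, not code from the original article or from any vendor it mentions: it runs over a handful of constructed log lines in an invented format (timestamp, username, source address, result) and flags off-hours logins, per-user daily login spikes against that user's other days, and logins from an address never seen for that user before. The office hours and the service-account allowlist are assumptions you would tune for your own environment; real sources such as Windows event 4624 or Linux auth.log need their own parser, but the checks are the same.

```python
"""Spot the login anomalies an APT hunt looks for, over a constructed sample log.

Added example, not part of the original article. The log format is invented
for the demonstration: ISO-8601 timestamp, username, source IP, result.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system). Addresses in
# 203.0.113.0/24 are documentation addresses, used here as an "external" source.
SAMPLE_LOG = """\
2021-03-01T09:02:11 alice 10.0.0.12 ok
2021-03-01T09:05:43 bob 10.0.0.15 ok
2021-03-01T13:15:02 alice 10.0.0.12 ok
2021-03-01T17:40:19 carol 10.0.0.21 ok
2021-03-02T02:13:55 carol 203.0.113.7 ok
2021-03-02T02:14:20 carol 203.0.113.7 ok
2021-03-02T02:15:03 carol 203.0.113.7 ok
2021-03-02T03:27:48 svc-backup 10.0.0.40 ok
2021-03-02T09:01:30 bob 10.0.0.15 ok
2021-03-02T09:03:12 alice 10.0.0.12 ok
"""

WORK_START, WORK_END = 8, 18                # assumed office hours, 08:00-18:00 local
KNOWN_OFF_HOURS_ACCOUNTS = {"svc-backup"}   # assumed scheduled service account


def parse_log(text):
    """Parse the constructed format into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, src, result = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"when": when, "user": user, "src": src, "result": result})
    return sorted(events, key=lambda e: e["when"])


def off_hours_logins(events):
    """Successful logins outside office hours by accounts not expected to be active then."""
    return [e for e in events
            if e["result"] == "ok"
            and not (WORK_START <= e["when"].hour < WORK_END)
            and e["user"] not in KNOWN_OFF_HOURS_ACCOUNTS]


def login_volume_spikes(events, factor=2.0):
    """Users whose successful logins on one day exceed `factor` times the mean of their other days.

    Accounts seen on only one day have no baseline and are skipped.
    Returns {user: (date, count)}.
    """
    per_user_day = defaultdict(Counter)
    for e in events:
        if e["result"] == "ok":
            per_user_day[e["user"]][e["when"].date()] += 1
    spikes = {}
    for user, days in per_user_day.items():
        if len(days) < 2:
            continue
        total = sum(days.values())
        for day, count in days.items():
            baseline = (total - count) / (len(days) - 1)
            if count > factor * baseline:
                spikes[user] = (day, count)
    return spikes


def new_source_addresses(events):
    """(user, src) pairs where a user logs in from an address not previously seen for them.

    The first address observed for each user is treated as the baseline, so only
    later, previously unseen addresses are reported, each once.
    """
    seen = defaultdict(set)
    flagged = []
    for e in events:
        if e["result"] != "ok":
            continue
        if seen[e["user"]] and e["src"] not in seen[e["user"]]:
            flagged.append((e["user"], e["src"]))
        seen[e["user"]].add(e["src"])
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in off_hours_logins(evts):
        print("off-hours login:", e["when"], e["user"], e["src"])
    for user, (day, count) in login_volume_spikes(evts).items():
        print("login spike:", user, day, count)
    for user, src in new_source_addresses(evts):
        print("new source address:", user, src)
```

On the sample data all three checks converge on the same account, which is the point: a single off-hours login is easy to explain away, but the same user also logging in far more often than usual and from an address never seen before is the kind of correlated picture that warrants the investigation the article calls for.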
What you should do if you discover an APT
If you find an APT on your system or network, there are a few (non-ordered) steps you'll need to take to rid yourself of the malware and in turn the APT:
- Try to ascertain the attacker's main objectives.
- Shut down or close off the infected endpoints.
- Attempt to remove the malware present in the network.
- Disable all remote access to the network.
- Revoke the admin privileges of hacked or compromised accounts.
- Instigate a password reset across the entire network.
- Restore your infected drives from a remote backup.
- Inform the people whose data has been compromised.
- Collect images, data and records of and about the attack.
How to prevent APT attacks
The first principle of protecting yourself against an APT attack is making sure that the individuals using your network have sufficient threat-detection training and understand what they're looking for when it comes to threats.
Remember, the malware has to find some sort of initial way into the system, which will likely be through an unsuspecting network user clicking some sort of phishing link in an email or other electronic correspondence. This is how most APTs start. Therefore, regularly updating staff on the increased sophistication of phishing emails and reminding them to stay vigilant will go a long way to mitigating the chance of one of them clicking a dodgy link and bringing your whole system down.
The second would be to make sure all your system software is up to date. After all, the APT actors will be attempting to exploit some sort of vulnerability in your network – so why give them the opportunity? The most up-to-date systems include the most up-to-date security patches.
General network monitoring is another must, as it can help you spot backdoors being opened and suspicious admin activity, and essentially record all other types of suspicious behavior. Alongside this, regular password changes and login monitoring are vital, as is only installing applications from a whitelist.
If you really think your business may be an imminent target, it might also be advisable to set up an incident response team and playbook.
Firewalls are often dubbed useless against APTs but can prove useful if installed internally on a network to make it more difficult for the threat actors to move around. Operating on a principle of least privilege – that users on a network should only have access to the bare minimum they need to complete their job – represents another pre-emptive step that could limit the damage caused by an APT if your network is attacked. External firewalls surrounding the network may also identify application-layer attacks and fire off various other warning signs.