What Is an Advanced Persistent Threat?

Written by Coursera Staff • Updated on

Delve into the inner workings of advanced persistent threats, including ways to defend against them.


An advanced persistent threat (APT) is a concealed or disguised cyberattack. During an APT, bad actors gain unauthorized access to a network, evading detection for an extended period. The US Department of Defense coined the term “advanced persistent threat” in the early 21st century to describe cyber espionage campaigns, particularly those conducted by China against US national security interests [1]. Read on to gain a deeper insight into advanced persistent threats, including strategies to defend against them. 

Strengthening your cybersecurity expertise for career advancement? Consider earning credentials with industry leader IBM through the IT Fundamentals for Cybersecurity Specialization. In as little as one month, you can gain experience with risk management, cybersecurity frameworks, and intrusion detection systems.


What’s the motive behind an advanced persistent threat (APT)?

APTs have varied motivations, including acquiring large sums of money, compromising critical infrastructure, or accessing intellectual property. For example, state-sponsored attackers, often backed by governments, launch APTs to acquire military intelligence. On the other hand, organized crime syndicates back advanced persistent threat attacks to pursue financial profits. In essence, both rogue criminal groups and national governments orchestrate APTs. 

Characteristics of advanced persistent threats

APTs differ from conventional cyberattacks in several ways. Primarily, APTs are covert, targeted, and relentless. 

1. Covert 

Unlike typical cyberattacks, which instantly create chaos and turmoil by disrupting systems, APT actors adopt a subtler approach. They remain dormant after the initial infection to avoid raising alarms in the target network. The prolonged dormancy, lasting anywhere from a few days to several years, allows threat actors to silently observe, gather information, and execute a sophisticated, long-term attack.

2. Targeted 

APTs operate with a clear objective, armed with knowledge of a target’s security vulnerabilities. These attacks are meticulously designed to penetrate the specific defenses of the target through sophisticated, custom-made malware, among other cyber weapons. Substantial resources, including financial support, go into crafting a single attack.

3. Relentless

APTs create several entry points into a target organization's networks and systems. With multiple points of compromise, APT initiators can evade or delay incident response efforts, allowing them to maintain their foothold in the network.

What are some known attack pathways utilized in APT campaigns?

Spear phishing, rootkits, and zero-day vulnerabilities are three attack vectors commonly exploited by APTs. Let's take a closer look at each.

1. Spear phishing

Spear phishing is a focused effort to steal privileged users' credentials. A privileged user is identified after an extensive search for potential infiltration points. Keyloggers or social engineering approaches such as deceptive emails may be used in a spear-phishing attack to trick individuals into revealing their credentials.

2. Rootkits

Rootkits are stealthy malicious programs that give APT actors remote control over a target system via command-and-control servers. Often introduced through email phishing, rootkits create hidden access points within an infected system, allowing APT groups to discreetly infiltrate an organization's network.

3. Zero-day vulnerabilities

A zero-day vulnerability is an undiscovered security flaw within software applications or operating systems. Since zero-day vulnerabilities are unknown to the software manufacturer or security teams, no defense or patch is in place to mitigate the risks they pose. This lack of preparedness aids potential exploitation by APT groups.


5 stages of an advanced persistent threat

APT attacks are sophisticated breaches that weaponize advanced techniques. Their effectiveness is largely due to the multiple steps each follows to systematically gain access to sensitive information. A successful APT attack unfolds in a series of five stages: 

1. Securing access

APT attacks begin by creating multiple access points into a target network. Attackers may secure these access points through privileged user credentials, phishing emails, and zero-day vulnerabilities, among other attack vectors. 

2. Infiltration 

After gaining initial access, attackers establish remote access to the compromised system(s) through malicious software. They also set up an outbound connection from the target network to their command-and-control servers to control the compromised system(s). At this point, attackers may use custom-developed malware to maintain and hide their covert presence within the targeted network.

3. Lateral movement

Attackers use brute-force attacks and other network vulnerabilities to extend their control over the target network and to identify and access sensitive systems. They then set up backdoors and tunnels for lateral movement within the network and for transferring data as needed.

4. Initiating the attack

Upon broadening their foothold, APT attackers identify valuable data they intend to exploit and move it to a secure location within the network. The data may undergo encryption and compression to facilitate easy transfer during the exfiltration phase.

5. Data exfiltration 

Exfiltration marks the last stage of an advanced persistent threat. During this stage, attackers extract the sensitive data from a target network's compromised system(s) using tunneling techniques or encrypted channels. If the exfiltration goes unnoticed, attackers might linger within the network and await opportunities for subsequent attacks.

Infamous APT groups

The following are examples of some prominent state-sponsored APT groups. The presumed end goals of all three—APT29, APT14, and APT35—are data theft and cyber espionage.

1. Cozy Bear (APT29) 

The APT29 group, Cozy Bear, leverages social media and cloud storage sites to transmit commands and exfiltrate data from compromised networks. These commands are typically concealed within images with encrypted data.

2. Anchor Panda (APT14)

The APT14 group, Anchor Panda, uses a customized Simple Mail Transfer Protocol (SMTP) mailer tool for dispatching spear-phishing messages. The messages are artfully crafted to give the impression of being sent from trustworthy organizations.

3. Phosphorus and Newscaster Team (APT35)

The APT35 group primarily relies on spear-phishing to compromise an organization’s critical systems. The group is also known for utilizing compromised accounts and credentials obtained from prior successful attacks.

How to identify an advanced persistent threat?

Being aware of the warning signs of APTs can help you keep your data secure or stop an attack before it goes too far. Here are some indicators of an advanced persistent threat:

1. Unusual data activity 

Suspicious connections to external devices, unusual data transfers between them, or any atypical increases in data traffic across your network are indicators of an APT attack. Remember, APT attackers identify and move target data and assets to a specific location before transferring them to an external server for future use.

2. Dubious files 

Look for peculiar data files in your system. These unusual data files can indicate a sophisticated and organized attempt to exfiltrate sensitive information from your network.

3. Irregular logins

A noticeable uptick in uncommon logins can be a telltale sign of an APT attack. These logins frequently occur at unconventional hours, possibly due to attackers operating in different time zones. 
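As an added example, not code from the original article, the Python below runs two of the indicators just described, logins at unusual hours and atypical outbound data volumes, over a few constructed log lines. The log format, the business-hours window, and the per-host egress baselines are assumptions made for the example; the point is that either signal alone has benign explanations, while the same user showing both is what an analyst should escalate.

```python
"""Added example, not from the original article: flag two APT indicators the
article lists, logins at unusual hours and atypical outbound data volumes, in
a handful of constructed log lines. The log format, business hours, and
per-host baselines are assumptions made for the example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs, assumed format: "<ISO timestamp> <user> <host> <event> <value>".
# "egress" values are megabytes sent to external destinations in that interval.
SAMPLE_LOGS = """\
2025-03-10T09:12:44 alice ws-12 login ok
2025-03-10T13:40:02 alice ws-12 egress 120
2025-03-10T02:17:31 bob ws-07 login ok
2025-03-10T02:25:10 bob ws-07 egress 3800
2025-03-11T03:05:55 bob ws-07 login ok
2025-03-11T10:30:00 carol ws-03 egress 90
"""

BUSINESS_HOURS = range(8, 19)                                     # assumption: 08:00-18:59 is normal
BASELINE_EGRESS_MB = {"ws-12": 150, "ws-07": 200, "ws-03": 100}  # constructed per-host baselines
DEFAULT_BASELINE_MB = 100                                         # hosts with no learned baseline
EGRESS_MULTIPLIER = 5                                             # assumption: >5x baseline is worth a look


def parse_line(line):
    """Split one log line into a record; raises ValueError on malformed input."""
    ts, user, host, event, value = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "event": event, "value": value}


def find_indicators(log_text):
    """Return (indicator, user, host, timestamp) tuples for each suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["event"] == "login" and rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_login", rec["user"], rec["host"], rec["ts"]))
        elif rec["event"] == "egress":
            sent_mb = int(rec["value"])
            baseline = BASELINE_EGRESS_MB.get(rec["host"], DEFAULT_BASELINE_MB)
            if sent_mb > EGRESS_MULTIPLIER * baseline:
                findings.append(("large_egress", rec["user"], rec["host"], rec["ts"]))
    return findings


def correlated_users(findings):
    """Users showing both indicators. Either signal alone has benign explanations;
    together they match the staging-then-exfiltration pattern the article describes."""
    kinds_by_user = defaultdict(set)
    for kind, user, _host, _ts in findings:
        kinds_by_user[user].add(kind)
    return {u for u, kinds in kinds_by_user.items()
            if {"off_hours_login", "large_egress"} <= kinds}


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOGS)
    for kind, user, host, ts in hits:
        print(f"{ts.isoformat()} {kind:16} user={user} host={host}")
    print("escalate:", sorted(correlated_users(hits)))
```

In the constructed data only `bob` trips both rules (two logins around 2-3 a.m. and a 3800 MB transfer against a 200 MB baseline), so he is the only user the correlation step escalates; `alice` and `carol` stay within their baselines and business hours. In practice the baselines would be learned per host from historical traffic rather than hard-coded.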

Deepen your understanding of cybersecurity with IBM’s Introduction to Cybersecurity Tools and Cyber Attacks course, available on Coursera. Intended for beginners, this course is designed to help you comprehend the types and motives of modern-day cyberattacks. Upon completion, gain a shareable certificate to include in your resume, CV, or LinkedIn profile.


How to protect against advanced persistent threats?

Along with recognizing the signs of APTs, you can also take proactive measures to help prevent them. Below are some tactics to strengthen your defenses against APTs:

1. Whitelisting

Use whitelisting to designate a specific set of applications or domains as trusted. Your network then permits only traffic originating from the applications and domains on your list, lowering the risk of infiltration by APT groups.

2. Vulnerability scanning 

Keep your software up-to-date by applying patches as soon as vulnerabilities are identified. Furthermore, performing routine vulnerability scans can aid in identifying potential weaknesses before malicious actors can exploit them.

3. Multi-factor authentication 

Incorporating two-factor or multi-factor authentication introduces an extra layer of security, drastically reducing the likelihood of credential theft.
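As an added example, not code from the original article, the Python below shows the whitelisting tactic (item 1 above) in both forms the article names: a domain allowlist for outbound destinations and a hash allowlist for executables. The domains, the stand-in binary, and the connection records are constructed for the example, and the label-boundary matching rule is an assumption, not any product's implementation.

```python
"""Added example, not from the original article: an allowlist ("whitelist")
check for outbound destinations and for executables, the two uses the article
names. The domains, file bytes and connection records are constructed for the
example; the matching rule is an assumption, not a product's implementation."""
import hashlib

# Constructed allowlist of domains the organization has approved for outbound traffic.
ALLOWED_DOMAINS = {"example.com", "updates.example-vendor.net"}


def domain_allowed(host, allowed=ALLOWED_DOMAINS):
    """True if host is an allowlisted domain or a subdomain of one.

    The check compares only suffixes that start at a label boundary ('.'),
    so 'notexample.com' does not match 'example.com', and neither does
    'example.com.lookalike.test', where the trusted name is merely a prefix."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowed for i in range(len(labels)))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for an approved executable; a real allowlist holds the
# hashes of the binaries the organization has vetted.
APPROVED_BINARY = b"#!/bin/sh\necho approved tool\n"
ALLOWED_HASHES = {sha256_hex(APPROVED_BINARY)}


def binary_allowed(data, allowed=ALLOWED_HASHES):
    """Hash-based application allowlisting: any changed byte (a trojaned copy)
    changes the hash, so only the vetted build is permitted to run."""
    return sha256_hex(data) in allowed


# Constructed (source host, destination) connection records.
SAMPLE_CONNECTIONS = [
    ("ws-12", "api.example.com"),
    ("ws-12", "example.com.lookalike.test"),
    ("ws-07", "notexample.com"),
    ("ws-07", "updates.example-vendor.net"),
]


def filter_connections(events, allowed=ALLOWED_DOMAINS):
    """Split records into (permitted, denied); the denied list is what an analyst reviews."""
    permitted, denied = [], []
    for src, dst in events:
        (permitted if domain_allowed(dst, allowed) else denied).append((src, dst))
    return permitted, denied


if __name__ == "__main__":
    permitted, denied = filter_connections(SAMPLE_CONNECTIONS)
    print("permitted:", permitted)
    print("denied:   ", denied)
    print("approved binary runs:", binary_allowed(APPROVED_BINARY))
    print("modified copy runs:  ", binary_allowed(APPROVED_BINARY + b"\n# tampered"))
```

The two lookalike destinations in the constructed records are denied even though both contain the trusted string `example.com`, which is the mistake a naive substring or suffix check would make. The same default-deny posture applies to the binary check: anything not explicitly hashed into the list is refused, rather than anything known-bad being blocked.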

Build your cybersecurity expertise with Coursera.

Launch your career in cybersecurity with IBM's Cybersecurity Analyst Professional Certificate. In as little as four months, you'll learn to manage database vulnerabilities, perform penetration testing, and conduct forensics.


Or, get started with the online course Introduction to Cybersecurity Tools & Cyberattacks to learn how to recognize different threat actors and malware, plus enact preventative measures.


Article sources

  1. Britannica. “Advanced persistent threat,” https://www.britannica.com/topic/advanced-persistent-threat. Accessed March 14, 2025.
