What is an Advanced Persistent Threat (APT)?
An advanced persistent threat (APT) is a cyberattack in which the threat actors gain unauthorized access to a network or system with the intention that they remain undetected for a prolonged period of time. This allows them to monitor activity, exfiltrate documents, and maintain surveillance for as long as they want.
Maintaining the deception, avoiding detection, and monitoring the compromised system requires significant dedication, human resources, and possibly custom malware. Custom malware may also be used to compromise the target system in the initial phase of the attack. This indicates the very high level of technical capability these threat actors possess.
They also have sufficient manpower to maintain an active APT.
Who is Behind APT Attacks?
Traditionally, state-sponsored hacking groups and collectives were the only organizations capable of mounting an APT. Many of these organizations are known to exist. Through careful attribution based on digital fingerprinting and other intelligence techniques, many of the APT attacks have been identified as originating from the same culprits again and again. These are known as APT groups.
However, it is not unknown for suitably sophisticated cyber groups, backed by organized crime groups, to perpetrate APT attacks. There have been suspicions, too, that large, technical organizations have been coerced into performing APT attacks on behalf of their mother state.
APT Target Types
A worrying development in APT attacks has seen infrastructures such as power stations, communications, hospitals, financial institutions, chemical plants, electronics companies, manufacturing, aerospace, automotive, and healthcare targeted.
These attacks do not attempt to gather intelligence; they try to take over and remotely control the compromised infrastructure and run it in such a way as to cause it to fail. The motive for an APT can be financial, political, or industrial espionage, and in some cases can also be classed as cyber warfare.
To attack infrastructure in this way requires the threat actors to obtain access to the programmable logic controllers (PLCs), which control the actuators that, in turn, regulate the processes within an enrichment plant, a water purification plant, or another critical target. Because the PLCs are all network-addressable, compromising the main network gives the threat actors access to these devices.
Camouflaging Attacks
Sometimes APTs can launch attacks at a much wider target than a single network, organization, or infrastructure installation. An attack attributed to Sandworm, an APT with affiliations to the Russian military, was aimed at any company in Ukraine that used MeDoc accounting software – which was most of them.
The 2017 attack was a fake ransomware attack, using malware called NotPetya. It operated just like regular ransomware, but the encrypted data could not be decrypted. There was no unique ID for each network, and the decryption code was purposefully flawed.
It was actually a massive attack designed to destroy data and cripple operational capability in as many Ukrainian companies as possible, disguised as a regular malware attack. These types of attacks are rare, but it does show that you don’t need to be a military, infrastructure, or otherwise significant target to be caught in the crossfire of cyber warfare.
Once malware is released into the wild, it is very difficult to control. NotPetya is still claiming victims – including outside of Ukraine. Norsk Hydro was hit by NotPetya in late 2019, with estimated losses running to USD 40 million.
Run Silent, Run Deep
APT hackers are very highly skilled and have all the resources they need provided to them. Because the majority of them are engaged in state-sponsored activities, they are immune to arrest. The United States, the United Kingdom, Iran, Iraq, Israel, Russia, China, North Korea, and Vietnam all have extremely cyber-capable offensive and defensive intelligence wings. Note, offensive as well as defensive.
The crux of most APT attacks is remaining undetected. This is the very opposite of an attack such as a ransomware attack, where you know you’ve been compromised because a message tells you that you’ve been hit and you need to pay a ransom. A successful APT hacker exploits a vulnerability to gain access to your system. They retrieve the information they need, or they plant subtle, behind-the-scenes malware such as rootkits and keyloggers. With that part of the mission completed, they slip quietly out again. But they now have the ability to return – undetected – whenever they want.
An APT attack is often run with a light-touch strategy. The attackers can afford to take their time. They can operate in a way that doesn’t generate a lot of curious or suspicious events in the system logs or cause unusual types of network traffic.
To gain access to your network, APTs use exploits for well-known vulnerabilities or, more rarely, for vulnerabilities they have discovered themselves. Although most APTs can write custom code to exploit vulnerabilities, where they can, they use known methods and recognized techniques. They prefer these methods because, if they are detected, known techniques make attribution of the attack much harder.
They may also use malware delivered by email as the first phase of infiltration.
Warning Signs to Watch For
Because of the long-term nature of APT attacks, the threat actors will go to extraordinary lengths to remain undetected. The following are some indicators that should prompt a careful examination of your servers and network.
Administrator Log-ins at Strange Times
APT attacks can spread rapidly from the initial compromised computer to their actual target systems. The target computers are usually those with the most sensitive and protected data on them, requiring the user to have elevated or administrative-type privileges. To obtain these privileges, the threat actors use any one of the privilege escalation techniques available to them.
One way is to extract authentication tables from the memory of the compromised server and crack them offline on the threat actors’ computers. They can then select a suitably privileged account to access the restricted information or to create a covert, privileged account they will then use for that purpose.
Because APT groups are likely to be in a different time zone than you are – or literally on the other side of the world – you might see administrator log-ins at strange times.
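As an added illustration of this indicator (example code, not part of the original article), the following Python snippet scans constructed authentication-log lines and flags successful logins by privileged accounts outside local business hours or at weekends. The log format, the set of privileged account names, and the 08:00–18:00 working window are assumptions for the example.

```python
from datetime import datetime

# Constructed sample auth-log lines (not real data).
# Format assumed for this example: ISO timestamp, user, event, source IP
SAMPLE_AUTH_LOG = """\
2024-03-11T09:12:04 alice login_ok 10.0.0.15
2024-03-11T14:30:51 svc_backup login_ok 10.0.0.20
2024-03-12T03:17:22 administrator login_ok 10.0.0.99
2024-03-12T11:05:40 bob login_ok 10.0.0.16
2024-03-16T02:48:13 domain_admin login_ok 10.0.0.99
2024-03-13T10:00:00 administrator login_fail 10.0.0.15
"""

# Privileged accounts; in practice this set comes from the directory (assumption here)
PRIVILEGED = {"administrator", "domain_admin", "root"}
WORK_START, WORK_END = 8, 18   # local business hours: 08:00 inclusive to 18:00 exclusive


def parse_line(line):
    """Split one log line into (timestamp, user, event, source)."""
    ts, user, event, src = line.split()
    return datetime.fromisoformat(ts), user, event, src


def is_off_hours(ts):
    """True on weekends (Sat=5, Sun=6) or outside the working window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def flag_offhours_admin_logins(log_text):
    """Return successful privileged logins that happened at unusual times."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, src = parse_line(raw)
        if event == "login_ok" and user in PRIVILEGED and is_off_hours(ts):
            hits.append({"time": ts.isoformat(), "user": user, "src": src})
    return hits


if __name__ == "__main__":
    for hit in flag_offhours_admin_logins(SAMPLE_AUTH_LOG):
        print("off-hours privileged login:", hit)
```

In a real deployment the window would be per-account (service accounts legitimately run at night) and the alert would be enriched with the source address's history, but the core check is the one shown.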
Rootkits, Trojans, and Backdoor Malware
The APT threat actors often install rootkits or other backdoor malware to ensure they can always regain access even if the user accounts they are using are disabled.
Trojans deployed through email phishing attacks account for most initial compromises. Scan regularly for all types of malware.
Unexpected Data Transmissions
Watch out for large, unexpected movements of data either internally or externally. Also, look for sudden drops in available disk space. It is common for threat actors to consolidate all the information they wish to exfiltrate into a single massive compressed file.
That means making copies of the original data and placing them in a single location, then creating the compressed file. This will lead to a sudden drop in disk space, probably measured in the order of gigabytes. Also, be wary of compressed files in formats your organization may not normally use, like “.RAR” and “.7z” archives.
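To show how the two signals in this section can be turned into a check, here is an added Python example (not code from the original article) that looks for a sudden drop in free disk space and for large archives in formats the organization does not normally use, and then correlates the two per host. The hourly free-space samples, the file-creation events, and the thresholds are constructed assumptions.

```python
# Constructed sample telemetry (not real data). Two feeds are assumed:
#  1) hourly free-disk samples per host, in GB
#  2) file-creation events as (host, path, size_in_bytes)
DISK_FREE_GB = {
    "fileserver01": [512, 511, 510, 509, 471, 470],   # ~38 GB vanishes in one hour
    "web01":        [120, 119, 119, 118, 118, 117],   # slow, normal churn
}
FILE_EVENTS = [
    ("fileserver01", "C:\\ProgramData\\tmp\\upd.rar", 36 * 1024**3),
    ("fileserver01", "C:\\Users\\alice\\report.zip", 5 * 1024**2),
    ("web01",        "/var/log/httpd/access.log", 2 * 1024**2),
    ("web01",        "/tmp/.cache/a.7z", 900 * 1024**2),
]

DROP_THRESHOLD_GB = 10                  # drop between consecutive samples worth a look
UNUSUAL_ARCHIVE_EXT = (".rar", ".7z")   # formats assumed not to be in normal use here
LARGE_ARCHIVE_BYTES = 500 * 1024**2     # ignore small archives


def flag_disk_drops(samples, threshold_gb=DROP_THRESHOLD_GB):
    """Return (host, sample_index, drop_gb) for every sudden drop above threshold."""
    hits = []
    for host, series in samples.items():
        for i in range(1, len(series)):
            drop = series[i - 1] - series[i]
            if drop >= threshold_gb:
                hits.append((host, i, drop))
    return hits


def flag_unusual_archives(events, exts=UNUSUAL_ARCHIVE_EXT, min_bytes=LARGE_ARCHIVE_BYTES):
    """Return (host, path, size) for large archives in the unusual formats."""
    return [(h, p, s) for h, p, s in events
            if p.lower().endswith(exts) and s >= min_bytes]


def staging_hosts(samples, events):
    """Hosts showing both signals at once: the strongest staging indicator."""
    drop_hosts = {h for h, _, _ in flag_disk_drops(samples)}
    archive_hosts = {h for h, _, _ in flag_unusual_archives(events)}
    return sorted(drop_hosts & archive_hosts)


if __name__ == "__main__":
    print("disk drops:", flag_disk_drops(DISK_FREE_GB))
    print("unusual archives:", flag_unusual_archives(FILE_EVENTS))
    print("likely staging hosts:", staging_hosts(DISK_FREE_GB, FILE_EVENTS))
```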
Will an APT Group Ever Target You?
APT groups usually target military, political, and critical infrastructure installations, so it would be extremely unlikely that an APT group would attack a typical business enterprise.
But it can and does happen. If you are in the supply chain to the actual target they want to compromise, but that target is too tightly protected, they may infect you with malware that won’t trigger until it senses it is on the end target’s network. The idea is that you may unwittingly infect the actual target by visiting them with an infected laptop, or through email or other communication paths.
And, as we have seen, it is easy to get caught up as collateral damage in a disguised attack. Some APT attacks, such as NotPetya, have been mounted against any susceptible organization as well as the real target, to mask the actual intent of the attack.