What is an APT?
An Advanced Persistent Threat (APT) is a sophisticated cyber threat in which an attacker stealthily intrudes into a target network, maintains long-term access to the infrastructure inside it, and exfiltrates crucial information. The main goals of APTs are espionage, hacktivism, financial gain, or destruction. In this blog, you will learn about the life cycle of an APT, how an APT attack works, and some examples of notorious APT groups.
The attackers behind APTs typically operate as groups with specific common goals and a shared understanding, which they pursue through a coordinated "slow and steady" approach that is often successful. APT groups have both the capability and the will to cause catastrophic damage to organizations. The operators behind APTs are usually expert, motivated, methodical, and experienced cybercriminals with strong financial backing and access to a wide range of intelligence-gathering techniques. Government, defense, crypto mining, banking, financial services, legal services, industrial, telecoms, consumer products, and a variety of other industries have been among the victims of APT attacks in recent times.
The European Union Agency for Cybersecurity (ENISA), in its joint publication “Boosting Your Organization’s Cyber Resilience”, mentioned that “In its Threat Landscape Report Volume 1, CERT-EU, the CERT of all the EU institutions, bodies, and agencies (EUIBAs), reported the number of attacks conducted by Advanced Persistent Threats (APTs) against EUIBAs increased by 60% in 2020 compared to 2019. These attacks further increased by 30% in 2021, bringing the total number of significant incidents experienced by EUIBAs to 17, up from only 1 in 2018.” APTs are considered the most severe cyber threats to any company, since it is challenging to detect their presence inside the network. APT groups generally prefer long-term access to the target network/machine in order to carry out a more specific mission.
How does an APT Attack Work?
An APT attack employs a variety of tactics and attack methodologies. However, a typical APT attack comprises three broad phases: Infiltration, Persistence & Lateral Movement, and Execution.
Infiltration:
The infiltration phase is the phase of an APT attack in which the attacker leverages every available tool and technique to gain access to the target organization’s network or hosts. Every APT group employs a unique strategy to defeat the target's defenses. However, in most APT attacks, the perpetrators first identify the critical public-facing resources of the target firm. They then employ various information-gathering techniques to identify potential vulnerabilities in the network, website, or other target resources through which access can be obtained. Attackers also leverage information obtained from the internet and social media to identify potential victims for social engineering attacks, including spear-phishing, to gain access to the victim’s internal network. Many APTs increasingly exploit zero-day vulnerabilities in unpatched systems. APT operators use a variety of attack tactics to obtain initial access to the target network, including:
· Zero-day Exploits
· Social Engineering Techniques
· Spear Phishing Campaigns
· Remote File Inclusion (RFI)
· SQL Injection
· Cross-Site Scripting (XSS)
· Domain Name System (DNS) Tunnelling attacks
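The last item on the list, DNS tunnelling, is one of the few initial-access techniques in this list that leaves a very characteristic trace in ordinary DNS logs: many distinct, long, high-entropy subdomains under one registrable domain, often with TXT or NULL record types. The script below is an added example (not code from the original post or from NetSecurity) of that detection logic run over a constructed sample log. The four-field log format, the `tunnel-example.net` name, the "last two labels" domain approximation and the numeric thresholds are all assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log for illustration (not from the original post).
# Assumed line format: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 A mail.example.com
2024-01-01T10:00:03 10.0.0.7 TXT 3a7f9c2e1b4d6a8f0e2c4b6d8a1f3e5c.tunnel-example.net
2024-01-01T10:00:04 10.0.0.7 TXT 9e1d3c5b7a9f2e4d6c8b0a1f3e5d7c9b.tunnel-example.net
2024-01-01T10:00:05 10.0.0.7 TXT 5c7e9a1b3d5f7a9c1e3b5d7f9a2c4e6b.tunnel-example.net
2024-01-01T10:00:06 10.0.0.7 TXT 2b4d6f8a0c2e4a6c8e0b2d4f6a8c0e2d.tunnel-example.net
2024-01-01T10:00:07 10.0.0.7 TXT 7a9c1e3b5d7f9a1c3e5b7d9f1a3c5e7b.tunnel-example.net
2024-01-01T10:00:08 10.0.0.9 A cdn.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Assumption: a production detector would use the Public Suffix List instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str) -> list:
    """Parse the assumed four-field log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client,
                        "qtype": qtype.upper(), "qname": qname.lower()})
    return records


def find_tunnel_candidates(text: str, min_distinct: int = 3,
                           min_label_len: int = 20, min_entropy: float = 3.0) -> list:
    """Flag registrable domains whose leftmost labels look like encoded payload:
    many distinct subdomains that are long and high-entropy. The thresholds are
    assumed starting points and should be tuned against local traffic."""
    by_domain = defaultdict(list)
    for rec in parse_dns_log(text):
        by_domain[registered_domain(rec["qname"])].append(rec)

    candidates = []
    for domain, recs in by_domain.items():
        leftmost = {r["qname"].split(".")[0] for r in recs}
        if len(leftmost) < min_distinct:
            continue
        avg_len = sum(len(lbl) for lbl in leftmost) / len(leftmost)
        avg_ent = sum(shannon_entropy(lbl) for lbl in leftmost) / len(leftmost)
        if avg_len < min_label_len or avg_ent < min_entropy:
            continue
        # A TXT/NULL-heavy query mix is a supporting signal: reported, not required.
        txt_ratio = sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs)
        candidates.append({
            "domain": domain,
            "client_ips": sorted({r["client"] for r in recs}),
            "distinct_subdomains": len(leftmost),
            "avg_label_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "txt_ratio": round(txt_ratio, 2),
        })
    candidates.sort(key=lambda c: (-c["avg_entropy"], c["domain"]))
    return candidates


if __name__ == "__main__":
    for cand in find_tunnel_candidates(SAMPLE_DNS_LOG):
        print(cand)
```

On the sample, only `tunnel-example.net` is reported, queried from a single client with five distinct 32-character labels; `example.com` has two short, low-entropy subdomains and never reaches the distinct-subdomain threshold. Content-delivery and anti-virus signature lookups also produce long, varied labels, so in practice the client list and the TXT ratio are what an analyst uses to triage the hits.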
Persistence & Lateral Movement:
Attackers try to expand their control within the network after gaining initial access. In this stage, attackers deploy malware such as backdoors to stealthily compromise other network hosts and gather critical/sensitive internal information, including asset details, usernames, account privileges, passwords, etc. Deploying custom malware is crucial for any APT, as it allows the intruders to maintain access while remaining undetected. APTs often create additional entry points to ensure that the attack can continue even if one compromised point is found and closed.
At this stage, the perpetrator has reliable, long-term network access. While security controls remain unaware of the threat, the intruder can begin completing the intended attack objective. If the goal is to steal data, attackers encrypt it and store it in bundles on a network segment with very little activity.
Execution:
After expanding their footprint inside the target network and gathering the crucial information, APTs execute their intended objectives in this stage. These objectives range from exfiltration or destruction of sensitive data, blocking access for authorized personnel, disrupting the entire network, financial exploitation, and public shaming and sabotage of the business, to using compromised hosts as bots for DDoS attacks. Attackers are always extremely cautious while performing the activities at this stage. To exfiltrate sensitive data, attackers first gather and stage all of the collected information in one place and then distract the security team by launching large-scale Distributed Denial of Service (DDoS) attacks. Amid the chaos, while the cyber security personnel are busy defending against the DDoS attacks, the attackers quietly exfiltrate the collected sensitive data to their own cloud infrastructure. The intention and motive of the APT attack are revealed in the execution phase.
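The staging behaviour described in the last two paragraphs (encrypted bundles parked on a quiet segment, then pushed out while the SOC is busy with a DDoS) has a defensive counterpart that does not depend on noticing the distraction: baseline each internal host's own outbound volume and alert when a normally quiet host suddenly sends far more than its history. The script below is an added example (not code from the original post or from NetSecurity) that runs that check over constructed flow records. The five-field flow format, the `10.` internal prefix, the hourly bucketing, and the `factor`/`min_bytes` thresholds are assumptions for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumption: internal address space for this illustration; a real deployment
# would load its own RFC 1918 / site ranges instead of a single prefix.
INTERNAL_PREFIXES = ("10.",)

# Constructed sample flow records (not from the original post).
# Assumed line format: "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
# 10.0.9.12 is a quiet host that suddenly pushes ~55 MB to one external address;
# 10.0.1.20 is a busy host with a steady ~5 MB/hour that should not alert.
SAMPLE_FLOWS = """\
2024-01-01T09:05:00 10.0.9.12 203.0.113.10 443 1400
2024-01-01T09:10:00 10.0.1.20 203.0.113.10 443 5000000
2024-01-01T10:12:00 10.0.9.12 203.0.113.10 443 1100
2024-01-01T10:10:00 10.0.1.20 203.0.113.10 443 5200000
2024-01-01T11:30:00 10.0.9.12 203.0.113.10 443 1300
2024-01-01T11:10:00 10.0.1.20 203.0.113.10 443 4900000
2024-01-01T12:01:00 10.0.9.12 198.51.100.77 443 26000000
2024-01-01T12:02:00 10.0.9.12 10.0.9.40 445 80000000
2024-01-01T12:07:00 10.0.9.12 198.51.100.77 443 29000000
2024-01-01T12:10:00 10.0.1.20 203.0.113.10 443 5100000
"""


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def parse_flows(text: str) -> list:
    """Parse the assumed five-field flow format; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def hourly_egress(flows: list) -> dict:
    """host -> hour bucket -> {"bytes": total, "dsts": {dst: bytes}}, counting
    internal-to-external flows only; east-west traffic (e.g. SMB staging) is
    left to a separate lateral-movement rule."""
    egress = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "dsts": defaultdict(int)}))
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        hour = f["ts"][:13]  # "YYYY-MM-DDTHH"
        bucket = egress[f["src"]][hour]
        bucket["bytes"] += f["bytes"]
        bucket["dsts"][f["dst"]] += f["bytes"]
    return egress


def find_exfil_anomalies(text: str, factor: float = 10.0,
                         min_bytes: int = 10_000_000, min_history: int = 2) -> list:
    """Alert when a host's hourly egress exceeds both `factor` times the median
    of its own earlier hours and the absolute floor `min_bytes`. The floor stops
    a quiet host alerting on a tiny absolute change; the per-host median stops
    a normally busy host alerting at all."""
    alerts = []
    for host, hours in hourly_egress(parse_flows(text)).items():
        ordered = sorted(hours)
        for i, hour in enumerate(ordered):
            history = [hours[h]["bytes"] for h in ordered[:i]]
            if len(history) < min_history:
                continue  # not enough of the host's own history to baseline yet
            baseline = median(history)
            total = hours[hour]["bytes"]
            if total >= min_bytes and total >= factor * baseline:
                top_dst = max(hours[hour]["dsts"].items(), key=lambda kv: kv[1])[0]
                alerts.append({"host": host, "hour": hour, "bytes": total,
                               "baseline": baseline, "top_dst": top_dst})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_anomalies(SAMPLE_FLOWS):
        print(alert)
```

Because the rule is computed per internal host on outbound bytes only, inbound DDoS noise during the same hour does not affect it, and the alert carries the destination that received most of the data, which is the first thing a responder needs for blocking and for scoping what left the network. In a real deployment the baseline window would be days rather than a few hours, and the quiet-segment hosts the text mentions are exactly the ones for which `min_bytes` should be set low.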
Examples of Advanced Persistent Threats (APTs)
Here are some examples of notorious APTs/APT groups of recent times:
“APT19 is a Chinese-based threat group that has targeted a variety of industries including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign targeted seven law and investment firms. Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open-source information if the groups are the same.” - MITRE ATT&CK ID [G0073]
“APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.” - MITRE ATT&CK ID [G0007]
“APT29 is a threat group attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015. In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.” - MITRE ATT&CK ID [G0016]
“APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries and foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.” - MITRE ATT&CK ID [G0050]
How to Defend Against Advanced Persistent Threats (APTs)?
Advanced Persistent Threat (APT) attacks are increasing at a tremendous pace. It is extremely difficult and time-consuming for organizations to detect and respond to these APTs using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.
Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) security solution, in action? Click the button below to request a free demo of NetSecurity’s ThreatResponder platform.
The page's content shall be deemed as proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content "as is" or "modified" shall be considered illegal subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).