What are Advanced Persistent Threats (APT attacks)?
An Advanced Persistent Threat (APT) is a multi-staged attack carried out by skilled and well-organised threat actors such as organised cybercrime syndicates and nation-state actors. Despite the name, the individual techniques involved are rarely novel.
More often than not, "Advanced Persistent Threat" is a fancy name with a great deal of media frenzy around it. The underlying weaknesses that these threat actors exploit are the same ones that penetration testing organisations report in day-to-day penetration testing and security assessment projects: unpatched software, weak or reused credentials, phishing-prone users and misconfigured systems.
Understanding Advanced Persistent Threats
From lone cybercriminals pulling off simple scams to organised threat actor groups seeking financial gain, the world has watched cyber crime mature. In the late 2000s the term Advanced Persistent Threat (APT) came into use for the most alarming class of these threats; the nature of the threat is in the name: advanced, and persistent. The cyber security world is now constantly on its toes, racing to keep up with the adversaries behind them.
As an enterprise, understanding the nature of APTs is crucial to your cyber security defence. APT groups use sophisticated and stealthy infiltration techniques, and their goal is to maintain access to a network for as long as possible without being detected.
This piece will look at advanced persistent threats, their attributes, APT groups, and how to prevent attacks from APTs.
Advanced Persistent Threats
We can consider advanced persistent threats through two different lenses: the attack and the perpetrators.
As an attack, an APT is a
sophisticated and covert cyber-attack launched at a specific organisation to gain unauthorised access to its networks.
APTs steal sensitive data, disrupt systems or destroy infrastructure. The attacks are sustained over an extended period of time, carried out by highly skilled operators, and designed to evade anti-malware software and intrusion detection systems.
Usually, APT targets include:
- Government agencies holding sensitive data
- Universities, colleges, research programmes
- Critical infrastructure organisations
- Large enterprises, corporates and start-ups
As perpetrators, APTs are
coordinated threat actor teams, often with links to nation-states and goals that serve those states' interests. These APT groups create well-thought-out plans that target specific industries, governments and individuals to access sensitive data and systems.
APTs typically achieve this through clandestine attacks against privileged users within a network. Once inside the environment, they expand their operations across it, all while keeping a low profile to avoid detection and retain access.
Most often, APT actors are state-sponsored groups. However, in recent times, they could also be backed by non-state groups with specific goals.
Advanced quality of techniques of APTs
APTs are distinguished by the quality of the techniques they use and the consistency of their attacks. Organisations that have suffered an APT attack must remain on guard afterwards: the attack can recur, persistent backdoors are often left in the systems to keep a channel open, and the attackers may know of weaknesses that the organisation has still not addressed and that offer a way back in.
APT groups typically have political or economic motives. They are known to target governments and major industry sectors, so healthcare, telecommunications, defence, financial, high tech and media organisations are constantly targeted. Government institutions and security bodies are also high-value targets. The way APTs operate maps closely onto the cyber kill-chain methodology (reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives).
Stealth defines an APT. Still fresh in our memories, the SolarWinds supply-chain attack is an excellent example: a trojanised update of the Orion IT management platform went unnoticed for roughly nine months, and the threat actors used it to reach the networks of US government agencies and large corporations.
Advanced persistent threat attacks compromise their victims’ systems over an extended period, doing everything to remain undetected by security programmes.
Some APT intrusions are reported to have gone undetected for as long as five years.
The life cycle of an APT
We can separate an APT lifecycle into 4 broad stages of the hacking process: background survey, infiltration, establishing foothold and data exfiltration.
1. Conduct background survey
APT attacks are well thought out campaigns that take a lot of time to plan – possibly months. The recon process reflects their slow and steady nature before infiltration attempts.
Attackers invest time in researching their targets. Like a lion on a hunt, they study their victim, the victim’s environment and effective attack points. They also look out for potential chinks in their target’s armour in the first stage.
Some advanced persistent threat groups are known for zero-day attacks, identifying previously unknown vulnerabilities in software the target relies on and building an exploit tailored to that environment. This is the exception rather than the rule: most initial access still comes through known, unpatched vulnerabilities and phishing.
APT actors develop advanced vectors to deploy in their attack. When targeting a corporation, APTs typically zone in on an official with privileged access as the point of entry.
2. Infiltration
In the second stage, advanced persistent threats use social engineering techniques such as spear-phishing emails, or plant malware on compromised websites the target visits, to gain initial access.
Once successful, attackers install custom malware in the system. This malware enables them to create backdoors and tunnels through which they move around the network undetected.
3. Establishing foothold
To secure access and expand their reach within the system, attackers escalate their privileges in the third stage. They use techniques such as brute-forcing passwords, creating new users and exploiting system misconfigurations to obtain administrative privileges.
Once they achieve this, attackers gain largely unchecked control over the network, which lets them reach more sensitive data. They move laterally to other servers and databases in the network while working to remain undetected.
4. Data exfiltration
Having gained unhindered access to the system, in the fourth stage, attackers study the network, understanding how it functions and noting any additional vulnerabilities. They move laterally through the organisation’s network, amassing and stealing data at access points within the system.
The threat actors also strengthen their hold on the environment by collecting stolen credentials that guarantee continued access to the network. They then exfiltrate the amassed data from the organisation's network while erasing their tracks. Some APT groups go as far as destroying network infrastructure, all in a bid to escape detection.
Once they achieve the objective, attackers can either remain within a system with stealth or exit it. When they leave, they usually keep backdoors open for future access.
Attributes of Advanced Persistent Threat APT
Below, we will list and explain the significant, specific traits to recognise and understand APTs. These features will better prepare organisations against a potential APT attack.
1. Premeditated attack
APT attacks don't 'just happen'. When advanced persistent threat actors gain access to a system, they already know what they want to access, destroy or steal.
APT actors will keep hitting a system until it is compromised and their objective is achieved. These attacks have blueprints and detailed processes, and they target specific people for specific purposes.
2. Long-term presence
Advanced persistent threat actors work to remain in a network for a long time. They are not opportunistic, one-time players. They create opportunities for themselves with custom malware and, occasionally, zero-day exploits precisely because they want to retain access to your system.
They use these long, unchecked periods of access and activity to study the network environment, learn how it works, discover additional vulnerabilities, create backdoors, and harvest sensitive data.
3. Stealthy operations
Advanced persistent threats are known for their stealth. These covert attacks can go unnoticed for weeks, months and even years.
Industry breach reports have historically put the median APT dwell time (the period between compromise and detection) at tens of days to several months, more than enough time for attackers to steal sensitive information and cover their tracks.
Criminals behind these attacks expend a lot of effort to carry out sophisticated operations right from infiltration to data exfiltration. They move slowly and cautiously to prevent detection, harvesting data only after gaining a solid foothold in the network.
4. Huge resource investments
From malware to human resources, sophisticated APT operations cost a fortune. Even the simplest APT attack may require a budget of thousands of dollars, and a single attack is often the result of weeks or months of planning and custom malware development.
Custom-built malware is the product of skilled, high-value threat actors. Apart from equipment and tooling, sponsors must also bear the cost of the operators themselves.
5. Advanced tools and strategies
The malware, resources and techniques deployed to infiltrate are typically either refined versions of traditional exploits or custom-made. The social engineering used to launch an APT attack, and the methods used to evade detection, are refined, current and complex.
6. Detection evasion
Having up-to-date antivirus software and spam filters is hardly enough to keep your organisation safe from sophisticated attacks. APT groups use custom malware, and sometimes zero-day exploits, that signature-based security controls do not recognise, allowing them to bypass those controls and gain access to the network.
Advanced Persistent Threat; groups & their exploits
Over the years, malicious cyber crime teams, labelled as advanced persistent threats, have been discovered and classified using various ranking systems. Such classifications include countries of origin or attack tools and techniques used. Some groups have been operational as far back as the early 2000s.
While the most widely reported state-sponsored actors have links to Iran, China, Russia, North Korea and Vietnam, many more groups exist with ties to Western countries. Here are some advanced persistent threat groups:
1. APT35 (a.k.a. Charming Kitten)
The Iranian government supports this cyber-espionage group. Its operations are focused primarily on collecting strategic intelligence. They target media, telecommunications organisations and government sectors in the Middle East, U.S., and Western Europe.
APT35 typically employs spear phishing as its initial compromise tactic, using lures such as job postings or fake account-security notices to harvest passwords. Security professionals have also observed APT35 reusing credentials stolen in previous operations to gain access in new ones.
2. APT41 (a.k.a. Double Dragon, Winnti Group)
With operations going back to at least 2012, this China-backed group has targeted over 100 large organisations in about 14 countries.
APT41 campaigns have hit corporations in the telecommunications, high-tech and healthcare sectors where China has strategic interests. The group is known to steal intellectual property and has also deployed ransomware.
APT41 is a unique group as it displays two distinct concerns; espionage interest and financially motivated attack. The espionage is state-supported, but the financial hacks trend closer to the group’s interests.
APT41 employs traditional social engineering tools such as spear phishing, but they deploy multiple sophisticated and unique malware pieces to compromise systems once inside the target network.
3. APT38 (a.k.a. BlueNorOff)
This highly skilled group is linked to North Korea.
APT38 has been credited with some of the largest cyber heists on record, including the 2016 theft from Bangladesh Bank. Treated as a sub-unit of the infamous Lazarus Group, APT38 carries out financial attacks and illegally transfers money using custom malware. It usually targets financial institutions and corporations, including those in South Korea and the U.S.
Microsoft, along with the U.S. and UK governments, attributed the 2017 WannaCry ransomware worm, which infected over 300,000 computers in 150 countries, to North Korean actors associated with the Lazarus Group.
WannaCry spread without user interaction by exploiting an SMBv1 vulnerability (the EternalBlue exploit) on unpatched Windows hosts; once on a machine it encrypted the user's data and demanded a bitcoin payment for decryption.
These APT actors are aggressive in their operations and are comfortable destroying data and victims networks during their attack.
4. APT29 (a.k.a. Cozy Bear)
This Russian state-linked group, attributed by the U.S. and UK governments in 2021 to the SVR foreign intelligence service, has targeted Western European and U.S. governments and the diplomatic sector. Its operations can be traced back to at least 2010.
Cozy Bear carried out a spear-phishing attack against the Pentagon in August 2015. This attack caused the Pentagon’s Joint Staff unclassified email system and Internet access to be shut down for over two weeks.
The threat group uses social media sites like Twitter to relay commands and take out data from compromised networks. They also engage in the theft of data and intellectual property.
How to preempt APT attacks
Contrary to popular belief, no organisation is safe from APT attacks. APTs increasingly infiltrate small organisations in the supply chain of their real target. The networks of SMEs are more easily compromised, often because they have not invested in a robust security architecture.
Below are some effective prevention strategies that organisations should adopt and critical warning signs to look out for:
It is no longer only about preventive measures. A proactive approach asks "what if this happens?" and "what if one system is compromised?", and then makes the attacker's life difficult by reducing the likelihood of lateral movement and further infiltration. Your security teams should prepare controls around limiting the attack impact, reducing the likelihood of compromise, and preventing threats where possible, in line with a defence-in-depth approach.
Apply updates and software patches as soon as they are released.
Many APTs take advantage of missing patches, and only to a small extent of zero-day exploits. Keep operating systems, applications and security software up to date so that you have the latest protection available.
The Principle of Least Privilege
Follow the least privilege principle in line with the defence-in-depth approach. Only grant employees the access they need, and make that access time-bound. Closely monitor the accounts of former employees and third-party vendors, and disable and remove them as quickly as possible.
Authentication & Authorisation
Implement strong authentication and authorisation controls such as two-factor authentication for all internet-facing assets, privileged access management and just in time privileges.
Passwords remain one of the most important factors in an organisation's security. This covers insecure credential storage practices as well as password policy enforcement through group policy, applications and the assets in use.
Perform regular audits of your passwords, such as statistical analysis of password reuse and Active Directory security assessments, every few months to help your organisation improve its security posture.
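The password audit described above, as an added example that is not Cyphere's own tooling: the statistical checks a practitioner runs over an Active Directory hash dump. It assumes the dump is in the pwdump/secretsdump format (user:rid:lmhash:nthash:::), that the privileged account set comes from a separate group-membership export, and all of the non-empty hashes in the sample are constructed placeholders, not hashes of real passwords.

```python
"""Password-reuse audit over an NT-hash dump (constructed sample data).

Assumptions (not from the page): the dump is in the pwdump/secretsdump
format  user:rid:lmhash:nthash:::  and the privileged set comes from a
separate group-membership export.
"""
from collections import defaultdict

# Well-known constants: the LM and NT hashes of the empty password.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump. Every non-empty hash below is a made-up placeholder,
# not the hash of any real password or account.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jsmith:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
mjones:1107:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
tlee:1108:112233445566778899aabbccddeeff00:00112233445566778899aabbccddeeff:::
"""

# Assumption: taken from a Domain Admins membership export.
PRIVILEGED = {"Administrator"}


def parse_dump(text):
    """Return {user: (lmhash, nthash)} from a secretsdump-style dump."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _rid, lmhash, nthash, *_ = line.split(":")
        accounts[user] = (lmhash.lower(), nthash.lower())
    return accounts


def shared_nt_hashes(accounts):
    """Map each NT hash used by more than one account to the sorted account list."""
    groups = defaultdict(list)
    for user, (_lm, nt) in accounts.items():
        groups[nt].append(user)
    return {nt: sorted(users) for nt, users in groups.items() if len(users) > 1}


def empty_password_accounts(accounts):
    """Accounts whose NT hash is the hash of the empty string."""
    return sorted(u for u, (_lm, nt) in accounts.items() if nt == EMPTY_NT_HASH)


def lm_hash_present(accounts):
    """Accounts still storing an LM hash, which is crackable in hours."""
    return sorted(u for u, (lm, _nt) in accounts.items() if lm != EMPTY_LM_HASH)


def privileged_reuse(accounts, privileged):
    """Privileged accounts whose password is shared with a non-privileged account.

    This is the finding that matters most: compromising the low-value account
    hands the attacker the high-value one without any cracking at all.
    """
    findings = {}
    for members in shared_nt_hashes(accounts).values():
        others = [u for u in members if u not in privileged]
        for user in members:
            if user in privileged and others:
                findings[user] = others
    return findings


def reuse_ratio(accounts):
    """Fraction of accounts whose password is shared with at least one other."""
    shared = sum(len(m) for m in shared_nt_hashes(accounts).values())
    return shared / len(accounts) if accounts else 0.0


if __name__ == "__main__":
    accts = parse_dump(SAMPLE_DUMP)
    print("shared passwords:", shared_nt_hashes(accts))
    print("empty passwords:", empty_password_accounts(accts))
    print("LM hash present:", lm_hash_present(accts))
    print("privileged reuse:", privileged_reuse(accts, PRIVILEGED))
    print(f"reuse ratio: {reuse_ratio(accts):.0%}")
```

Comparing hashes rather than cracking them is deliberate: reuse, empty passwords and lingering LM hashes are all visible without recovering a single plaintext, so the audit can run on every domain controller export without the legal and handling concerns of a cracking exercise.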
Implement strong logging and monitoring tools such as IDS, IPS, firewalls and endpoint protection
With APT attacks, time is of the essence: the earlier you detect an intrusion, the earlier you can protect your data from unauthorised access and return your network to a secure state. Host-based intrusion detection systems are an effective tool for detecting and blocking threats. Detect and monitor anomalies, and pay particular attention to unusual login activity at hours when employees would not normally be accessing their systems.
Keep an eye out for egress traffic and your sensitive data on the web
APTs tend to stage data within the network as they harvest it, before exfiltrating it to their command-and-control infrastructure. Large aggregates of data, or unusual activity, in a location where your company does not normally store data, together with unexplained outbound transfers, are strong indicators that you are compromised and possibly under an APT attack.
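The two warning signs just described, off-hours logins and unexplained egress, are worth more together than apart. The following is an added example, not Cyphere's own tooling, of the detection logic run over constructed log lines: it flags successful logins outside business hours, flags large outbound flows to external addresses, and raises an alert only where the two line up on the same host within a short window. It assumes authentication events and flow records as "TIMESTAMP key=value ..." lines, internal hosts in 10/8, business hours of 07:00 to 19:59 on weekdays, and a 500 MiB single-flow threshold; the sample lines and the 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed.

```python
"""Off-hours login and large-egress correlation over constructed log lines.

Assumptions (not from the page): events arrive as 'TIMESTAMP key=value ...'
lines, internal hosts live in 10/8, business hours are 07:00-19:59 on
weekdays, and 500 MiB in a single outbound flow is well above normal for a
workstation. Tune all of these to the environment before relying on them.
"""
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time
EGRESS_THRESHOLD = 500 * 1024 * 1024     # bytes in one outbound flow
CORRELATION_WINDOW = timedelta(hours=1)  # login -> egress gap worth alerting on
INTERNAL_PREFIX = "10."                  # crude 10/8 check, enough for the sample

# Constructed sample data; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
AUTH_LOG = """\
2024-03-11T08:12:03 user=jsmith src=10.0.5.21 result=success
2024-03-11T02:47:19 user=jsmith src=10.0.5.21 result=success
2024-03-12T03:05:44 user=svc_backup src=10.0.9.8 result=success
2024-03-12T09:30:00 user=mjones src=10.0.5.40 result=failure
"""

FLOW_LOG = """\
2024-03-11T02:50:00 src=10.0.5.21 dst=198.51.100.7 bytes_out=734003200
2024-03-11T09:10:00 src=10.0.5.40 dst=203.0.113.5 bytes_out=1048576
2024-03-11T11:00:00 src=10.0.5.21 dst=10.0.20.3 bytes_out=3221225472
2024-03-12T03:15:00 src=10.0.9.8 dst=198.51.100.7 bytes_out=2147483648
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def is_off_hours(ts):
    """Weekends count as off-hours in full; weekdays outside BUSINESS_HOURS."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def off_hours_logins(auth_text):
    """Successful logins at times when staff would not normally be working."""
    return [e for e in parse_log(auth_text)
            if e["result"] == "success" and is_off_hours(e["ts"])]


def large_egress(flow_text):
    """Outbound flows to non-internal destinations above the size threshold.

    Internal transfers (e.g. to a backup server) are excluded on purpose: the
    large internal flow in the sample is exactly the kind of benign traffic
    that a size-only rule would turn into noise.
    """
    return [f for f in parse_log(flow_text)
            if not f["dst"].startswith(INTERNAL_PREFIX)
            and int(f["bytes_out"]) >= EGRESS_THRESHOLD]


def correlate(auth_text, flow_text):
    """Alert where an off-hours login is followed by large egress from the same host."""
    alerts = []
    flows = large_egress(flow_text)
    for login in off_hours_logins(auth_text):
        for flow in flows:
            gap = flow["ts"] - login["ts"]
            if flow["src"] == login["src"] and timedelta(0) <= gap <= CORRELATION_WINDOW:
                alerts.append({
                    "user": login["user"],
                    "src": login["src"],
                    "login_ts": login["ts"].isoformat(),
                    "dst": flow["dst"],
                    "bytes_out": int(flow["bytes_out"]),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(AUTH_LOG, FLOW_LOG):
        print("ALERT possible staging/exfiltration:", alert)
```

Either signal on its own is noisy (on-call staff log in at night; backups move gigabytes), which is why the alert fires only on the combination. In production the business-hours window should be per user or per role rather than global, and the egress baseline should be learned per host rather than fixed.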
Educate employees on APT threats such as social engineering.
Help your employees understand the importance (and risks) that their online activities can pose for the company. Cyphere offers tailor-made cyber security certifications and workshops that will help prepare your SME and employees against common attacks.
While you can never make your business impregnable against every threat, advanced persistent threats included, adopting a robust defensive architecture and educating employees on cyber security best practices is an essential step in the right direction.
Get in touch to discuss your security concerns and know how we can help you find your blind spots.
Shahrukh, is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Masters degree in Information Security, an OSCP and has a strong technical skillset in offensive security.