by peter


Advanced Persistent Threat Explained


Risk Rating: HIGH
Likelihood: 3/5
Impact: 5/5


To be the focal point of an Advanced Persistent Threat means you have something the attackers need. This could be a trade secret, a product you manufacture that they want to use, or the dirty laundry of another target. Typically, an APT targets an organisation to get information.

Advanced Persistent Threat Overview

In 2003, hackers based in China began a series of far-ranging cyberattacks against U.S. government targets with the aim of stealing sensitive state secrets, in an operation nicknamed Titan Rain by U.S. investigators. The hackers’ focus was on military data and included Advanced Persistent Threat attacks on high-end systems of organisations such as NASA and the FBI. The level of sophistication used in the attacks led Adam Paller, SANS Institute research director, to state “no other organisation could do this if they were not a military”. The attacks caused some friction between the U.S. and Chinese governments. Many security analysts pointed the finger at the Chinese military (People’s Liberation Army) as the source of the attacks.

In 2006, the Sykipot attacks leveraged vulnerabilities in Adobe Reader and Acrobat and were part of a long-running series of cyberattack campaigns aimed primarily at U.S. and U.K. organisations, including defence contractors, telecommunications companies and government departments. The attackers consistently used targeted emails containing either a link or a malicious attachment that delivered zero-day exploits. This method of gaining entry to corporate and government systems, known as spear-phishing, is the most commonly used tactic in Advanced Persistent Threat attacks.

GhostNet is the name that researchers gave to a large-scale cyber-espionage operation that was first detected in 2009. Carried out from China, the attacks succeeded in compromising computers in over 100 different countries, with a focus on infiltrating network devices associated with embassies and government ministries. The operations were largely viewed as China’s attempt to position itself as a leader in an emerging “information war”. These attacks were characterised by their frightening capability to control compromised devices, turning them into listening devices by remotely switching on their camera and audio-recording functions.

Considered at the time to be one of the most sophisticated pieces of malware ever detected, the Stuxnet worm was used in operations against Iran in 2010. Its complexity indicated that only nation-state actors could have been involved in its development and deployment. A key difference with Stuxnet is that, unlike most viruses, the worm targets systems that are traditionally not connected to the internet for security reasons. It instead infects Windows machines via USB keys and then propagates across the network, scanning for Siemens Step7 software on computers controlling programmable logic controllers (PLCs). The operations were designed to provide the hackers with sensitive information on Iranian industrial infrastructure.

In 2015, security experts connected state-sponsored attackers working for the Chinese government to one of the most notable data breaches in U.S. history — the attack on the U.S. Office of Personnel Management (OPM). The attack on OPM compromised over 4 million records, including information on current, former and prospective federal government employees, as well as their family members, foreign contacts and even psychological information.

In the same year, 2015, an Advanced Persistent Threat attack affecting the U.S. Government’s Office of Personnel Management was attributed to what is being described as an ongoing cyberwar between China and the U.S. The latest rounds of attacks have been referred to by a variety of codenames, with Deep Panda the most commonly cited attribution. The attack on OPM in May 2015 was understood to have compromised over 4 million U.S. personnel records, with fears that information pertaining to secret service staff may also have been stolen.

What you need to know

An advanced persistent threat (APT) is a highly advanced, covert threat on a computer system or network where an unauthorized user manages to break in, avoid detection and obtain information for business or political motives. Typically carried out by criminals or nation-states, the main objective is financial gain or political espionage. While APTs continue to be associated with nation-state actors who want to steal government or industry secrets, cyber criminals with no particular affiliation also use APTs to steal data or intellectual property.

The single best defense against an Advanced Persistent Threat is continual monitoring of your information assets through a 24x7x365 Security Operations Center and regular holistic Cyber Security Testing.

How the attack happens

An Advanced Persistent Threat usually ranges from highly advanced tactics, including a fair amount of intelligence gathering, to less sophisticated methods of getting a foothold in the system (e.g., malware and spear-phishing). Regardless, various methodologies are used to reach and compromise the target in question and to maintain access.

The most common plan of attack is to escalate from a single computer to an entire network by reading an authentication database, learning which accounts have the appropriate permissions, and then leveraging those accounts to compromise assets. APT hackers will also install backdoor programs (such as Trojans) on compromised computers within the exploited environment. They do this to make sure they can regain entry, even if the credentials are changed later.

Attack Sources

Most Advanced Persistent Threat groups are affiliated with, or are agents of, governments of sovereign states. An APT could also be a professional hacker working full-time for the above. These state-sponsored hacking organizations usually have the resources and ability to closely research their target and determine the best point of entry.