What is an advanced persistent threat (APT)?

Which techniques are used in an APT attack?

To gain access, APT groups often use a variety of advanced attack methods, including social engineering techniques. To maintain access to the targeted network without being discovered, threat actors continuously rewrite malicious code to avoid detection and use other sophisticated evasion techniques. In fact, some APTs are so complex that they require full-time administrators to maintain the compromised systems and software in the targeted network.

Common techniques used during APT attacks include the following:

• Spear phishing. APT actors commonly use highly targeted spear phishing emails to fool people into divulging personal information or clicking on harmful links that can execute malicious code into their systems. These emails are skillfully written to appear authentic and tailored to the recipient.
• Zero-day exploits. APT actors often take advantage of zero-day vulnerabilities in software or hardware that have recently been discovered but not yet patched. By exploiting the vulnerabilities before they've been addressed, threat actors can easily gain unauthorized access to target systems.
• Watering hole attacks. APT actors use watering hole attacks to breach websites often accessed by their specific targets. By injecting malicious code into these websites, they can infect the systems of unsuspecting visitors.
• Supply chain attacks. Supply chain cyberattacks target a specific organization's supply chain, compromising software or hardware before it reaches the intended receiver. This enables APT actors to gain access to the victim's network.
• Credential theft. APT actors use methods such as keylogging, password cracking and credential phishing to obtain login credentials. Once they have legitimate credentials, they can navigate the network laterally and gain access to sensitive information.
• Command-and-control servers. Using C&C servers, APTs create communication routes between hacked systems and their network. This lets the attacker maintain control over the compromised network and exfiltrate data.
• Evasion strategies. To avoid being discovered by security systems, APT attackers often hide their operations using legitimate tools and processes, code obfuscation and anti-analysis measures.
• Living off the land. In this method, instead of using intrusive and direct malware deployments, attackers rely on using existing fileless malware and trusted applications to execute commands and hide malicious activity. These strategic attacks often blend in without detection.

What are the main motives and targets of an APT attack?

The motives of advanced persistent threat actors vary. For example, nation-state cyberthreats might target intellectual property (IP) or classified data to gain a competitive advantage in certain industries. Other target sectors often include power distribution and telecommunications utilities or other infrastructure systems, social media, media organizations, financial organizations, high tech and government agencies. Organized crime groups sponsor advanced persistent threats to gain information they can use to carry out criminal acts for financial gain.

Although APT attacks can be difficult to identify, data theft is never completely undetectable. Realizing that data has been exfiltrated might be the only clue an organization has that its networks are under attack. Cybersecurity professionals often focus on detecting anomalies in outbound data to see if the network has been the target of an APT attack.

Stages of an APT attack

APTs generally include the following five stages:

• Compromise. The remote attacker directly configures the malware so they can provide updates or new payloads.
• Process injection. The threat actor attaches themself to an existing application or process running in a system's memory.
• Cloaking. The threat actor tries to have as little effect on the host computer as possible while extracting what they need.
• Exfiltration. The attacker sends data back to the C&C server.
• Reignition. To remain operational, an APT must restart after the system is rebooted or if a system admin attempts to remove it.

Attackers take the following sequential actions following a typical APT attack lifecycle to gain and maintain ongoing access to a target:

1. Gain access. APT groups gain access to a target's network through the internet. Normally, they do this by inserting malicious software into the target through spear phishing emails or using an application vulnerability.
2. Establish a foothold. After gaining access to the target, threat actors use their access to do further reconnaissance. They use the malware they have installed to create networks of backdoors and tunnels to move around unnoticed.
3. Cover tracks. APTs often use advanced malware techniques, such as code rewriting, to cover their tracks and evade detection.
4. Gain even greater access. Once inside the targeted network, APT actors use methods such as password cracking to gain administrative rights. This gives them more control of the system and even deeper levels of access.
5. Move laterally. Once threat actors have breached their target systems and gained administrator rights, they can move around the enterprise network at will. They can also attempt to access other servers and secure areas of the network.
6. Stage the attack. The hackers centralize, encrypt and compress the data so they can exfiltrate it.
7. Take the data. The attackers harvest the data and transfer it to their system.
8. Remain undetected. Cybercriminals will repeat this process for long periods of time until they're detected, or they can create a backdoor so they can access the system again later.

Examples of advanced persistent threats

APTs are usually assigned names by the organization that discovered them, though many advanced persistent threat attacks have been discovered by more than one researcher, so some are known by more than one name.

APTs have been detected since the early 2000s, and they date back as far as 2003 when China-based hackers ran the "Titan Rain" campaign against U.S. government targets to steal sensitive state secrets. The attackers targeted military data and launched APT attacks on the high-end systems of U.S. government agencies, including the National Aeronautics and Space Administration and the Federal Bureau of Investigation. Security analysts pointed to the Chinese People's Liberation Army as the source of the attacks.

APT examples include the following:

• Lazarus Group. This North Korean state-sponsored APT has been active since 2009. It is potentially responsible for attacks including WannaCry in 2017, the Harmony Horizon bridge cryptocurrency theft in 2022 and a series of software supply chain attacks in 2024 and 2025.
• Gelsemium. This China-aligned APT targeted a Southeast Asian government for six months between 2022 and 2023. The cyberespionage group responsible has been operational since 2014. It initially exploited its target by installing web shells to perform basic reconnaissance.
• APT41. This APT targeted the proprietary information of technology and manufacturing companies using malware, including digitally signed kernel-level rootkits. The Chinese state-linked group, also known as Winnti, targeted companies in East Asia, Western Europe and North America from at least 2019 to 2021.
• APT37. Also known as Reaper, ScarCruft and Group123, this advanced persistent threat linked to North Korea is believed to have originated around 2012. APT37 has been connected to spear phishing attacks exploiting an Adobe Flash zero-day vulnerability.
• APT34. This advanced persistent threat group linked to Iran was identified in 2017 by researchers at FireEye (now Trellix) but has been active since at least 2014. The threat group has targeted companies in the Middle East with recent attacks against financial, government, energy, chemical and telecommunications companies.
• APT32. This Vietnamese APT group -- also known as OceanLotus, SeaLotus and Cobalt Kitty -- has been active since at least 2014. It focuses on organizations in Southeast Asia, particularly those with ties to the region's politics or economy. APT32 has been involved in espionage operations, leading campaigns against firms in the private sector, media outlets and government institutions.
• APT29. Russian advanced persistent threat group APT29, also known as Cozy Bear, has been linked to several attacks, including a 2015 spear phishing attack on the Pentagon, as well as the 2016 attacks on the Democratic National Committee.
• APT28. Trend Micro researchers identified APT28, the Russian advanced persistent threat group also known as Fancy Bear, Pawn Storm, Sofacy Group and Sednit Gang, in 2014. APT28 has been linked to attacks against military and government targets in Eastern Europe, including Ukraine and Georgia, as well as campaigns targeting the North Atlantic Treaty Organization and U.S. defense contractors.
• The Sykipot APT malware family. This malware exploited flaws in Adobe Reader and Acrobat. It was detected in 2006, with further attacks reportedly continuing through 2013. Threat actors used the Sykipot malware family as part of a long-running series of cyberattacks, mainly targeting U.S. and U.K. organizations. The hackers used a spear phishing attack that included links and malicious attachments containing zero-day exploits in targeted emails.
• The GhostNet cyberespionage operation. Discovered in 2009, this exploit was executed from China using spear phishing emails containing malicious attachments. The attacks compromised computers in more than 100 countries. The attackers focused on gaining access to the network devices of government ministries and embassies. These attacks enabled the hackers to control these compromised devices, turning them into listening and recording devices by remotely switching on their cameras and audio recording capabilities.
• The Stuxnet worm. This exploit, used to attack Iran's nuclear program, was detected by cybersecurity researchers in 2010. Although Stuxnet is not considered a cybersecurity threat today, it is still considered one of the most sophisticated pieces of malware ever detected. The malware targeted Siemens SCADA (supervisory control and data acquisition) systems and was spread with infected USB devices. The U.S. and Israel have both been linked to the development of Stuxnet. While neither nation has officially acknowledged its role in developing it, there have been unofficial confirmations that these countries were responsible for Stuxnet.

Characteristics of advanced persistent threats

Advanced persistent threats often exhibit certain characteristics reflecting the high degree of coordination necessary to breach high-value targets.

Common characteristics of APTs include the following:

• Sequential. Most APTs are carried out in multiple phases, reflecting the same basic sequence of gaining access, maintaining and expanding access, and attempting to remain undetected in the target network until the attack goals have been accomplished.
• Multiple points of compromise. Advanced persistent threats are also distinguished by their focus on establishing multiple points of compromise. They usually attempt to establish multiple points of entry to the targeted networks. This enables them to retain access even if the malicious activity is discovered and an incident response is triggered, enabling cybersecurity defenders to close one compromise.
• Specific goals and objectives. APTs have specific goals and motives, which can vary depending on the actors involved. These goals could involve conducting espionage, influencing political processes or stealing confidential information, financial data or IP. They might also involve interfering with business operations.
• Enhanced time frame. While conventional cyberattacks, such as ransomware, typically unfold within a relatively brief time frame, lasting days or weeks at most, APT attacks can span months or even years.
• Coordinated and well resourced. APTs are frequently carried out by threat actors with strong organizational and financial capabilities, such as state-sponsored, organized crime gangs or highly proficient hacker groups. They can create unique tools, carry out in-depth reconnaissance and plan intricate strikes.
• Expensive to carry out. The creation and proliferation of APTs can cost millions of dollars. Large, well-funded companies and groups of cybercriminals frequently choose to use APT attacks, as they are the most financially demanding type of cybercrime.
• Redundant points of entry. Once an APT has infiltrated a network, it often establishes multiple connections to its home servers, enabling the potential deployment of additional malware. This strategy ensures redundant entry points, mitigating the risk of closure by network administrators.
• Use of legitimate tools. APTs commonly use native system tools to evade detection. This approach is also called living off the land and enables threat actors to blend in with normal system activity, avoiding security alerts.

Detecting advanced persistent threats

Advanced persistent threats have certain warning signs, despite typically being hard to detect. An organization might notice certain symptoms after it has been targeted by an APT, including the following:

• Unusual activity on user accounts.
• Extensive use of backdoor Trojan horse malware, a method that enables APTs to maintain access.
• Odd or uncharacteristic database activity, such as a sudden increase in database operations involving massive quantities of data.
• A sudden increase in targeted spear phishing attempts.
• The presence of unusual data files or large clumps of files in unusual locations, which could indicate data that has been bundled into files ready to be exported to assist in the exfiltration process.

APTs can also be detectable if a network monitoring system recognizes the installed malware attempting to connect to its C&C system.

Detecting anomalies in outbound data is perhaps the best way for cybersecurity professionals to determine if a network has been the target of an APT attack. Focusing on controls that address each stage of the cyber kill chain can likewise provide an opportunity for early detection.

APT security measures

Defending against APT attacks is difficult. They often succeed, as the average time to detect them is typically measured in months.

To avoid and mitigate APTs, security teams must develop comprehensive security strategies. Key security measures the defend against APTs include the following:

• Patching network software and operating system (OS) vulnerabilities. Patching vulnerabilities in network software and OSes as soon as possible helps prevent attackers from exploiting known weaknesses.
• Securing remote connections. Encryption prevents unauthorized access to sites by thwarting potential intruders from exploiting these connections. Use multifactor authentication, virtual private networks and zero-trust network access.
• Filtering incoming emails. Filtering incoming emails is a key step in preventing spam and phishing assaults on a network, as it prevents suspicious emails from passing through.
• Prompt logging of security events. Logging security incidents as soon as they happen can improve allowlists and other security policies.
• Real-time traffic monitoring. Companies should monitor inbound and outbound traffic within the perimeter of their network to prevent backdoor installations and the extraction of stolen data.
• Setting up web application firewalls. Installing web application firewalls on network endpoints and edge networks can help protect web servers and web applications from infiltration.
• Implement threat hunting software. Proactive tools, such as threat hunting software, can help detect hidden APT activities by continually monitoring for any signs of compromise and suspicious network behavior.

Enterprise IT must stay vigilant to protect its data and networks from sophisticated and evolving cyberthreats. Learn to spot and prevent the top security threats confronting IT teams.