Advanced persistent threat

An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals. Such threat actors' motivations are typically political or economic. Every major business sector has recorded instances of cyberattacks by advanced actors with specific goals, whether to steal, spy, or disrupt. These targeted sectors include government, defense, financial services, legal services, industrial, telecoms, consumer goods and many more. Some groups utilize traditional espionage vectors, including social engineering, human intelligence and infiltration, to gain access to a physical location to enable network attacks. The purpose of these attacks is to install custom malware (malicious software). The median "dwell-time", the time an APT attack goes undetected, differs widely between regions. FireEye reported the mean dwell-time for 2018 in the Americas as 71 days, EMEA as 177 days, and APAC as 204 days. Such a long dwell-time allows attackers a significant amount of time to go through the attack cycle, propagate, and achieve their objective.


Definition

Definitions of precisely what an APT is can vary, but can be summarized by their named requirements below:

* Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include commercial and open source computer intrusion technologies and techniques, but may also extend to include the intelligence apparatus of a state. While individual components of the attack may not be considered particularly "advanced" (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from "less advanced" threats.
* Persistent – Operators have specific objectives, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a "low-and-slow" approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully. One of the operator's goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task.
* Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded.

Actors are not limited to state-sponsored groups.


History and targets

Warnings against targeted, socially-engineered emails dropping trojans to exfiltrate sensitive information were published by UK and US CERT organisations in 2005. This method was used throughout the early 1990s and does not in itself constitute an APT. The term "advanced persistent threat" has been cited as originating from the United States Air Force in 2006, with Colonel Greg Rattray cited as the individual who coined the term. The Stuxnet computer worm, which targeted the computer hardware of Iran's nuclear program, is one example of an APT attack. In this case, the Iranian government might consider the Stuxnet creators to be an advanced persistent threat. Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated computer network exploitation aimed at governments, companies, and political activists, and by extension, also to ascribe the A, P and T attributes to the groups behind these attacks. Advanced persistent threat (APT) as a term may be shifting focus to computer-based hacking due to the rising number of occurrences. PC World reported an 81 percent increase from 2010 to 2011 of particularly advanced targeted computer attacks. Actors in many countries have used cyberspace as a means to gather intelligence on individuals and groups of individuals of interest. The United States Cyber Command is tasked with coordinating the US military's offensive and defensive cyber operations. Numerous sources have alleged that some APT groups are affiliated with, or are agents of, governments of sovereign states. Businesses holding a large quantity of personally identifiable information are at high risk of being targeted by advanced persistent threats, including:

* Higher education
* Financial institutions
* Energy
* Transportation
* Technology
* Health care
* Telecommunications
* Manufacturing
* Agriculture

A Bell Canada study provided deep research into the anatomy of APTs and uncovered widespread presence in Canadian government and critical infrastructure. Attribution was established to Chinese and Russian actors.


Life cycle

Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation by following a continuous process or kill chain:

1. Target specific organizations for a singular objective
2. Attempt to gain a foothold in the environment (common tactics include spear phishing emails)
3. Use the compromised systems as access into the target network
4. Deploy additional tools that help fulfill the attack objective
5. Cover tracks to maintain access for future initiatives

The global landscape of APTs from all sources is sometimes referred to in the singular as "the" APT, as are references to the actor behind a specific incident or series of incidents, but the definition of APT includes both actor and method. In 2013, Mandiant presented results of their research on alleged Chinese attacks using the APT method between 2004 and 2013 that followed a similar lifecycle:

* Initial compromise – performed by use of social engineering and spear phishing, over email, using zero-day viruses. Another popular infection method was planting malware on a website that the victim's employees will be likely to visit.
* Establish foothold – plant remote administration software in the victim's network, create net backdoors and tunnels allowing stealth access to its infrastructure.
* Escalate privileges – use exploits and password cracking to acquire administrator privileges over the victim's computer and possibly expand it to Windows domain administrator accounts.
* Internal reconnaissance – collect information on surrounding infrastructure, trust relationships, Windows domain structure.
* Move laterally – expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.
* Maintain presence – ensure continued control over access channels and credentials acquired in previous steps.
* Complete mission – exfiltrate stolen data from the victim's network.

In incidents analysed by Mandiant, the average period over which the attackers controlled the victim's network was one year, with the longest being almost five years. The infiltrations were allegedly performed by Shanghai-based Unit 61398 of the People's Liberation Army. Chinese officials have denied any involvement in these attacks. Earlier reports from Secdev had discovered and implicated Chinese actors.


Mitigation strategies

There are tens of millions of malware variations, which makes it extremely challenging to protect organizations from APTs. While APT activities are stealthy and hard to detect, the command and control network traffic associated with APTs can be detected at the network layer with sophisticated methods. Deep log analysis and log correlation from various sources is of limited usefulness in detecting APT activities; it is challenging to separate noise from legitimate traffic. Traditional security technology and methods have been ineffective in detecting or mitigating APTs. Active cyber defense has yielded greater efficacy in detecting and prosecuting APTs (find, fix, finish) when applying cyber threat intelligence to threat hunting and adversary pursuit activities. Human-Introduced Cyber Vulnerabilities (HICV) are a weak cyber link that is neither well understood nor mitigated, constituting a significant attack vector.
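The network-layer detection of command and control traffic mentioned above can be illustrated with a small beaconing detector: an implant that checks in with its controller on a schedule produces connections to the same destination at near-regular intervals, which is measurable even when the payload itself is encrypted. The following is an added example, not code from the article or from any vendor or group named on this page; the connection-log format, the IP addresses, the timestamps and the thresholds are all constructed for the illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log (not real traffic). Fields:
# <ISO timestamp> <src_ip> <dst_ip>:<dst_port> <bytes_out>
# 10.0.0.5 contacts the same destination every ~10 minutes with a few
# seconds of jitter (the beaconing pattern); 10.0.0.9 shows irregular,
# user-driven traffic to a single site and should not be flagged.
SAMPLE_LOG = """\
2024-03-01T08:00:00 10.0.0.5 203.0.113.7:443 512
2024-03-01T08:10:02 10.0.0.5 203.0.113.7:443 498
2024-03-01T08:20:01 10.0.0.5 203.0.113.7:443 520
2024-03-01T08:30:03 10.0.0.5 203.0.113.7:443 505
2024-03-01T08:40:00 10.0.0.5 203.0.113.7:443 511
2024-03-01T08:50:02 10.0.0.5 203.0.113.7:443 499
2024-03-01T08:01:15 10.0.0.9 198.51.100.20:443 14000
2024-03-01T08:04:40 10.0.0.9 198.51.100.20:443 2300
2024-03-01T08:31:05 10.0.0.9 198.51.100.20:443 88000
2024-03-01T09:12:50 10.0.0.9 198.51.100.20:443 1200
2024-03-01T09:13:01 10.0.0.9 198.51.100.20:443 3100
2024-03-01T09:58:30 10.0.0.9 198.51.100.20:443 650
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_events=5, max_interval_cv=0.15):
    """Return source/destination pairs whose connection timing is near-regular.

    The score is the coefficient of variation (stdev / mean) of the gaps
    between successive connections. Interactive traffic is bursty and scores
    high; a scheduled check-in scores low even with modest jitter. The
    payload-size CV is reported as supporting evidence (heartbeats tend to be
    near-identical in size) but does not drive the verdict. Thresholds are
    illustrative assumptions, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    hits = []
    for (src, dst), events in sorted(by_pair.items()):
        if len(events) < min_events:
            continue  # too few samples to judge periodicity
        events.sort()
        times = [ts for ts, _ in events]
        sizes = [n for _, n in events]
        intervals = [(later - earlier).total_seconds()
                     for earlier, later in zip(times, times[1:])]
        mean_iv = statistics.mean(intervals)
        if mean_iv <= 0:
            continue  # only duplicate timestamps; nothing to measure
        interval_cv = statistics.stdev(intervals) / mean_iv
        size_cv = statistics.stdev(sizes) / statistics.mean(sizes)
        if interval_cv <= max_interval_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(events),
                "mean_interval_s": round(mean_iv, 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every ~{hit['mean_interval_s']}s (interval CV {hit['interval_cv']}, "
              f"size CV {hit['size_cv']})")
```

On the constructed log the detector reports only the 10.0.0.5 pair. In practice the same measurement is run per source/destination pair over a day or more of flow records, and a flagged pair is a lead for the hunting and adversary-pursuit work the section describes rather than a verdict on its own: legitimate software updaters and monitoring agents also beacon, so the candidate list is triaged against known-good destinations and threat intelligence.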


APT groups


China

Since Xi Jinping became General Secretary of the Chinese Communist Party in 2012, the Ministry of State Security gained more responsibility over cyberespionage vis-à-vis the People's Liberation Army, and currently oversees various APT groups. According to security researcher Timo Steffens, "The APT landscape in China is run in a 'whole country' approach, leveraging skills from universities, individual, and private and public sectors."

* PLA Unit 61398 (also known as APT1)
* PLA Unit 61486 (also known as APT2)
* Buckeye (also known as APT3)
* Red Apollo (also known as APT10)
* Numbered Panda (also known as APT12)
* DeputyDog (also known as APT17)
* Codoso Team (also known as APT19)
* Wocao (also known as APT20)
* APT 27
* PLA Unit 78020 (also known as APT30 and Naikon)
* Zirconium (also known as APT31)
* Periscope Group (also known as APT40)
* Double Dragon (also known as APT41, Winnti Group, Barium, or Axiom)
* Tropic Trooper
* Hafnium
* LightBasin (also known as UNC1945)
* Dragonbridge


Iran

* Elfin Team (also known as APT33)
* Helix Kitten (also known as APT34)
* Charming Kitten (also known as APT35)
* APT39
* Pioneer Kitten


Israel

* Unit 8200


North Korea

* Kimsuky
* Lazarus Group (also known as APT38)
* Ricochet Chollima (also known as APT37)


Russia

* Fancy Bear (also known as APT28)
* Cozy Bear (also known as APT29)
* Sandworm
* Berserk Bear
* FIN7
* Gamaredon (also known as Primitive Bear): active since 2013; unlike most APTs, Gamaredon broadly targets all users all over the globe (in addition to focusing on certain victims, especially Ukrainian organizations) and appears to provide services for other APTs. For example, the InvisiMole threat group has attacked select systems that Gamaredon had earlier compromised and fingerprinted.
* Venomous Bear


Turkey

* StrongPity (also known as APT-C-41 and PROMETHIUM)


United States

* Equation Group


Uzbekistan

* SandCat, associated with the State Security Service according to Kaspersky


Vietnam

* OceanLotus (also known as APT32)


See also

* Bureau 121
* Chinese intelligence activity abroad
* Cyber spying
* Darkhotel
* Fileless malware
* Ghostnet
* Kill chain
* NetSpectre
* Operation Aurora
* Operation Shady RAT
* Proactive cyber defence
* Spear-phishing
* Spyware
* Stuxnet
* Tailored Access Operations
* Unit 180
* Unit 8200


Further reading

* Gartner: Best Practices for Mitigating Advanced Persistent Threats
* Bell Canada, Combating Robot Networks and Their Controllers: PSTP08-0107eSec, 06 May 2010 (PSTP)
* Prepare for 'post-crypto world', warns godfather of encryption
* Defence Research: The Dark Space Project APT0 (archived 2020-07-26 at https://web.archive.org/web/20200726160607/https://cradpdf.drdc-rddc.gc.ca/PDFS/unc159/p537638_A1b.pdf)
* Gartner: Strategies for Dealing With Advanced Targeted Attacks
* XM Cyber: Remote file infection by an APT attack example
* Secdev, "GhostNet" was a large-scale cyber spying operation discovered in March 2009
* Secdev, "Shadows in the Cloud". A complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries.
* List of Advanced Persistent Threat Groups
* MITRE ATT&CK security community tracked Advanced Persistent Group Pages