An advanced persistent threat (APT) is a stealthy computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period. The term's definition was traditionally associated with state sponsorship, but over the last few years there have been multiple examples of non-state sponsored groups conducting large-scale targeted intrusions for specific goals.
An APT may have either business or political motives. APT processes require a high degree of covertness over a long period of time. The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The "threat" process indicates human involvement in orchestrating the attack.
APT usually refers to a group, such as a government, with both the capability and the intent to target, persistently and effectively, a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence-gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attacks. Other recognized attack vectors include infected media, supply chain compromise, and human intelligence and deception. The purpose of these attacks is to place custom malicious code on one or multiple computers for specific tasks and to remain undetected for the longest possible period. Knowing the attacker's artifacts, such as file names, can help a professional run a network-wide search to identify all affected systems. An individual adversary is not usually referred to as an APT, as individuals rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.
History and targets
Warnings against targeted, socially-engineered emails dropping trojans to exfiltrate sensitive information were published by UK and US CERT organisations in 2005. This method was used throughout the early 1990s and does not in itself constitute an APT. The term "advanced persistent threat" has been cited as originating from the United States Air Force in 2006, with Colonel Greg Rattray cited as the individual who coined the term. However, the term APT was used within telecommunications carriers years previously.
The Stuxnet computer worm, which targeted the computer hardware of Iran's nuclear program, is one example. In this case, the Iranian government might consider the Stuxnet creators to be an advanced persistent threat.
Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated computer network exploitation aimed at governments, companies, and political activists, and by extension, also to ascribe the A, P and T attributes to the groups behind these attacks. Advanced persistent threat (APT) as a term may be shifting focus to computer-based hacking due to the rising number of occurrences. PC World reported an 81 percent increase from 2010 to 2011 of particularly advanced targeted computer attacks.
Actors in many countries have used cyberspace as a means to gather intelligence on individuals and groups of individuals of interest. The United States Cyber Command is tasked with coordinating the US military's offensive and defensive cyber operations.
Numerous sources have alleged that some APT groups are affiliated with, or are agents of, governments of sovereign states. Businesses holding a large quantity of personally identifiable information are at high risk of being targeted by advanced persistent threats, including:
- Higher education
- Financial institutions
A Bell Canada study provided deep research into the anatomy of APTs and uncovered widespread presence in Canadian government and critical infrastructure. Attribution was established to Chinese and Russian actors.
Bodmer, Kilger, Carpenter and Jones defined the following APT criteria:
- Objectives – The end goal of the threat, your adversary
- Timeliness – The time spent probing and accessing your system
- Resources – The level of knowledge and tools used in the event (skills and methods will weigh on this point)
- Risk tolerance – The extent the threat will go to in order to remain undetected
- Skills and methods – The tools and techniques used throughout the event
- Actions – The precise actions of a threat or numerous threats
- Attack origination points – The number of points where the event originated
- Numbers involved in the attack – How many internal and external systems were involved in the event, and how many people's systems have different influence/importance weights
- Knowledge source – The ability to discern any information regarding any of the specific threats through online information gathering (you might be surprised by what you can find by being a little proactive)
Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation by following a continuous process or kill chain:
- Target specific organizations for a singular objective
- Attempt to gain a foothold in the environment (common tactics include spear phishing emails)
- Use the compromised systems as access into the target network
- Deploy additional tools that help fulfill the attack objective
- Cover tracks to maintain access for future initiatives
The global landscape of APTs from all sources is sometimes referred to in the singular as "the" APT, as are references to the actor behind a specific incident or series of incidents, but the definition of APT includes both actor and method.
In 2013, Mandiant presented results of their research on alleged Chinese attacks using APT methodology between 2004 and 2013 that followed a similar lifecycle:
- Initial compromise – performed by use of social engineering and spear phishing, over email, using zero-day viruses. Another popular infection method was planting malware on a website that the victim's employees will be likely to visit.
- Establish Foothold – plant remote administration software in victim's network, create net backdoors and tunnels allowing stealth access to its infrastructure.
- Escalate privileges – use exploits and password cracking to acquire administrator privileges over victim's computer and possibly expand it to Windows domain administrator accounts.
- Internal reconnaissance – collect information on surrounding infrastructure, trust relationships, Windows domain structure.
- Move laterally – expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.
- Maintain presence – ensure continued control over access channels and credentials acquired in previous steps.
- Complete mission – exfiltrate stolen data from victim's network.
In incidents analysed by Mandiant, the average period over which the attackers controlled the victim's network was one year, with the longest almost five years. The infiltrations were allegedly performed by Shanghai-based Unit 61398 of the People's Liberation Army. Chinese officials have denied any involvement in these attacks.
Earlier reports from Secdev had discovered and implicated Chinese actors.
- Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques such as telephone-interception technologies and satellite imaging. While individual components of the attack may not be classed as particularly "advanced" (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from "less advanced" threats.
- Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a "low-and-slow" approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully. One of the operator's goals is to maintain long-term access to the target, in contrast to threats who only need access to execute a specific task.
- Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded. Note that actors are not limited to state sponsored groups.
There are hundreds of millions of malware variations, which makes it extremely challenging to protect organizations from APTs. While APT activities are stealthy and hard to detect, the command and control network traffic associated with an APT can be detected at the network layer with sophisticated methods. Deep log analysis and log correlation from various sources are of limited usefulness in detecting APT activities. It is challenging to separate noise from legitimate traffic. Traditional security technology and methods have been ineffective in detecting or mitigating APTs. Active cyber defence has yielded greater efficacy in detecting and prosecuting APTs (find, fix, finish) when applying cyber threat intelligence to hunt and adversary pursuit activities.
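One network-layer method for surfacing command and control traffic that follows the "low-and-slow" pattern described above is to look for outbound connections that repeat at long, near-constant intervals. The following is an added example, not part of the original article; the log format, host names and thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound proxy log: "<ISO timestamp> <internal host> <destination>".
SAMPLE_LOG = """\
2024-03-01T01:00:03 ws-014 sync.example.org
2024-03-01T02:00:01 ws-014 sync.example.org
2024-03-01T03:00:04 ws-014 sync.example.org
2024-03-01T04:00:02 ws-014 sync.example.org
2024-03-01T05:00:05 ws-014 sync.example.org
2024-03-01T06:00:03 ws-014 sync.example.org
2024-03-01T09:01:10 ws-014 news.example.com
2024-03-01T09:01:45 ws-014 news.example.com
2024-03-01T09:07:30 ws-014 news.example.com
2024-03-01T10:15:00 ws-022 sync.example.org
2024-03-01T11:42:00 ws-014 news.example.com
2024-03-01T11:42:20 ws-014 news.example.com
2024-03-01T14:40:12 ws-022 sync.example.org
2024-03-01T16:05:00 ws-014 news.example.com
"""

def group_flows(log_text):
    """Map (source, destination) -> sorted list of connection times."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        stamp, src, dst = fields
        flows[(src, dst)].append(datetime.fromisoformat(stamp))
    return {pair: sorted(times) for pair, times in flows.items()}

def find_beacons(log_text, min_events=6, min_period=60.0, max_cv=0.1):
    """Flag pairs with long, near-constant gaps; thresholds are example assumptions."""
    findings = []
    for (src, dst), times in group_flows(log_text).items():
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap < min_period:
            continue  # sub-minute repetition is out of scope for this check
        # Coefficient of variation: jitter relative to the period.
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append((src, dst, round(mean_gap), round(cv, 4)))
    return sorted(findings)
```

A hit is a lead for investigation, not a verdict: software updaters and monitoring agents also connect on fixed schedules, so flagged destinations still need to be checked against known-good services.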
- Advanced volatile threat
- Chinese intelligence activity abroad
- Cozy Bear (also known as APT29)
- Cyber spying
- Fancy Bear (also known as APT28)
- Kill chain
- Operation Aurora
- Operation Shady RAT
- PLA Unit 61398
- Proactive Cyber Defence
- Tailored Access Operations
- Unit 8200
- Maloney, Sarah. "What is an Advanced Persistent Threat (APT)?". Retrieved 2018-11-09.
- Dr. Sam Musa. "Advanced Persistent Threat - APT".
- "Anatomy of an Advanced Persistent Threat (APT)". Dell SecureWorks. Retrieved 2012-05-21.
- "Are you being targeted by an Advanced Persistent Threat?". Command Five Pty Ltd. Archived from the original on 2011-04-06. Retrieved 2011-03-31.
- "Search for malicious files". Malicious File Hunter. Retrieved 2014-10-10.
- "The changing threat environment ..." Command Five Pty Ltd. Archived from the original on 2012-07-24. Retrieved 2011-03-31.
- "Assessing Outbound Traffic to Uncover Advanced Persistent Threat" (PDF). SANS Technology Institute. Retrieved 2013-04-14.
- "Introducing Forrester's Cyber Threat Intelligence Research". Forrester Research. Archived from the original on 2014-04-15. Retrieved 2014-04-14.
- "Advanced Persistent Threats: Learn the ABCs of APTs - Part A". SecureWorks. Retrieved 23 January 2017.
- Olavsrud, Thor. "Targeted Attacks Increased, Became More Diverse in 2011". PCWorld.
- "An Evolving Crisis". BusinessWeek. April 10, 2008. Archived from the original on 10 January 2010. Retrieved 2010-01-20.
- "The New E-spionage Threat". BusinessWeek. April 10, 2008. Archived from the original on 18 April 2011. Retrieved 2011-03-19.
- "Google Under Attack: The High Cost of Doing Business in China". Der Spiegel. 2010-01-19. Archived from the original on 21 January 2010. Retrieved 2010-01-20.
- "Under Cyberthreat: Defense Contractors". BusinessWeek. July 6, 2009. Archived from the original on 11 January 2010. Retrieved 2010-01-20.
- "Understanding the Advanced Persistent Threat". Tom Parker. February 4, 2010. Retrieved 2010-02-04.
- "Advanced Persistent Threat (or Informationized Force Operations)" (PDF). Usenix, Michael K. Daly. November 4, 2009. Retrieved 2009-11-04.
- Ingerman, Bret. "Top-Ten IT Issues, 2011". Educause Review.
- "APT0 Study on the Analysis of Darknet Space for Predictive Indicators of Cyber Threat Activity" (PDF).
- Sean Bodmer; Dr. Max Kilger; Gregory Carpenter; Jade Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. McGraw-Hill Osborne Media. ISBN 978-0071772495.
- "Outmaneuvering Advanced and Evasive Malware Threats". Secureworks. Secureworks Insights. Retrieved 24 February 2016.
- EMAGCOMSECURITY (9 April 2015). "APT (ADVANCED PERSISTENT THREAT) GROUP". Retrieved 15 January 2019.
- "APT1: Exposing One of China's Cyber Espionage Units". Mandiant. 2013.
- "China says U.S. hacking accusations lack technical proof". Reuters. 2013.
- "'GhostNet' was a large-scale cyber spying operation" (PDF).
- "What's an APT? A Brief Definition". Damballa. January 20, 2010. Archived from the original on 11 February 2010. Retrieved 2010-01-20.
- Gartner Best Practices for Mitigating Advanced Persistent Threats
- Bell Canada, Combating Robot Networks and Their Controllers: PSTP08-0107eSec 06 May 2010 (PSTP)
- Prepare for 'post-crypto world', warns godfather of encryption
- Defence Research: The Dark Space Project APT0
- Gartner: Strategies for Dealing With Advanced Targeted Attacks
- FireEye: Advanced Persistent Threat Groups
- XM Cyber: Remote file infection by an APT attack example
- Secdev, “GhostNet” was a large-scale cyber spying operation discovered in March 2009
- Secdev, “Shadows in the Cloud”. A complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries.