What is an advanced persistent threat?

An APT is a sophisticated cyberattack during which a group of intruders gain access to a network and steal highly sensitive data over a prolonged period of time. The targets of APT attacks are usually large corporations and government networks.

The teams of cybercriminals that conduct advanced persistent threat campaigns usually have a solid financial background and expertise in managing elaborate cybercrime campaigns. They tend to spend a considerable amount of time researching, choosing, and detecting vulnerabilities within businesses and organizations. APT attacks can result in revenue or intellectual property losses, collapse of critical infrastructures, and damaged reputation.

Threat actors use all kinds of hacking techniques to get into a targeted network and stay inside as long as possible. An advanced persistent threat usually targets large organizations or government entities. These types of attacks are often orchestrated by hostile nations.

If you consider a regular cyberattack, it doesn’t last long. Hackers want to do their job and get out of a network without being caught. With an APT attack, it’s a whole different story. It can last for months and even years without anyone realizing they have an unwanted guest in their network.

Countries like North Korea, Russia, Iran, and China are known for spying on other nations and collecting intelligence. The Tardigrade malware is one of the recent examples of APT attacks. However, it’s still not clear who might be responsible for orchestrating it.

The stages of an advanced persistent threat attack include:

1. Getting access. Attackers gain access to a network by using spear phishing techniques or exploiting software vulnerabilities. They then deploy malware.
2. Establishing a backdoor. A backdoor and several other entry points are created. These entry points can be used in case the first one is detected.
3. Gaining administrative privileges. Once attackers can move freely around a network, they seek administrative access. This way, they can eavesdrop on all kinds of valuable data, which might be accessible to only certain high-level employees.
4. Stealing data. When hackers have comfortably established themselves inside a network, they start spying on a target. They can steal anything, from users’ passwords to state secrets.
5. Erasing tracks. After collecting the information they need, attackers may hide their tracks and abandon the infected network. However, they may also leave a backdoor in case they need it in the future.

Deep Panda

Deep Panda is a Chinese cyber espionage group that was first spotted in 2011. Two years later, Deep Panda entered the limelight after hacking Adobe and stealing 38 million users’ data, including names, passwords, and payment details. Hackers exploited a known software vulnerability, installed malware on Adobe web servers, and created a backdoor.

A couple of years later, the United States Office of Personnel Management (OPM) became another victim of Deep Panda. Criminals stole 22.1 million records, including the names, social security numbers, and addresses of government employees and their family members.

Researchers claim that cyberattacks against the OPM were conducted in two stages. It’s not known when the first attack happened, but the second one was discovered in 2014.

Lazarus group

The Lazarus group is a North Korean state-sponsored hacking organization known for multiple cyberattacks in at least 31 countries. Little is known about this group, but it targets large corporations like Sony, banks, and foreign governments.

During the COVID-19 pandemic, pharmaceutical companies became a common target of the Lazarus group. A wide range of AstraZeneca employees working on coronavirus research received malicious emails, but no data was compromised.

Helix Kitten

Helix Kitten, otherwise known as APT34 or OilRig, is an Iranian hacker group that has been operating since 2014, primarily in the Middle East.

In 2020, cybersecurity experts discovered that APT34 was targeting Westat, a US-based research company, which provides services to various enterprises and government agencies. Hackers used a phishing email that was masked as an employee satisfaction survey.

Ocean Buffalo

Ocean Buffalo is a Vietnam-based group of cyberattackers that exploit Vietnamese internal security issues and use various tactics to conduct economic and foreign intelligence espionage. Active since 2012, Ocean Buffalo has targeted mainly organizations located in Southeast Asian countries. However, hackers’ targets are moving towards the West.

Ocean Buffalo made the headlines when it targeted China’s Ministry of Emergency Management and the Wuhan provincial government during the COVID-19 pandemic. The hackers were aiming to collect intelligence on the COVID-19 crisis. The Ocean Buffalo group was also spotted targeting Android users in Asia in a campaign later called PhantomLance. They distributed spyware over different applications accessible through online app marketplaces.

Cozy Bear

Cozy Bear is a cyber espionage group believed to be acting on behalf of the Russian foreign intelligence services. These hackers are linked to various cyberattacks against foreign governments, businesses, and political organizations. Though Cozy Bear has been active since 2008, it gained widespread attention in 2016 because it breached the US Democratic National Committee’s (DNC) network during the presidential election.

The Cozy Bear group became known for their persistence and inconspicuous tactics. Their campaigns typically include spear-phishing and malware infiltrations to corrupt sensitive systems.

The chances of falling victim to advanced persistent threats can be significantly reduced with robust security measures. APT attacks are directed mainly at large enterprises, and it usually depends on their incentive to implement necessary tools for advanced persistent threat prevention. APT campaigns are versatile, and to tackle them, the whole body of the company should be constantly alert.

The most effective measures against APT attacks that enterprises can take include:

• Traffic monitoring. Monitoring traffic goinrtasKg in and out of the company’s network can prevent backdoor installation and stolen data extraction. Constant observation of the company’s data traffic keeps security personnel alert to any unusual behavior within the network. Enterprises are also recommended to use web applications and network firewalls that help identify internal traffic abnormalities.
• Allowlisting applications and domains. It helps control the domains users can access from the company’s network and applications they can install. However, one should still be alert at all times because even trusted domains can be put in jeopardy.
• Access control. Network points should be secured with multi-factor authentication (MFA). MFA requires users to provide at least two verification factors before accessing the company’s resources. Access to highly sensitive data should be accessible only to top-level personnel.
• Distribute credentials securely. User credentials shouldn’t be distributed via plain-text emails or instant messaging (where information may be kept in session logs).
• Train your staff. Cybersecurity awareness is still relatively poor, and many employees lack a proper understanding of digital risks.

Typically, employees are the soft spot that hackers exploit to get into the enterprise’s network. However, employees are not powerless to prevent advanced persistent threat intrusions. Here’s what they can do:

• Update your software on time. Postponing updates can be tempting, and many employees fall into this habit. Hackers often exploit known software vulnerabilities that have already been patched.
• Never click on suspicious links. Closely inspect every email you get and never rush into clicking on links or attachments. Phishing emails can be crafted extremely well and cybercriminals use social engineering techniques to make sure you open them.
• Use Threat Protection. By enabling NordVPN’s Threat Protection feature, users can protect themselves against high-risk websites where they might pick up malware and exploit kits. Threat Protection also blocks malicious ads and trackers and scans the files you download to make sure they are not malware in disguise.