Advanced Persistent Threat (APT)
This knowledgebase article covers:
- A fundamental understanding of Advanced Persistent Threats (APTs)
- How APTs work and how they are applied by threat actors
- Examples of APTs and the threat actors associated with them
- How APTs leverage exploited vulnerabilities
Advanced Persistent Threats (APTs) are ongoing attacks in which malicious actors gain unauthorized access to systems and then linger for an extended period of time. They prioritize stealth to evade detection so that they can remain in the compromised system longer, enabling them to do more damage and exfiltrate more data. By understanding what an APT is and how attackers can exploit system vulnerabilities to gain initial access, organizations can implement risk mitigation strategies.
What is an advanced persistent threat (APT)?
An advanced persistent threat (APT) is a prolonged and strategic cyber attack by highly skilled threat actors. Attackers start by gaining unauthorized access to the target network so they can exfiltrate data over an extended period. APTs require planning since they often use sophisticated techniques.
When categorizing an attack as an APT, some typical features include:
- Maintaining access for a long time, sometimes years
- Using advanced tools and techniques, like zero-day exploits or credential harvesting
- Blending into legitimate network traffic to avoid detection
- Focusing on high-value targets, like government agencies, defense contractors, or enterprises
- Stealing data, like intellectual property, rather than causing direct damage
What are the Stages of an APT attack?
APTs are structured and stealthy operations that seek to compromise critical networks and their data. Across each step of the attack, security teams have an opportunity to thwart the malicious actors.
Reconnaissance and initial access
During the reconnaissance phase, the attackers typically look for vulnerabilities that they can use to gain unauthorized access. These vulnerabilities can be in software, hardware, and firmware. Additionally, in cloud-native environments, attackers can use stolen or leaked credentials as a way to gain this initial access.
Unlike broader attacks that take a spray-and-pray approach, APTs use tailored tools or take a targeted focus, like understanding an organization’s technology stack to look for weaknesses or crafting specialized social engineering attacks.
Establish a foothold
Attackers use various techniques to maintain access so they can continue to operate while evading detection, including using:
- Backdoors: using existing vulnerabilities to maintain an unauthorized access point
- Rootkits: malicious software installed on compromised machines that lets attackers perform remote actions or steal data
The threat actors create the additional entry points so that they can access the compromised system if the organization remediates the initial attack vector.
Escalate privileges
After creating their own entry points, attackers explore the organization’s networks to identify critical assets, like databases. During this process, they gather additional credentials so that they can gain privileged access that allows them to target high-value assets and deploy advanced malware to disguise their activity.
Move laterally
Lateral movement is when the attackers expand their control by accessing different infrastructure components, like workstations or servers. As with the earlier stages, they often deploy additional entry points using backdoors or malware so they can continue to explore networks and exploit additional vulnerabilities.
Exfiltrate data
Once the attackers reach their targets, they begin to steal sensitive data or intellectual property, sending it to their command and control (C2) servers. To hide exfiltration, they may deploy additional attacks to distract defenders, like using ransomware or a Distributed Denial of Service (DDoS) attack.
Complete objectives
When attackers have completed their objectives or worry about being caught, they exit the system and remove evidence of their existence. These exit strategies can include:
- Erasing log data
- Removing backdoors or malware
- Manipulating audit trails
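Because the exit stage above centres on erasing log data and manipulating audit trails, a defender wants logs that reveal such edits. The following is an added example, not code from the VulnCheck article: a hash-chained audit log in which every entry commits to the previous one, plus an off-host "anchor" (entry count and head hash, assumed to be forwarded to a remote log collector) so that silently deleting the newest entries is also detectable. The event records are constructed for this example.

```python
"""Tamper-evident audit log (added example; assumptions: in-memory storage and a
constructed anchor standing in for a copy shipped to a remote collector)."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def _entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    data = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


class AuditLog:
    """Append-only log where each entry links to the hash of the one before it."""

    def __init__(self):
        self.entries = []  # each: {"record": ..., "prev": ..., "hash": ...}

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "prev": prev,
                             "hash": _entry_hash(prev, record)})


def verify_chain(entries, anchor=None):
    """Return (ok, first_bad_index, reason).

    reason is "link" when an entry does not point at its predecessor (an entry
    was removed or reordered), "content" when a record was edited in place, and
    "truncated" when the chain is internally consistent but does not match the
    (count, head_hash) anchor held off-host (newest entries were erased)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev:
            return (False, i, "link")
        if _entry_hash(e["prev"], e["record"]) != e["hash"]:
            return (False, i, "content")
        prev = e["hash"]
    if anchor is not None and (len(entries), prev) != anchor:
        return (False, len(entries), "truncated")
    return (True, None, None)


# Constructed sample events; hostnames and users are placeholders.
SAMPLE_EVENTS = [
    {"ts": 1700000000, "event": "logon", "user": "jdoe", "host": "ws-01"},
    {"ts": 1700000060, "event": "service_install", "user": "jdoe", "host": "ws-01"},
    {"ts": 1700000120, "event": "logon", "user": "jdoe", "host": "fs-02"},
    {"ts": 1700000180, "event": "file_copy", "user": "jdoe", "host": "fs-02"},
]


def demo():
    """Build a log, record its anchor, then check three kinds of tampering."""
    log = AuditLog()
    for rec in SAMPLE_EVENTS:
        log.append(rec)
    anchor = (len(log.entries), log.entries[-1]["hash"])  # copy kept off-host

    results = {"intact": verify_chain(log.entries, anchor)}

    edited = copy.deepcopy(log.entries)          # audit trail manipulated
    edited[2]["record"]["user"] = "svc_backup"
    results["edited"] = verify_chain(edited, anchor)

    erased = copy.deepcopy(log.entries)          # one entry erased mid-log
    del erased[1]
    results["erased"] = verify_chain(erased, anchor)

    truncated = copy.deepcopy(log.entries)[:3]   # newest entry erased
    results["truncated"] = verify_chain(truncated, anchor)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

The chain alone catches edits and deletions in the middle of the log; only the off-host anchor catches removal of the tail, which is why forwarding logs (or at least their head hash) to a system the attacker cannot reach matters more than local integrity checks.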
What are the main motives and targets of an APT attack?
Unlike conventional cyber attacks, APT actors, who are often affiliated with nation-state groups, focus on espionage rather than network destruction.
The main motives underlying APT attacks include:
- Intellectual Property Theft: Stealing confidential data, such as product designs or business strategies.
- Surveillance: Gathering intelligence on competitors or foreign entities.
- Economic Advantage: Undermining a competitor’s business operations through unauthorized access.
Since APT attacks require highly technical skills, they often target organizations and industries that create, maintain, or store sensitive data, including:
- Large Corporations: repository of valuable data.
- Defense and Aerospace Industries: access to sensitive defense technologies.
- Government Agencies: strategic intelligence on policy and diplomatic matters.
- Critical Infrastructures: data about energy grids and financial systems.
What are examples of APT Groups?
APT groups are the cybercriminal organizations responsible for deploying the attack. An APT group may claim responsibility for an attack or be categorized by external parties, like MITRE ATT&CK, because a set of attacks uses similar tactics, techniques, and procedures (TTPs).
Some examples of these APT groups include:
- APT31: suspected Chinese cyber espionage actor that exploited vulnerabilities in Java and Adobe Flash to compromise environments when targeting governmental entities, financial services, defense contractors, engineering, telecommunications, media, and insurance companies
- APT37: North Korean state-sponsored cyber espionage group that exploits known vulnerabilities in Hangul Word Processor and Adobe Flash and zero-day vulnerabilities when targeting chemical, electronics, manufacturing, automotive, and healthcare organizations across South Korea, Japan, Vietnam, and the Middle East
- CyberAv3ngers: suspected Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated group that targeted programmable logic controllers (PLCs) in 2023
- Inception: cyber espionage group targeting various industries and governmental entities across Russia, the US, and Europe
- Machete: suspected Spanish-speaking cyber espionage group that focuses on Latin America, targeting high-profile organizations like government entities, intelligence services, military units, telecommunications companies, and power companies
- Metador: cyber espionage group targeting telecommunication companies, internet service providers (ISPs) and universities across the Middle East and Africa since 2022
- Moonstone Sleet: cyber espionage operation using fake companies and personas to deploy social engineering attacks since 2023
- Patchwork: cyber espionage group targeting diplomatic entities, government agencies, and think tanks since 2015
- RedCurl: suspected Russian-speaking threat actor engaging in corporate espionage against travel agencies, insurance companies, and banks across Ukraine, Canada, and the United Kingdom
- Thrip: espionage group that uses custom malware and “living off the land” techniques when targeting satellite communications, telecommunications, and defense contractor companies across the US and Southeast Asia
How APT Groups Use Vulnerabilities to Gain Initial Access
Unlike financially motivated cybercriminals who often purchase exploits on the dark web, APT groups often have the skills, experience, and advanced tools necessary to deploy sophisticated techniques.
Spear-phishing attacks
Spear-phishing attacks send malicious emails to specific targets, tricking them into clicking on a malicious link. Attackers can use this process to steal session tokens, which enables them to compromise applications that have broken access control vulnerabilities arising from:
- Failure to invalidate stateful session identifiers on the server after users log out
- Long-lived stateless JWT tokens that extend an attacker's opportunity to use them
- Lack of OAuth standards for revoking long-lived JWTs
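The three bullets above are server-side defects, so the mitigation is server-side too. The following is an added example, not code from the VulnCheck article: a stateful session store that destroys the identifier on logout, and a stateless token (a minimal HMAC-signed stand-in for a JWT, used here so the example needs no JWT library) that carries a short expiry and an identifier the server can revoke. The secret key, user names and timestamps are constructed for the example.

```python
"""Session and token handling that closes the gaps listed above (added example).
Assumptions: an in-memory session store, an HMAC-signed token format standing in
for a real JWT, and a revocation set consulted on every request."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-key-do-not-use-in-production"


class SessionStore:
    """Stateful sessions: the server owns the record and deletes it on logout."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable, not derived from the user
        self._sessions[sid] = user
        return sid

    def logout(self, sid):
        # Fix for the first bullet: drop the identifier server-side so a stolen
        # sid is useless once the user has logged out.
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        return self._sessions.get(sid)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user, ttl_seconds, now=None):
    """Stateless token: JSON claims + HMAC-SHA256 over the encoded claims.
    A short ttl narrows the window in which a stolen token is usable."""
    now = time.time() if now is None else now
    claims = {"sub": user, "iat": now, "exp": now + ttl_seconds,
              "jti": secrets.token_hex(8)}  # jti lets the server revoke it
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


REVOKED = set()  # jti values; the server-side answer to "no way to revoke"


def revoke_token(token):
    payload = token.split(".")[0]
    REVOKED.add(json.loads(_unb64(payload))["jti"])


def verify_token(token, now=None):
    """Return the subject, or None if the token is malformed, forged,
    expired, or revoked. Signature is checked before the claims are trusted."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"] or claims["jti"] in REVOKED:
        return None
    return claims["sub"]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    store.logout(sid)
    print("session after logout:", store.user_for(sid))   # None
    tok = issue_token("alice", ttl_seconds=900, now=1000.0)
    print("fresh token:", verify_token(tok, now=1010.0))   # alice
    print("expired token:", verify_token(tok, now=2000.0)) # None
    revoke_token(tok)
    print("revoked token:", verify_token(tok, now=1010.0)) # None
```

The revocation set is the part that a purely stateless design lacks: once a server keeps even a small deny list keyed by `jti`, a token stolen by phishing can be cut off before its expiry instead of remaining valid for as long as it was issued.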
Unpatched software
Once attackers know that a vulnerability exists, they look for ways to use it as part of their attacks. For example, in 2024, 23.6% of known vulnerabilities were exploited on or before the day they were published. Additionally, between 2014 and 2023, attackers exploited 1.1% of vulnerabilities listed in VulnCheck’s Known Exploited Vulnerabilities (KEV).
Zero-day attacks
APT groups are more likely than other cybercriminals to exploit previously unknown vulnerabilities in zero-day attacks because they have the financial, tooling, and skill resources to find these weaknesses. Organizations often need to wait for vendors or security researchers to publish the vulnerabilities, leaving them at risk. In some cases, the vendors may not realize that the vulnerability exists until attackers exploit it. For example, in 2024, VulnCheck offered advance warnings for nine zero-day vulnerabilities.
Supply chain attacks
Every organization uses technology from vendors, which means that a vulnerability in a vendor’s environment can affect its customers. Even more challenging, attackers increasingly target vulnerabilities in the software supply chain as developers rely on third-party components. Tracing all these components and their dependencies becomes overwhelming, which gives APT groups an opportunity to find and exploit vulnerabilities.
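Tracing components and their transitive dependencies, and matching the result against a feed of vulnerabilities known to be exploited, is the defensive counterpart of the paragraph above. The following is an added example, not code from the VulnCheck article or a VulnCheck API: it walks a constructed dependency graph breadth-first to build an inventory with the path by which each package was pulled in, then matches the inventory against a constructed feed whose entries carry placeholder identifiers (`DEMO-000n`) and hypothetical package names. Version comparison is a deliberately simple numeric tuple compare.

```python
"""Dependency inventory matched against an exploited-vulnerability feed
(added example; package names, versions and feed entries are constructed)."""
from collections import deque

# Direct dependencies, as a requirements or lock file would list them.
DIRECT = {"webframework": "2.3.1", "reportgen": "1.0.4"}

# Transitive graph: package -> [(dependency, pinned version), ...]
GRAPH = {
    "webframework": [("templating", "4.1.0"), ("httpclient", "0.9.2")],
    "reportgen": [("pdfkit-demo", "3.2.0"), ("templating", "4.1.0")],
    "httpclient": [("urlparse-demo", "1.1.5")],
}

# Feed of vulnerabilities with evidence of exploitation (placeholder IDs).
FEED = [
    {"id": "DEMO-0001", "package": "templating",
     "introduced": "4.0.0", "fixed_in": "4.1.2"},
    {"id": "DEMO-0002", "package": "urlparse-demo",
     "introduced": "1.0.0", "fixed_in": "1.1.0"},   # our 1.1.5 is already fixed
    {"id": "DEMO-0003", "package": "webframework",
     "introduced": "2.0.0", "fixed_in": "2.4.0"},
]


def _ver(v):
    """Parse a dotted numeric version into a comparable tuple (demo-only;
    real ecosystems need their own version semantics)."""
    return tuple(int(part) for part in v.split("."))


def resolve(direct, graph):
    """Walk the graph breadth-first and return
    {package: (version, path_from_a_direct_dependency)}."""
    inventory = {}
    queue = deque((name, ver, [name]) for name, ver in direct.items())
    while queue:
        name, ver, path = queue.popleft()
        if name in inventory:
            continue  # first path wins; a real resolver reconciles conflicts
        inventory[name] = (ver, path)
        for dep_name, dep_ver in graph.get(name, []):
            queue.append((dep_name, dep_ver, path + [dep_name]))
    return inventory


def affected(version, entry):
    """True when introduced <= version < fixed_in."""
    v = _ver(version)
    return _ver(entry["introduced"]) <= v < _ver(entry["fixed_in"])


def match(inventory, feed):
    """Cross-reference the inventory with the feed; shallowest path first so
    direct dependencies, which the team can fix itself, surface before deep
    transitive ones that need an upstream release."""
    findings = []
    for entry in feed:
        hit = inventory.get(entry["package"])
        if hit and affected(hit[0], entry):
            findings.append({"id": entry["id"], "package": entry["package"],
                             "version": hit[0], "path": hit[1]})
    findings.sort(key=lambda f: (len(f["path"]), f["id"]))
    return findings


if __name__ == "__main__":
    inventory = resolve(DIRECT, GRAPH)
    for finding in match(inventory, FEED):
        print(f'{finding["id"]}: {finding["package"]} {finding["version"]} '
              f'via {" -> ".join(finding["path"])}')
```

The `path` field is what makes the result actionable: an exploited bug in a transitive component is only fixable by upgrading or replacing the direct dependency that drags it in, and the path names that dependency.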
Understanding Vulnerability Exploits to Reduce APT Risks with VulnCheck
VulnCheck Exploit & Vulnerability Intelligence enables you to understand the state of vulnerability exploitation by combining technical vulnerability data with open source intelligence to understand how attackers, like APT groups, are acting in the real world. Unlike other vulnerability databases or vulnerability management solutions, VulnCheck includes the latest information about a wider range of vulnerabilities, including those found in open source packages and dependencies and those in mobile, Internet of Things (IoT), and operational technology (OT) devices, and more.
VulnCheck Vulnerability Intelligence provides vulnerability enrichment with insights into vulnerability risk and severity by tracking vendor and government advisories to provide the context you need to prioritize remediation activities.