APT Attacks: Targets & Tactics

Mike Blinkman
6 min read · Mar 6, 2024

What are APTs?

An Advanced Persistent Threat (APT) is a sophisticated, sustained cyberattack where an intruder establishes a hidden presence within a network to steal sensitive data over an extended period. These attacks are carefully planned, designed to infiltrate specific organizations, evade existing security measures, and operate covertly. APT attacks require high customization and sophistication, with well-funded and experienced cybercriminals targeting high-value organizations utilizing advanced evasion techniques (CrowdStrike, Imperva, Coursera).

China, Russia, and Iran are known to operate APT groups, with China and Russia reportedly linked to nearly 63% of all known APT groups worldwide. Some commonly used names for APT groups based on their country of origin are Pandas for Chinese APT actors, Bears for Russian APTs, and Kittens for Iranian APTs (Malwarebytes). These APT groups target high-value entities like governments, large corporations, or critical infrastructure, with some famous examples being the Equation Group, Lazarus Group, and Stuxnet (SoftwareLab).

CrowdStrike tracks over 150 adversaries worldwide, including nation-states, cyber-criminals, and hacktivists, showcasing the diverse landscape of APT actors. Some examples of APTs include:

  • PLA 61398 (APT 1) and PLA 61486 (APT 2), linked to China,
  • Fancy Bear (APT 28), associated with Russia,
  • Helix Kitten (APT 34), tied to Iran,
  • the Lazarus Group (APT 38), representing North Korea,
  • the Equation Group, linked to the USA,
  • Silence and the Carbanak Group, non-state actors (Heimdal Security),
  • Cozy Bear, the Dukes, and Office Monkeys (APT 29),
  • the Lazarus Group, Guardians of Peace, and HIDDEN COBRA (APT 38).

APT groups and their origins reveal a complex range of cyber threats. Understanding their characteristics and motivations is crucial for effective cybersecurity strategies.

Targets of APTs

The targets of APTs include high-value organizations like nation-states, large corporations, entities in the healthcare industry such as pharmaceutical companies, academia, medical research organizations, and local governments (CISA, Kaspersky). The healthcare sector is particularly vulnerable to APT attacks because it generally relies on outdated technology to store and transmit sensitive patient information, making healthcare organizations prime targets for APT actors aiming to gather bulk personal information, intellectual property, and intelligence (Sharmila et al.).

There have been instances of Advanced Persistent Threat (APT) attacks on energy facilities where threat actors targeted sensitive information such as details on the design of state-of-the-art energy technologies or the exact locations of critical energy infrastructure like power plants or pipelines. These attacks are calculated and planned well in advance, with extensive research on the target network and the specific organization being targeted, making them a credible threat to national security (ProPrivacy). The energy sector faces a discernible increase in APT group activity, making it a prime target for organizations and nation-states seeking to gain a competitive advantage by obtaining valuable information on energy technologies and practices (Hunt & Hackett).

In the healthcare sector, one example of an APT attack involved a sophisticated cyber intrusion targeting a hospital’s network with the intention of stealing sensitive patient information, such as medical records and personal data. This attack was carried out over an extended period, with the perpetrators conducting thorough research on the hospital’s network and operations to maximize the impact of their breach (ProPrivacy). By gaining access to patient information, the attackers could potentially sell this data on the dark web for financial gain or use it for identity theft. Such a breach could not only result in serious legal and financial consequences for the hospital but could also disrupt essential medical services, putting patient lives at risk. To prevent such incidents, conducting comprehensive APT assessments is crucial to identify and mitigate potential threats, safeguarding patient information and ensuring the continuity of essential medical services (Sharmila et al.).

Performing APT Attacks

The life cycle of APTs involves a series of processes that include infiltration and extraction of sensitive information from a device or system. APTs are complex and sophisticated tactics used by experienced cybercriminals, often targeting entities like governments, law firms, and financial institutions to gain valuable confidential data for motives such as espionage and cyber warfare. The attackers aim to establish footholds within the IT infrastructure of targeted organizations, persistently carrying out their objectives over an extended period while adapting to defenders’ efforts to resist them (CSRC). APTs differ from other cyberattacks by being long-term strategies that involve slowly collecting sensitive data before delivering a significant blow, making detection challenging until it’s too late (NordPass).

APTs utilize a variety of tactics during their complex and multifaceted attack stages. These tactics include:

  • infiltration to gain a foothold within the targeted organization,
  • distraction with concurrent Distributed Denial-of-Service (DDoS) attacks,
  • installation of backdoors for continuous access,
  • escalation/expansion of access,
  • extraction of stolen data, ideally without detection,
  • deployment of white-noise tactics or additional DDoS attacks to divert attention,
  • data exfiltration using tunneling techniques or encrypted channels,
  • maintaining persistence within the network through backdoors, trojans, and malware.

Together, these tactics allow the attackers, or APT group, to gain long-term access to their targeted systems (NordPass, Emsisoft, HackerOne).

Mitigating APT Attacks

APTs can be detected and countered through various methods, such as monitoring for an increase in sophisticated spear-phishing emails targeting employees with high-level access, implementing routine software updates and patches to close vulnerabilities, securing private networks through encrypted network access, utilizing Intrusion Detection and Prevention Systems (IDS/IPS) to monitor network traffic, conducting regular reviews of logs and network activity, and watching for any unusual behavior from users or end devices (Comparitech, NordPass, Malwarebytes).
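The tactics listed under "Performing APT Attacks" (long-lived footholds, backdoors that keep calling home, exfiltration over tunnelling or encrypted channels) and the log-review and unusual-behavior monitoring recommended above can be turned into concrete checks. The script below is an added example, not code from the article or from any of the sources it cites: it runs three simple heuristics over constructed log lines. Every host name, user, IP address, domain and threshold in it is hypothetical, and the thresholds would need tuning against a real environment's baseline.

```python
"""Added example (not from the article): three log-review heuristics that map
to the APT tactics the article lists. All sample data below is constructed and
every host, user, IP address and domain is hypothetical."""
from collections import defaultdict
from datetime import datetime
import math
import statistics

# Constructed authentication log: a privileged account used late at night.
AUTH_LOG = """\
2024-03-04T09:12:03 logon user=svc_backup host=WS-17 result=success
2024-03-04T23:41:55 logon user=da_admin host=WS-17 result=success
2024-03-05T02:07:19 logon user=da_admin host=DC-01 result=success
2024-03-05T10:30:00 logon user=jsmith host=WS-22 result=success
"""

# Constructed DNS log: one host emitting long, high-entropy subdomain labels
# under a single parent domain, the typical shape of DNS tunnelling.
DNS_LOG = """\
2024-03-05T02:10:01 src=10.0.5.17 qname=mail.example-corp.internal
2024-03-05T02:10:02 src=10.0.5.17 qname=4f9a2c7e1b3d8e6a0c5f7b2d9e1a3c4f.cdn-update.test
2024-03-05T02:10:03 src=10.0.5.17 qname=9b1e3d5f7a2c4e6b8d0f1a3c5e7b9d2f.cdn-update.test
2024-03-05T02:10:04 src=10.0.5.17 qname=c3e5a7b9d1f2a4c6e8b0d2f4a6c8e0b1.cdn-update.test
2024-03-05T02:10:05 src=10.0.5.17 qname=e7a9c1b3d5f7a9c1b3d5e7f9a1b3c5d7.cdn-update.test
2024-03-05T02:10:06 src=10.0.5.17 qname=1a3c5e7b9d2f4a6c8e0b1d3f5a7c9e2b.cdn-update.test
2024-03-05T02:10:07 src=10.0.5.17 qname=5d7f9b1c3e5a7c9e1b3d5f7a9c1e3b5d.cdn-update.test
2024-03-05T02:11:00 src=10.0.5.22 qname=www.example-corp.internal
"""

# Constructed flow log: one host beaconing every ~5 minutes over TLS, another
# pushing a large volume of data to a single external destination.
FLOW_LOG = """\
2024-03-05T03:00:00 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=1200
2024-03-05T03:05:00 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=1180
2024-03-05T03:10:01 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=1210
2024-03-05T03:15:00 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=1190
2024-03-05T03:20:00 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=1205
2024-03-05T03:25:00 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=1195
2024-03-05T09:00:00 src=10.0.5.22 dst=203.0.113.50 dport=443 bytes_out=850000
2024-03-05T14:30:00 src=10.0.5.22 dst=203.0.113.50 dport=443 bytes_out=40000
"""


def parse(text):
    """Parse 'ISO-timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in text.strip().splitlines():
        tokens = line.split()
        rec = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        rec["ts"] = datetime.fromisoformat(tokens[0])
        records.append(rec)
    return records


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def off_hours_privileged_logons(auth, privileged, start=7, end=19):
    """Flag logons by privileged accounts outside business hours (start <= hour < end)."""
    return [(r["user"], r["host"], r["ts"].isoformat())
            for r in parse(auth)
            if r["user"] in privileged and not start <= r["ts"].hour < end]


def dns_tunnelling_candidates(dns, min_len=20, min_entropy=3.0, min_queries=5):
    """Count long, high-entropy subdomain labels per (source, parent domain) and
    return the pairs that exceed min_queries: data encoded into DNS names."""
    hits = defaultdict(int)
    for r in parse(dns):
        labels = r["qname"].split(".")
        sub, base = labels[0], ".".join(labels[-2:])
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            hits[(r["src"], base)] += 1
    return {k: v for k, v in hits.items() if v >= min_queries}


def beaconing_and_bulk_transfer(flow, min_conns=5, max_cv=0.1, bulk_bytes=500_000):
    """Per (src, dst) pair: flag regularly spaced connections (a backdoor beacon,
    low coefficient of variation between gaps) and pairs whose total outbound
    volume exceeds bulk_bytes (possible exfiltration over an encrypted channel)."""
    by_pair = defaultdict(list)
    for r in parse(flow):
        by_pair[(r["src"], r["dst"])].append((r["ts"], int(r["bytes_out"])))
    beacons, bulk = [], []
    for pair, conns in by_pair.items():
        conns.sort()
        total = sum(b for _, b in conns)
        if total > bulk_bytes:
            bulk.append((pair, total))
        if len(conns) >= min_conns:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
            if cv <= max_cv:
                beacons.append((pair, round(statistics.mean(gaps)), round(cv, 3)))
    return beacons, bulk


if __name__ == "__main__":
    print("off-hours admin logons:", off_hours_privileged_logons(AUTH_LOG, {"da_admin"}))
    print("DNS tunnelling candidates:", dns_tunnelling_candidates(DNS_LOG))
    beacons, bulk = beaconing_and_bulk_transfer(FLOW_LOG)
    print("beacons:", beacons)
    print("bulk outbound:", bulk)
```

Each heuristic on its own produces false positives (a backup job also moves bulk data at regular intervals), which is why the article's advice to combine log review with knowledge of which assets and accounts are valuable matters: the same host showing up in two or three of these lists is a far stronger signal than any one of them.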

As discussed earlier in the article, the primary targets of APT attacks are usually large organizations and governments. As a result, individuals aren’t generally at risk of APTs. Organizations, on the other hand, are at risk. To mitigate APTs, organizations should implement a multi-layered security strategy encompassing both prevention and response mechanisms. Much like every other time I discuss this topic, this includes conducting thorough risk assessments to identify valuable and vulnerable assets, establishing robust security policies for handling sensitive data and managing user privileges, regularly reviewing and updating security policies, promptly patching vulnerabilities through routine software updates and patches, using secure private networks with encrypted access, and staying alert to the evolving threat landscape to adapt defenses accordingly (Sigma Cyber Security, NordPass, Hacker One).

Advanced Persistent Threats (APTs) represent sophisticated and sustained cyberattacks designed to infiltrate specific organizations, evade security measures, and steal sensitive data covertly. With well-funded and experienced cybercriminals behind them, these attacks require high customization and pose significant risks to high-value entities, including governments, large corporations, and critical infrastructure.

Written by Mike Blinkman

Cybersecurity blogger dissecting vulnerabilities and exploits in well-known and well-used systems to demonstrate both hacking and mitigation strategies.
