What Are Advanced Persistent Threats (APTs)?

Advanced persistent threats (APTs) are sophisticated cyberattacks launched by skilled adversaries, designed to steal sensitive data, conduct espionage, or disrupt operations over long periods of time.

What Are the Characteristics of Advanced Persistent Threats (APTs)?

APTs are quite different from opportunistic attacks like broad-spectrum phishing, which tend to rely on mass exploitation tactics and can be carried out even by unskilled actors. Some of the defining traits of APTs are:

  • Highly targeted nature: APTs are carefully built to breach specific organizations, industries, individuals, or governments. Their targets usually possess valuable or sensitive data the attackers can manipulate, destroy, or sell.
  • Long-term presence: APTs are designed to stay undetected inside a network for months or even years. This gives attackers time to carefully analyze their target as well as increase the value and volume of their attack.
  • Stealth and evasion: APTs use techniques that basic security measures overlook. Some of the most common strategies are encryption, masquerading as legitimate code or apps (spoofing), and self-rewriting (polymorphism).
  • Nation-state or organized crime backing: APTs are often sponsored by government or underworld entities pursuing political agendas, competitive advantages, or profit. Threat actors can use these resources to access specialized tools and exploits.

How Advanced Persistent Threats Work

APTs follow a staged life cycle to infiltrate a target, establish control, and avoid detection. The key stages are:

  1. Reconnaissance: Attackers collect intel on their target to find the ideal angle of attack. This can include details on the target's network, apps, users (e.g., names, login credentials), partners, etc.
  2. Initial compromise: Attackers gain access to the target network, often through social engineering (e.g., spear phishing emails, business email compromise), zero-day exploits, or watering hole attacks.
  3. Establishing a foothold: Attackers deploy malware such as remote access trojans (RATs) or backdoors, enabling them to regain access if their original entry point is closed.
  4. Privilege escalation: Attackers use stolen login credentials or exploit internal security flaws (e.g., lax access policies, misconfigurations) to gain high-level permissions or admin access.
  5. Lateral movement: Attackers use their new privileges to move through the network and remain undetected, further strengthening their foothold while they navigate the environment.
  6. Data exfiltration: Attackers transfer valuable data (e.g., intellectual property, financial records, customer information) to an outside location they control. Often, they encrypt the data or embed it in legitimate traffic to avoid detection.
  7. Covering tracks: To maintain access to the network and continue evading detection, attackers may change or delete logs, change timestamps, and more.

Emerging APT Tactics, Techniques, and Procedures (TTPs)

In addition to those mentioned above, APT groups continue to innovate new techniques to circumvent established APT security methods.

Abuse of Cloud Services

APT groups are increasingly abusing legitimate cloud services such as GitHub and Dropbox to perform stealthy attacks. These services feature native encryption, making it easy for APTs to stay hidden as they employ tactics like:

  • API abuse, exploiting trusted software integrations to bypass security controls
  • Webhook abuse, exploiting automated app-to-app communications to hide their location
  • Dead drop resolvers, exploiting cloud storage to protect the location of their malicious infrastructure
  • Payload hosting, storing malicious payloads on platforms that users and security tools trust

Abuse of Social Media

APT actors are also using social media as cover for sophisticated social engineering techniques, dead drops, and more. By posing as recruiters and security researchers on platforms like LinkedIn and X (Twitter), they can conduct portions of their attacks in plain sight.

Learn more in the ThreatLabz Encrypted Attacks Report.

Who Launches Advanced Persistent Threats?

APT attackers largely fall into one of a few categories:

  • Nation-state actors
  • Hacktivist groups
  • Cybercriminal organizations
  • Externally motivated insiders

The actors behind APTs are highly skilled hackers, usually with ample resources and financial backing that give them access to advanced methods and tools. Their sponsors can be organized criminal enterprises out for profit, but are primarily nation-state groups involved in cyber espionage. Groups based in China, Iran, North Korea, and Russia are regularly linked to high-profile APT campaigns.

Real-World Examples of APT Attacks

APTs present an active and growing threat. Some recent incidents include:

  • North Korean remote workers in the West: North Korean threat actors have been using social engineering, GenAI, and stolen data—including source code, personal data, and crypto wallets—to secure remote work opportunities in Western countries.
  • Kimsuky (APT43): This DPRK-backed threat group uses various techniques, including malicious Chrome extensions, to steal login credentials, tracking data, and more from South Korean think tanks, government agencies, and schools.
  • Earth Baku (APT41): This China-based threat actor uses the stealthy DodgeBox loader to deliver MoonWalk backdoor malware. Originally known for targeting organizations in Southeast Asia, the group has expanded its efforts to the EMEA region as well.

Meanwhile, other less recent APT attacks have left notorious legacies behind:

  • SolarWinds attack (2020): Russian nation-state actors deployed trojanized updates to the SolarWinds Orion software, enabling them to install malware on the systems of roughly 18,000 SolarWinds customers, including agencies of the US government.
  • Stuxnet (2010): Allegedly part of a covert cyber sabotage operation, this worm malware disrupted industrial processes in Iranian nuclear facilities, critically damaging an estimated 1,000 nuclear centrifuges.
  • Operation Aurora (2009): China-backed threat actors used a zero-day exploit in the Internet Explorer web browser to steal data from dozens of large companies, including Adobe, Google, and Yahoo. The incident led Google to discontinue operations in China.

Impacts of These Campaigns

APT attacks can have major repercussions, and data breaches are only the beginning. In the aftermath of a breach, victims can face financial losses as well as legal, regulatory, and reputational consequences, sometimes charting a very long road to recovery.

If an APT disrupts critical operations or systems, it can lead to interruptions in supply chains, manufacturing, or essential utilities, or even cause broader political or economic turmoil. The Operation Aurora and Stuxnet attacks in particular showcase how APTs can contribute to long-term sociopolitical and geopolitical tensions.

How to Detect and Defend Against APTs

APT groups expertly design their attacks to be difficult to detect—but it's not impossible. Defending against APTs requires a robust, proactive security architecture that delivers:

  • Complete visibility: Continuous monitoring eliminates blind spots across endpoints, networks, and clouds to detect suspicious activity.
  • Anomaly detection: AI-powered tools can identify unusual patterns, such as abnormal traffic flows or disguised attempts to exfiltrate data.
  • Integrated threat intelligence: Real-time threat intelligence links external data to internal activity, enabling quicker identification of APT-specific tactics.
  • Proactive threat hunting: Expert threat hunters can seek activities like privilege escalation or lateral movement before they trigger automated alerts.
  • Advanced detection tools: Tools like endpoint detection and response (EDR), intrusion detection systems (IDS), and sandboxes can uncover signs of APT behavior that traditional tools miss.
  • Zero trust architecture: Least-privileged access controls and continuous verification of identities and devices minimize the risks of lateral movement or escalation.

How Zscaler Addresses APTs

Zscaler unites essential capabilities with a cloud-native zero trust architecture and advanced analytics for comprehensive APT security. Our approach combines:

  • Full inline traffic inspection: Our cloud-native proxy architecture inspects all inbound and outbound traffic, including TLS/SSL-encrypted traffic, with infinite scale.
  • Inline cloud sandbox analysis: Our AI-powered sandbox delivers unlimited, latency-free inspection and real-time verdicts to block threats before they reach endpoints.
  • Expert threat intelligence: Our ThreatLabz threat research team actively tracks the world's most sophisticated APT groups to understand emerging trends and tactics.

Frequently Asked Questions

Unlike typical cyberattacks that are opportunistic and short-term, APTs are strategic, covert, and sustained. They are meticulously crafted to evade detection while pursuing long-term objectives like espionage or data theft. Furthermore, the attackers are generally highly skilled, organized hackers with third-party financial backing.

APT groups design their attacks for stealth, making them challenging to detect. However, various anomalous actions can indicate APTs, such as unusually large data transfers, sudden configuration changes, or spear phishing attempts. Compromised users may be seen logging in at unusual times or from unknown devices, making atypical access requests, or frequently making unknown outbound connections.
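A defender-side illustration of the indicators named above and in the detection section (logins at unusual hours or from unknown devices, unseen outbound destinations, unusually large transfers): the following Python is an added example, not Zscaler's code or any product's logic. The log records, user names, device IDs and thresholds are all constructed for the example; a real deployment would learn the baseline from weeks of telemetry rather than six records.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (not real telemetry): BASELINE is the learned normal,
# RECENT is new activity to triage. Logins carry hour (0-23) and device; transfers carry dest and bytes.
BASELINE = [
    {"user": "alice", "kind": "login", "hour": 9, "device": "LT-A1"},
    {"user": "alice", "kind": "login", "hour": 10, "device": "LT-A1"},
    {"user": "alice", "kind": "login", "hour": 14, "device": "LT-A1"},
    {"user": "alice", "kind": "transfer", "dest": "crm.example.net", "bytes": 2_000_000},
    {"user": "alice", "kind": "transfer", "dest": "crm.example.net", "bytes": 2_500_000},
    {"user": "alice", "kind": "transfer", "dest": "mail.example.net", "bytes": 1_800_000},
]
RECENT = [
    {"user": "alice", "kind": "login", "hour": 3, "device": "LT-A1"},       # 03:00 login
    {"user": "alice", "kind": "login", "hour": 9, "device": "UNKNOWN-7"},   # never-seen device
    {"user": "alice", "kind": "transfer", "dest": "crm.example.net", "bytes": 2_100_000},
    {"user": "alice", "kind": "transfer", "dest": "drop.example.org", "bytes": 900_000_000},
    {"user": "mallory", "kind": "login", "hour": 11, "device": "LT-M9"},    # account with no history
]

def build_profile(records):
    """Per-user baseline: known devices, login hours, destinations and transfer sizes."""
    prof = defaultdict(lambda: {"devices": set(), "hours": set(), "dests": set(), "sizes": []})
    for r in records:
        p = prof[r["user"]]
        if r["kind"] == "login":
            p["devices"].add(r["device"])
            p["hours"].add(r["hour"])
        else:
            p["dests"].add(r["dest"])
            p["sizes"].append(r["bytes"])
    return prof

def find_indicators(profile, records, z=3.0, slack=1):
    """Return (user, category, detail) for records outside the baseline; the usual login window is the observed hours padded by `slack` hours."""
    hits = []
    for r in records:
        p = profile[r["user"]]  # defaultdict: an account with no history gets an empty profile
        if r["kind"] == "login":
            if r["device"] not in p["devices"]:
                hits.append((r["user"], "unknown-device", r["device"]))
            if p["hours"] and not min(p["hours"]) - slack <= r["hour"] <= max(p["hours"]) + slack:
                hits.append((r["user"], "unusual-hour", f"{r['hour']:02d}:00"))
        else:
            if r["dest"] not in p["dests"]:
                hits.append((r["user"], "unseen-destination", r["dest"]))
            if p["sizes"] and r["bytes"] > mean(p["sizes"]) + z * pstdev(p["sizes"]):
                hits.append((r["user"], "large-transfer", f"{r['bytes']} bytes"))
    return hits
```

Each hit is one weak signal; in practice these are correlated per user over time (a new device followed by an unseen destination and a large transfer is far more interesting than any one of them alone) before an analyst is paged.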

The top targets of APTs house data with high strategic or monetary value, or high potential for disruption. This often includes critical infrastructure organizations—such as government and defense, financial services, healthcare, utilities, transportation, and communications—as well as those with sensitive intellectual property, such as manufacturing, research and development, and education.