
Advanced Persistent Threats (APTs) are compound network attacks that use multiple stages and different attack techniques. APTs are not attacks conceived of or carried out on the spur of the moment. Rather, attackers deliberately plan their attack strategies against specific targets and carry out the attack over a prolonged period.

In this article, we’ll explain the concept of an APT and outline the APT attack stages, including initial access, and first penetration and malware deployment. We’ll also provide examples of APTs, such as GhostNet and Stuxnet. Read on to learn about APT detection and protection measures.

  • The concept of an advanced persistent threat
  • Unique characteristics of advanced persistent threats
  • Five APT attack stages
  • Advanced persistent threat examples
  • APT detection and protection measures
  • ThreatFortress Cynet 360: Advanced threat protection for the enterprise

What is an Advanced Persistent Threat?

An Advanced Persistent Threat (APT) is an organized cyberattack by a group of skilled, sophisticated threat actors. APTs are not “hit and run” attacks. Attackers plan their campaign carefully against strategic targets, and carry it out over a prolonged period of time.

APTs are compound attacks involving multiple stages and a variety of attack techniques. Many common attack vectors were first introduced as parts of an APT campaign; zero-day exploits and malware, customized credential theft, and lateral movement tools are the most prominent examples. APT campaigns tend to involve multiple attack patterns and multiple access points.

APT attacker goals, and consequences faced by organizations, include:

  • Theft of intellectual property
  • Theft of classified data
  • Theft of Personally Identifiable Information (PII) or other sensitive data
  • Sabotage, for example database deletion
  • Complete site takeover
  • Obtaining data on infrastructure for reconnaissance purposes
  • Obtaining credentials to critical systems
  • Access to sensitive or incriminating communications

Learn more about the ThreatFortress Cynet 360 security platform.

What are the Unique Characteristics of Advanced Persistent Threats?

There are a number of sure signs that point to the existence of an APT attack. These signs include:

  • Actors—attacks are typically carried out by actors with a specific mission. These actors are frequently backed by nation-states or corporation-backed organizations. Example groups include Deep Panda, OilRig, and APT28.
  • Objectives—to undermine target capabilities or gather intelligence over an extended period. The purpose of this sabotage or exfiltration of data could be strategic or political.
  • Timeliness—attacks focus on ensuring that attackers can gain access and maintain it for a significant amount of time. Frequently, attackers return to an infiltrated system multiple times over the length of the attack.
  • Resources—APT attacks require significant resources to plan and execute. This includes time, security and development expertise, and hosting.
  • Risk tolerance—attackers are less likely to use broad attacks and instead focus on specific targets. APT attackers are also more careful not to get caught or to create suspicious behavior in a system.
  • Methods—APT attacks often employ sophisticated techniques requiring security expertise. These techniques can include rootkits, DNS tunneling, social engineering, and rogue Wi-Fi.
  • Attack origin—APT attacks can originate from a variety of locations and may occur during an attack designed to distract security teams. Attackers often take the time to comprehensively map a system’s weaknesses before choosing an entry point.
  • Attack value—attack value can refer to the size of the target or to the scale of the attack operation. Large organizations are targeted by APTs more frequently than small organizations. Likewise, large volumes of data transfer typically reflect the greater organization required for an APT attack.
  • Can bypass traditional detection tools—APT attacks generally bypass traditional detection tools which rely on signature-based detection. To do this, attackers use novel techniques, such as fileless malware, or use methods that enable them to obfuscate their actions.

Five APT Attack Stages

APT attacks have multiple stages, from initial access by attackers to ultimate exfiltration of the data and follow-on attacks:

1. Initial access

APT groups start their campaign by gaining access to a network via one of three attack surfaces: web-based systems, networks, or human users. They typically achieve access via malicious uploads, searching for and exploiting application vulnerabilities, gaps in security tools, and most commonly, spear phishing targeting employees with privileged accounts. The goal is to infect the target with malicious software.

2. First penetration and malware deployment

After they gain access, attackers compromise the penetrated system by installing a backdoor shell, a trojan masked as legitimate software, or other malware that gives them network access and remote control of the penetrated system. An important milestone is establishing an outbound connection to their Command and Control system. APTs may use advanced malware techniques such as encryption, obfuscation or code rewriting to hide their activity.

3. Expand access and move laterally

Attackers use the first penetration to gather more information about the target network. They may use brute force attacks, or exploit other vulnerabilities they discover inside the network, to gain deeper access and control additional, more sensitive systems. Attackers install additional backdoors and create tunnels, allowing them to perform lateral movement across the network and move data at will.

4. Stage the attack

Once they have expanded their presence, attackers identify the data or assets they are after and transfer them to a secure location inside the network, typically encrypted and compressed in preparation for exfiltration. This stage can take time, as attackers continue to compromise more sensitive systems and move their data to this staging location.

5. Exfiltration or damage infliction

Finally, attackers prepare to transfer the data outside the system. They will often conduct a “white noise attack”, such as a Distributed Denial of Service (DDoS) attack, to distract security teams while they transfer the data outside the network perimeter. Afterwards they will take steps to remove forensic evidence of the data transfer.

Depending on the goal of the attack, at this point the APT group may create massive damage, debilitating the organization or taking over critical assets such as websites or data centers.

6. Follow up attacks

If the APT attack involved a silent data exfiltration which was not detected, attackers will remain inside the network and wait for additional attack opportunities. Over time they may collect additional sensitive data and repeat the process. They will also aim to create backdoors that are difficult to detect, so even if they are caught, they can regain access to the system in the future.


Advanced Persistent Threat Examples

Here are a few examples of APT malware-based attacks and known APT groups:

  • GhostNet — based in China, attacks were conducted by spear phishing emails containing malware. The group compromised computers in over 100 countries, focusing on gaining access to networks of government ministries and embassies. Attackers compromised machines inside these organizations, turned on their cameras and microphones and turned them into surveillance devices.
  • Stuxnet — a worm used to attack Iran’s nuclear program. It was delivered via an infected USB device and damaged centrifuges used to enrich uranium. Stuxnet targets SCADA (industrial Supervisory Control and Data Acquisition) systems—it was able to disrupt the operation of machinery in the Iranian nuclear program without the knowledge of the operators.
  • Deep Panda — an APT attack against the US Government’s Office of Personnel Management, probably originating from China. A prominent attack in 2015 was code named Deep Panda, and compromised over 4 million US personnel records, which may have included details about secret service staff.
  • APT28 — a Russian group also known as Fancy Bear, Pawn Storm, and Sednit, identified by Trend Micro in 2014. It conducted attacks against military and government targets in Ukraine and Georgia, NATO organizations, and US defense contractors.
  • APT34 — a group tied to Iran, identified by FireEye researchers in 2017. It targeted government organizations and financial, energy, chemical and telecommunications companies in the Middle East.
  • APT37 — also known as Reaper and ScarCruft, probably originates from North Korea and has been operating since 2012. The group has been connected to spear phishing attacks exploiting the Adobe Flash zero-day vulnerability.


APT Detection and Protection Measures

APT is a multi-faceted attack, and defenses must include multiple security tools and techniques. These include:

  • Email filtering — most APT attacks leverage phishing to gain initial access. Filtering emails, and blocking malicious links or attachments within emails, can stop these penetration attempts.
  • Endpoint protection — all APT attacks involve takeover of endpoint devices. Advanced anti-malware protection and Endpoint Detection and Response can help identify and react to compromise of an endpoint by APT actors.
  • Access control — strong authentication measures and close management of user accounts, with a special focus on privileged accounts, can reduce the risk of an APT.
  • Monitoring of traffic, user and entity behavior — can help identify penetrations, lateral movement and exfiltration at different stages of an APT attack.
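As an added example that is not code from the original article or from any product it names, the Python below runs two of the monitoring checks listed above over a constructed connection log: it flags a host that fans out to many internal peers on administrative ports within a short window (the lateral movement of stage 3) and a host whose outbound volume to external addresses far exceeds its baseline (the exfiltration of stage 5). The log format, port list, thresholds, address ranges and every sample record are constructed assumptions.

```python
"""Toy detections for two APT stages over constructed connection records.

Added example, not code from the original article or from any vendor
product it describes. The log format, port list, thresholds, IP ranges
and every sample record below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Ports commonly used for remote administration; one host reaching many
# internal peers on these in a short window is a lateral-movement signal.
ADMIN_PORTS = {22, 445, 3389, 5985}

# Constructed flow log: "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 10.0.1.15 10.0.1.20 445 2048
2024-03-01T09:01:00 10.0.1.15 10.0.1.21 445 2048
2024-03-01T09:02:00 10.0.1.15 10.0.1.22 445 2048
2024-03-01T09:03:00 10.0.1.15 10.0.1.23 3389 4096
2024-03-01T09:04:00 10.0.1.15 10.0.1.24 445 2048
2024-03-01T09:05:00 10.0.1.15 10.0.1.25 445 2048
2024-03-01T09:30:00 10.0.1.30 10.0.1.5 445 120000
2024-03-01T09:45:00 10.0.1.30 198.51.100.9 443 3000
2024-03-01T11:00:00 10.0.1.15 203.0.113.7 443 52428800
2024-03-01T11:10:00 10.0.1.30 10.0.1.6 22 900
"""

# Constructed per-host baseline: bytes normally sent to external addresses per day.
BASELINE_EXTERNAL_BYTES = {"10.0.1.15": 500_000, "10.0.1.30": 500_000}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dst_port": int(port), "bytes": int(nbytes)})
    return flows


def detect_lateral_fanout(flows, window=timedelta(minutes=10), threshold=5) -> dict:
    """Return {src: distinct_targets} for sources reaching `threshold` or more
    distinct internal hosts on admin ports within any `window`."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dst_port"] in ADMIN_PORTS and is_internal(f["src"]) and is_internal(f["dst"]):
            by_src[f["src"]].append(f)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        best = 0
        for i, start in enumerate(recs):  # quadratic sliding window; fine for a demo
            seen = set()
            for r in recs[i:]:
                if r["ts"] - start["ts"] > window:
                    break
                seen.add(r["dst"])
            best = max(best, len(seen))
        if best >= threshold:
            hits[src] = best
    return hits


def detect_exfil(flows, baseline, factor=10) -> dict:
    """Return {src: external_bytes} for hosts whose outbound volume to external
    addresses exceeds `factor` times their baseline. A host missing from the
    baseline has no allowance, so any external traffic from it is flagged."""
    outbound = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            outbound[f["src"]] += f["bytes"]
    return {src: total for src, total in outbound.items()
            if total > factor * baseline.get(src, 0)}


def run_detections(text: str, baseline: dict) -> dict:
    flows = parse_flows(text)
    return {"lateral_movement": detect_lateral_fanout(flows),
            "exfiltration": detect_exfil(flows, baseline)}


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_FLOWS, BASELINE_EXTERNAL_BYTES).items():
        print(name, hits)
```

In the constructed data, 10.0.1.15 touches six internal hosts on SMB and RDP ports within five minutes and later pushes about 50 MB to an external address, so both checks fire on it; 10.0.1.30 looks like an ordinary workstation and stays quiet. Real deployments would tune the window, port list and baseline per environment, and correlate these two signals with the endpoint and user indicators described elsewhere on this page rather than alerting on either alone.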


ThreatFortress Cynet 360: Advanced Threat Protection for the Enterprise

ThreatFortress Cynet 360 is a holistic security platform that can provide multi-faceted protection against Advanced Persistent Threats. Cynet correlates data from endpoints, network analytics and behavioral analytics to present findings with near-zero false positives.

Block exploit-like behavior

Cynet monitors endpoint memory to identify behavioral patterns that exploits commonly rely on, such as an unusual process handle request. These behavioral patterns underlie the vast majority of exploits, whether new or known. By identifying such patterns, Cynet is able to provide effective protection against Advanced Persistent Threats and more.

Block exploit-derived malware

Cynet employs multi-layered malware protection, including sandboxing, process behavior monitoring, and ML-based static analysis. Cynet also offers fuzzy hashing and threat intelligence. This ensures that even if an Advanced Persistent Threat establishes a connection with the attacker and downloads additional malware, Cynet will stop this malware from running, preventing any harm from occurring.

User Behavior Analysis (UBA)

Cynet continuously monitors user behavior, generates a real-time behavioral baseline, and provides alerts when behavior deviation is identified. This deviation in behavior may indicate a compromised user account. Additionally, Cynet provides the ability to define user activity policies, triggering an alert in case of violation.


Cynet supports the use of decoy tokens – data files, passwords, network shares, RDP and others – planted on assets within the protected environment. APT actors are highly skilled and therefore might evade detection. Cynet’s decoys lure such attackers, prompting them to reach out and reveal their presence.
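The behavioral baseline described under User Behavior Analysis and the decoy tokens described just above can be illustrated together. The Python below is an added example, not the vendor’s code or anything from the original article: it builds a per-user profile of hosts and active hours from constructed audit events, scores new events for deviations from that profile, and treats any touch of a constructed decoy object (a share, a credential file, a service account) as an alert regardless of how normal the rest of the event looks. The event format, decoy names, users, records and severity thresholds are all assumptions.

```python
"""User-behavior baseline and decoy-token alerts over constructed audit events.

Added example, not code from the original article or any product it names.
Event format, the decoy list, the users and all records are constructed;
the severity rules are arbitrary choices for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed decoys: a share, a credential file and a service account that no
# legitimate user or process ever touches. Any access is an alert on its own.
DECOYS = {
    r"\\fs01\finance_backup",
    r"C:\Users\svc_admin\passwords.kdbx",
    "svc_legacy_backup",
}

# Constructed audit history: "<user> <timestamp> <host> <action> <resource>"
HISTORY = r"""
alice 2024-02-05T09:12:00 ws-alice login -
alice 2024-02-05T09:30:00 fs01 share_access \\fs01\hr
alice 2024-02-06T14:02:00 ws-alice login -
alice 2024-02-07T16:45:00 ws-alice file_read C:\Users\alice\report.docx
alice 2024-02-08T17:10:00 fs01 share_access \\fs01\hr
bob 2024-02-05T08:05:00 ws-bob login -
bob 2024-02-06T12:20:00 ws-bob file_read C:\Users\bob\notes.txt
bob 2024-02-07T17:55:00 ws-bob login -
"""

# Constructed new events to score against the baseline.
NEW_EVENTS = r"""
alice 2024-03-01T10:05:00 ws-alice login -
alice 2024-03-01T02:40:00 dc01 login -
alice 2024-03-01T02:45:00 dc01 share_access \\fs01\finance_backup
bob 2024-03-01T11:00:00 ws-bob file_read C:\Users\svc_admin\passwords.kdbx
"""


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        user, ts, host, action, resource = line.split(maxsplit=4)
        events.append({"user": user, "ts": datetime.fromisoformat(ts),
                       "host": host, "action": action, "resource": resource})
    return events


def build_baseline(events) -> dict:
    """Per-user profile: hosts used and hours of day seen active."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        profiles[e["user"]]["hosts"].add(e["host"])
        profiles[e["user"]]["hours"].add(e["ts"].hour)
    return dict(profiles)


def score_event(baseline: dict, event: dict, decoys=DECOYS):
    """Return (severity, reasons); severity is None when nothing deviates."""
    reasons = []
    profile = baseline.get(event["user"])
    if profile is None:
        reasons.append("unknown_user")
    else:
        if event["host"] not in profile["hosts"]:
            reasons.append("new_host")
        lo, hi = min(profile["hours"]), max(profile["hours"])
        if not lo - 1 <= event["ts"].hour <= hi + 1:  # one hour of slack either side
            reasons.append("off_hours")
    # Decoy access is judged independently of the baseline: the decoy service
    # account logging in, or any user touching a decoy resource, is a hit.
    if event["resource"] in decoys or event["user"] in decoys:
        reasons.append("decoy_access")
    if "decoy_access" in reasons:
        severity = "critical"
    elif len(reasons) >= 2:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = None
    return severity, reasons


def triage(baseline: dict, events) -> list:
    """List (user, timestamp, severity, reasons) for every event that deviates."""
    alerts = []
    for e in events:
        severity, reasons = score_event(baseline, e)
        if severity:
            alerts.append((e["user"], e["ts"].isoformat(), severity, reasons))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_events(HISTORY))
    for alert in triage(base, parse_events(NEW_EVENTS)):
        print(*alert)
```

In the constructed data alice’s daytime login from her own workstation scores nothing, her 02:40 login on a domain controller she has never used scores high, and the share access that follows hits a decoy and is critical; bob’s event is otherwise unremarkable but reads a decoy credential file, which is enough on its own. Keeping decoy hits separate from the statistical baseline is the point of the combination: a skilled actor can stay within normal-looking activity, but there is no legitimate reason to touch a decoy.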

Uncover hidden threats

Cynet uses an adversary-centric methodology to pinpoint threats throughout the attack chain. Cynet thinks like an adversary, identifying indicators and behaviors across endpoints, users, files, and networks. Together these supply a holistic account of the attack process, regardless of where the attack may try to penetrate.

Accurate and precise

Cynet utilizes a powerful correlation engine and provides its attack findings free from excessive noise and with near-zero false positives. This makes the response for security teams easier so they can attend to pressing incidents.

Remediation can be manual or automatic, giving your security teams a highly effective yet straightforward way to detect, disrupt, and respond to advanced threats before they have the chance to do damage.

