APTs are orchestrated by cybercriminals to breach an organization and then gain and maintain long-term access to high-value assets, such as intellectual property or confidential information, for economic benefit or espionage.
APTs are not typically quick, “take-the-money-and-run” attacks. Instead, they are highly strategic and may be sponsored by nation-states or terrorist groups. Increasingly, elaborate APTs are being used to appropriate confidential records and personally identifiable information from large enterprises.
APTs often begin with spear-phishing e-mails, drive-by downloads, infected USB devices, or file sharing to gain entry into corporate systems. Once a system is compromised, a back door is created that bypasses traditional perimeter controls. Sometimes, legitimate administrative credentials are stolen and reused to establish additional back doors. The attackers then install low-profile, well-hidden software that connects back to their command-and-control (C&C) servers, and through that channel they locate and exfiltrate valuable data. Typically, the malware is custom or repacked, so it raises no red flags with signature-based defenses such as antivirus software. These sophisticated, stealthy intrusions can remain undetected for months or years.
History of APTs
APTs first came to prominence over a decade ago with the advent of large-scale espionage campaigns aimed at high-profile industries and government agencies. The term advanced persistent threat is attributed to US Air Force Colonel Greg Rattray, who applied the expression to data-exfiltrating Trojans in 2006. At that time, there was only one documented APT attack. In 2014, according to APTnotes, there were 50 incidents. Examples of early attacks include Moonlight Maze (targeted US defense contractors), Sykipot (aimed at US and UK companies in energy, telecommunications, and defense), GhostNet (infiltrated systems in more than 100 countries), Operation Aurora (accessed and modified source code at high-tech, security, and defense companies), Zeus (a Trojan horse toolkit used to steal personal information from social media accounts along with credit card and online banking credentials), Stuxnet (spied on and disrupted industrial control systems), and more. Today, advanced persistent threats are also surfacing in ordinary enterprises, not just government and defense targets.
How APTs Work
Malware is delivered to an endpoint, often via an e-mail attachment, a drive-by download from a malicious URL, or an infected USB device.
The malware beacons out to the attacker's external command-and-control (C&C) server. The attackers now have remote access to the infected system and the sensitive data stored on it, such as user names and passwords, and can send the implant further instructions for the next stage of the operation.
The attackers move laterally through the target's network, reaching servers or systems that hold valuable data or that they intend to disrupt.
Data is quietly exfiltrated, often in small or encrypted pieces over channels chosen to evade alerts and tracking.
Attackers cover their tracks by eradicating traces of the malware and the logs it touched, making forensics difficult or impossible, or they may stage noisier attacks to distract the target's security staff.
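As an added example, not part of the original article, the following Python script shows how the C&C beaconing in the second step and the bulk exfiltration in the fourth step can be surfaced from ordinary outbound proxy logs: it groups connections by source/destination pair, flags pairs whose connection intervals are near-metronomic (low coefficient of variation of the gaps), and flags pairs with an unusually large total outbound byte count. The log format, IP addresses, thresholds and sample lines are all constructed for this example and come from no real product or incident.

```python
"""Flag C2-style beaconing and bulk outbound transfers in a proxy log.

Added illustration; the log format, hosts and thresholds below are
constructed for this example and are not from any real product or incident.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src ip> <dst ip> <bytes sent>"
# 10.0.0.5 beacons roughly every 60 s, 10.0.0.8 browses irregularly,
# 10.0.0.9 pushes out ~63 MB in three connections late at night.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.7 412
2024-03-01T09:01:02 10.0.0.5 203.0.113.7 418
2024-03-01T09:01:59 10.0.0.5 203.0.113.7 409
2024-03-01T09:03:01 10.0.0.5 203.0.113.7 415
2024-03-01T09:04:00 10.0.0.5 203.0.113.7 411
2024-03-01T09:04:58 10.0.0.5 203.0.113.7 420
2024-03-01T09:06:01 10.0.0.5 203.0.113.7 413
2024-03-01T09:07:00 10.0.0.5 203.0.113.7 410
2024-03-01T09:00:00 10.0.0.8 198.51.100.20 1520
2024-03-01T09:00:07 10.0.0.8 198.51.100.20 880
2024-03-01T09:01:35 10.0.0.8 198.51.100.20 2310
2024-03-01T09:01:50 10.0.0.8 198.51.100.20 640
2024-03-01T09:06:40 10.0.0.8 198.51.100.20 1900
2024-03-01T09:06:45 10.0.0.8 198.51.100.20 730
2024-03-01T09:15:00 10.0.0.8 198.51.100.20 1210
2024-03-01T09:25:00 10.0.0.8 198.51.100.20 990
2024-03-01T22:10:00 10.0.0.9 192.0.2.44 20000000
2024-03-01T22:20:00 10.0.0.9 192.0.2.44 25000000
2024-03-01T22:31:00 10.0.0.9 192.0.2.44 18000000
"""

# Tunables (assumed values; calibrate against your own traffic baseline)
MIN_CONNECTIONS = 6      # need enough samples before judging regularity
MAX_JITTER_CV = 0.2      # stdev/mean of inter-connection gaps; low = metronomic
BULK_BYTES = 50_000_000  # total bytes out to one destination worth a look


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def analyze(records):
    """Return findings for beaconing pairs and for bulk outbound transfers."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        events.sort()
        total_out = sum(n for _, n in events)
        if total_out >= BULK_BYTES:
            findings.append({"kind": "bulk_outbound", "src": src, "dst": dst,
                             "bytes_out": total_out})
        if len(events) >= MIN_CONNECTIONS:
            # Gaps between consecutive connections; a sleep-loop implant
            # produces gaps that cluster tightly around its sleep interval.
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else float("inf")
            if cv <= MAX_JITTER_CV:
                findings.append({"kind": "beacon", "src": src, "dst": dst,
                                 "connections": len(events),
                                 "mean_interval_s": avg, "cv": cv})
    return findings


def detect(text):
    """Convenience wrapper: raw log text in, list of findings out."""
    return analyze(parse_log(text))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Two caveats when turning this into a real detection. Mature implants add deliberate jitter to their sleep interval and sometimes vary the destination (domain fronting, rotating CDN hosts), so the jitter threshold and the grouping key both need tuning against a baseline of normal traffic, and software updaters and monitoring agents also beacon regularly and must be allow-listed. The byte-volume check is equally coarse: attackers who exfiltrate in small pieces over days stay under a per-day threshold, so in practice the totals are aggregated over longer windows and compared per host against that host's own history.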
Notable Headline-Generating APTs
Sony Pictures (2014)
The perpetrators were not identified when the breach first became public, but the FBI later publicly attributed the attack to North Korea, and it is widely regarded as politically motivated retaliation for a film deemed offensive to the North Korean regime. The breach resulted in leaks of internal documents, e-mails, employee data, and unreleased films. It is alleged that the intrusion began with a spear-phishing e-mail containing a PDF that delivered a remote-access Trojan (RAT).
Target (2013)
Attackers used credentials stolen from a heating and air-conditioning contractor to gain a foothold in Target's network, moved laterally to the point-of-sale systems, and harvested roughly 40 million payment card records with memory-scraping malware on the registers. Target's initially reported breach-related expenses were approximately $61 million.