APT stands for Advanced Persistent Threat. Behind an APT attack there are usually highly skilled attackers who have very specific targets and take a “low-and-slow” approach to planning and executing their operations. Read on to find out more!

Examining the APT Attack Machinery: Definition

As defined by CompariTech, an

advanced persistent threat (APT) is a sophisticated, long-term and multi-staged attack, usually orchestrated by nation-state groups, or well-organized criminal enterprises. The term was initially used to describe the groups behind these attacks, but its common usage has evolved to also refer to the attack styles we see from these types of threat actors.

Most of the time, APT actors aim to gain access to: 

  • classified information – this may include government documents, financial records, military plans and so on. 
  • intellectual property – this is usually the target of industrial espionage, which is interested in trade secrets and other sensitive information that can be used by competitors or nation-states. 
  • personal information or databases – health records, financial details and other types of personal information can be used in a variety of cybercrimes. 
  • ongoing communication – APT threat actors are interested in the communication between high-value targets; they want to find out about plans or personal information that can be used for blackmail.

Examining the APT Attack Machinery: Stages

The stages of an APT attack can be grouped into four or five, depending on the terminology used. Let us have a closer look. 

[Image: APT attack stages. Source: phoenixNAP]

1. The Initial Access

As you can imagine, in this stage the APT attackers gain access to their target network, usually by exploiting an application vulnerability, through a phishing email or via a malicious attachment. At this point, the attackers aim to plant malware in the network, which is consequently compromised but not yet breached. 

2. The Malware Deployment

Next, the planted malware starts looking for network vulnerabilities, communicating with its external command-and-control servers and waiting for instructions on how to exploit what it finds. 

3. The Access Expansion

At this point, the planted malware continues to search for vulnerabilities, using them to open additional entry points that serve as backups in case the original ones become inaccessible. 

4. The Exploration of the Assets

By this stage, the attackers have established long-term and reliable network access, so the malware looks for sensitive assets such as user credentials and sensitive data files that can be stolen. 

5. The Data Collection and Transfer

In this final stage, the stolen data stored on a staging server is exfiltrated to an external server, so the target networks are breached. The attackers won’t forget to cover their tracks so they can repeat the process later. 

Examining the APT Attack Machinery: Signs / Characteristics

APT actors use sophisticated means to hide their presence, but there will still be some signs that can raise suspicion. Here are the indicators that may help you recognize an APT attack: 

Unexpected logins

If you detect an unexpected volume of logins outside working hours, an APT attack might be ongoing. Attackers may be using stolen credentials from a different time zone, or during the night, to avoid being noticed. 

[Image: APT attack hours. Source: Unsplash]
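One way to turn this indicator into a concrete check, as an added example that is not from the original post: the script below parses constructed login records (the log format, the business hours and the `min_events` threshold are all assumptions) and reports users with repeated successful logins outside business hours, along with any source address they used only off-hours.

```python
"""Off-hours login detection over constructed auth-log lines (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = """\
2024-03-04T09:12:41 login user=alice src=10.0.4.21 result=success
2024-03-04T09:15:02 login user=bob src=10.0.4.30 result=success
2024-03-04T17:48:10 login user=alice src=10.0.4.21 result=success
2024-03-05T02:03:55 login user=bob src=10.0.9.77 result=success
2024-03-05T02:04:20 login user=bob src=10.0.9.77 result=success
2024-03-05T02:06:01 login user=bob src=10.0.9.77 result=success
2024-03-05T03:10:44 login user=carol src=10.0.4.52 result=success
2024-03-05T10:00:00 login user=carol src=10.0.4.52 result=success
"""

WORK_START, WORK_END = 8, 18   # assumed business hours, local time (hypothetical)


def parse(line):
    """Split '<iso-timestamp> login key=value ...' into a dict with a parsed ts."""
    ts, _, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def off_hours(ts):
    """True outside WORK_START..WORK_END or on a weekend."""
    return not (WORK_START <= ts.hour < WORK_END) or ts.weekday() >= 5


def off_hours_report(log_text, min_events=2):
    """Return {user: {"count", "new_sources"}} for users with at least
    min_events successful off-hours logins; new_sources lists source IPs
    seen only off-hours, never during business hours for that user."""
    off_count, off_ips, work_ips = defaultdict(int), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        e = parse(line)
        if e["result"] != "success":
            continue                      # failed attempts are a separate signal
        if off_hours(e["ts"]):
            off_count[e["user"]] += 1
            off_ips[e["user"]].add(e["src"])
        else:
            work_ips[e["user"]].add(e["src"])
    return {
        user: {"count": n, "new_sources": sorted(off_ips[user] - work_ips[user])}
        for user, n in off_count.items() if n >= min_events
    }
```

Raising `min_events` trades sensitivity for fewer alerts; the `new_sources` field separates an employee working late from the same account appearing from an address it never uses during the day.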

Unexpected data transition

APT attackers copy the data they want to steal to other locations in your network and transfer it out when they know they can do so undetected. Consequently, you might notice unusual server-to-server, server-to-client or network-to-network information flows.

Sophisticated spear phishing emails

Spear phishing attacks are directed against specific employees or organizations and are designed to “look like they’ve been sent by well-known market actors such as PayPal, Google, Spotify, Netflix, and even Apple Pay. In some cases, they may even take the guise of in-house emails, asking the employee to fill in credential requests.” 

APT actors might send spear phishing emails to senior management, trying to get access to restricted data or to their laptops. 

As defined in our Cybersecurity Glossary

a Trojan Horse is a type of malware that acts according to the Greek legend: it camouflages itself as a legitimate file or program to trick unsuspecting users into installing it on their PCs. Upon doing this, users will unknowingly give unauthorized, remote access to the cyber attackers who created and run the Trojan. Trojans can be used to spy on a user’s activity (web browsing, computer activity, etc.), to collect and harvest sensitive data, to delete files, download more malware onto the PC and more.

CompariTech mentions that 

APTs often install multiple Trojans in different parts of an organization’s network to make it easy to access various parts. They also use them as redundancies, just in case other forms of network access are blocked. If they only had one entry point, months of their work could be easily undone if the target’s security team comes across it.

Examining the APT Attack Machinery: A Few Examples

When it comes to APT examples, CompariTech notes: 

historically, the term advanced persistent threat has mainly been used for groups linked to nation-states. Few others had the necessary financial backing, the organizational capacity and the impunity of working on behalf of their government (and thus under its protection), except those linked to nation-states. The earliest named APTs were the Chinese state-backed groups PLA 61398 (APT 1) and PLA 61486 (APT 2). Their activities often focused on industrial espionage, targeting the likes of nuclear and aerospace firms. Groups linked to other countries were soon named as well, including Fancy Bear (APT 28), Helix Kitten (APT 34), the Lazarus Group (APT 38) and the Equation Group. These have ties to Russia, Iran, North Korea and the USA, respectively.

There are also APT actors that seem to act purely for financial gain, without any state ties, such as Silence or the Carbanak Group.

Since PLA 61398 was mentioned, it might be interesting for you to know that one of their targets was, apparently, Coca-Cola.

Coca-Cola was in the midst of an acquisition bid for the China Huiyuan Juice Group, worth $2.4 billion. During the negotiation process, PLA Unit 61398 was rifling through the computers of Coca-Cola executives to try and find out the company’s strategy.

The attack started with a spearphishing attempt, which led one of Coca-Cola’s executives to click on a malicious link. This gave the group its entry point into Coca-Cola’s network. Once it was in, it managed to collect and send confidential files back to China each week, all without being noticed.

Examining the APT Attack Machinery: On Prevention

An APT attack is complex and might seem really startling, but, luckily, there are a few prevention strategies you can adopt to avoid it. So, always remember to: 

1. Have a firewall installed 

Firewalls are essential for a successful cybersecurity strategy, therefore it’s crucial to have one installed if you want to prevent APTs. 

2. Have an antivirus solution installed 

Antivirus solutions prevent a wide range of trojans, malware and viruses that APT actors might use when trying to exploit your system, so they are also essential. 

If you would prefer a solution that mixes the traditional antivirus and firewall with other cybersecurity necessities, you’ve come to the right place. Our Endpoint Detection and Response (EDR) Software merged EPP with EDR to offer you continuous prevention using DNS-based attack protection and patching, combined with an immediate response through DNS and DoH filtering, a next-gen Antivirus, threat hunting, automated patch management, and a component for automated admin rights escalation and de-escalation. 


3. Enable email protection

Since APT actors are very fond of spear phishing and other email threats, it’s clear that you need to properly protect your email accounts. 

Our Heimdal™ Email Fraud Prevention will help you combat phishing, business email compromise, email-deployed malware, imposter threats, CEO fraud and criminal impersonation, Man-in-the-email and spoofing attacks. 


4. Use an access management solution 

Privileged access management governs privileged accounts and, together with Identity Access Management and Privileged Identity Management, protects data and information across the organization. A strong access control system makes it harder for APT attackers to log into your company’s network successfully, even with stolen credentials. 

Here, you can try our very own Heimdal™ Privileged Access Management, which will show you all the admin requests in its centralized dashboard, allowing you to approve or deny user requests from anywhere or set up an automated flow.


Examining the APT Attack Machinery: Wrapping Up

An APT attack is a very complex cybersecurity threat, usually orchestrated by well-organized criminal groups, but not impossible to prevent if you have the right information and allies. 

However you choose to proceed, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it. 

Drop a line below if you have any comments, questions or suggestions regarding the topic of APT attack  – we are all ears and can’t wait to hear your opinion!
