APT Attack: Everything You Need to Know to Keep Your Company Safe
Advanced Persistent Threats Are Some of the Most Complex Cyberattacks. Learn What an APT Attack Is and How to Prevent It!
APT stands for Advanced Persistent Threat. Behind an APT attack there are usually highly skilled attackers with very specific targets and a “low-and-slow” approach to planning and executing their operations. Read on to find out more!
Examining the APT Attack Machinery: Definition
As defined by CompariTech, an
advanced persistent threat (APT) is a sophisticated, long-term and multi-staged attack, usually orchestrated by nation-state groups, or well-organized criminal enterprises. The term was initially used to describe the groups behind these attacks, but its common usage has evolved to also refer to the attack styles we see from these types of threat actors.
Most of the time, APT actors aim to gain access to:
- classified information – this may include government documents, financial records, military plans and so on.
- intellectual property – this is usually the target of industrial espionage, which is interested in trade secrets and other sensitive information that can be used by competitors or nation-states.
- personal information or databases – health records, financial details and other types of personal information can be used in a variety of cybercrimes.
- ongoing communication – APT threat actors are interested in the communication between high-value targets; they want to find out about plans or personal information that can be used for blackmail.
Examining the APT Attack Machinery: Stages
The stages of an APT attack can be grouped into four or five, depending on the terminology used. Let us have a closer look.
1. The Initial Access
As you can imagine, in this stage the APT attackers gain access to their target network, usually through an application vulnerability, a phishing email or a malicious attachment. At this point, the attackers aim to plant malware into the network, which is, consequently, compromised but not yet breached.
2. The Malware Deployment
Next, the planted malware starts looking for network vulnerabilities, communicating with its external command-and-control servers and waiting for instructions on how to exploit what it finds.
3. The Access Expansion
At this point, the planted malware continues to search for vulnerabilities and uses them to establish new entry points as backups for the old ones, in case they become inaccessible.
4. The Exploration of the Assets
By this stage, the attackers have established long-term and reliable network access, so the malware looks for sensitive assets like user credentials and sensitive data files that can be stolen.
5. The Data Collection and Transfer
In this final stage, the stolen data stored on a staging server is exfiltrated to an external server, at which point the target network is breached. The attackers won’t forget to cover their tracks so they can repeat the process later.
Examining the APT Attack Machinery: Signs / Characteristics
APT actors use sophisticated means to hide their presence, but there will still be some signs that can raise suspicions. Here are the indicators that may help you recognize an APT attack:
If you detect an unexpected volume of logins outside working hours, an APT attack might be ongoing. Attackers might have stolen credentials and use them from different time zones or during the night to avoid being noticed.
Unexpected data transfers
APT attackers copy the data they want to steal to other locations in your network and transfer it out when they know they can do so undetected. Consequently, you might notice unexpected server-to-server, server-to-client or network-to-network information flows.
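The two indicators above, a spike in off-hours logins and unexpected internal data movement, can be turned into simple detection rules run over authentication and file-transfer logs. The following is an added Python example, not code from the original post or from Heimdal; the log format, business hours, thresholds and host names are assumptions, and the log lines are constructed samples.

```python
from collections import Counter
from datetime import datetime

# Constructed sample logs in an assumed format: ISO timestamp, event, key=value fields.
AUTH_LOG = """
2024-03-11T02:13:07 login user=jdoe src=10.0.5.21
2024-03-11T02:14:41 login user=jdoe src=10.0.5.21
2024-03-11T02:20:03 login user=asmith src=10.0.5.21
2024-03-11T02:25:19 login user=bwong src=10.0.5.21
2024-03-11T09:02:55 login user=jdoe src=10.0.7.4
2024-03-11T09:10:12 login user=asmith src=10.0.7.9
""".strip().splitlines()

TRANSFER_LOG = """
2024-03-11T03:02:10 copy src=fileserver01 dst=ws-044 bytes=5200000000
2024-03-11T10:15:00 copy src=fileserver01 dst=ws-012 bytes=20000000
2024-03-11T11:40:31 copy src=fileserver01 dst=ws-044 bytes=35000000
""".strip().splitlines()

WORK_START, WORK_END = 8, 18   # assumed business hours (local time, 24h)

def parse(line):
    """Split one log line into a dict with a parsed timestamp and its key=value fields."""
    ts, _event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    rec.update(kv.split("=", 1) for kv in fields)
    return rec

def is_off_hours(ts):
    return not WORK_START <= ts.hour < WORK_END

def off_hours_logins(lines, threshold=3):
    """Return {source_host: count} for hosts with at least `threshold` off-hours logins.
    Several accounts logging in from one host at night is the pattern of stolen
    credentials being replayed, which the post names as an APT indicator."""
    counts = Counter()
    for rec in map(parse, lines):
        if is_off_hours(rec["ts"]):
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

def unexpected_transfers(lines, max_bytes=1_000_000_000):
    """Flag internal copies that happen off-hours or exceed `max_bytes` (staging for exfiltration)."""
    hits = []
    for rec in map(parse, lines):
        size = int(rec["bytes"])
        off = is_off_hours(rec["ts"])
        if off or size > max_bytes:
            hits.append((rec["src"], rec["dst"], size, "off-hours" if off else "volume"))
    return hits
```

In production the thresholds would be baselined per host and per user rather than fixed, but the shape of the rule is the same.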
Sophisticated spear phishing emails
Spear phishing attacks are directed against employees or organizations and are designed to “look like they’ve been sent by well-known market actors such as PayPal, Google, Spotify, Netflix, and even Apple Pay. In some cases, they may even take the guise of in-house emails, asking the employee to fill in credential requests.”
APT actors might send spear phishing emails to senior management, trying to get access to restricted data or their laptops.
As defined in our Cybersecurity Glossary,
a Trojan Horse is a type of malware that acts according to the Greek legend: it camouflages itself as a legitimate file or program to trick unsuspecting users into installing it on their PCs. Upon doing this, users will unknowingly give unauthorized, remote access to the cyber attackers who created and run the Trojan. Trojans can be used to spy on a user’s activity (web browsing, computer activity, etc.), to collect and harvest sensitive data, to delete files, download more malware onto the PC and more.
CompariTech mentions that
APTs often install multiple Trojans in different parts of an organization’s network to make it easy to access various parts. They also use them as redundancies, just in case other forms of network access are blocked. If they only had one entry point, months of their work could be easily undone if the target’s security team comes across it.
Examining the APT Attack Machinery: A Few Examples
When it comes to APT examples, CompariTech notes:
historically, the term advanced persistent threat has mainly been used for groups linked to nation-states. Few others had the necessary financial backing, the organizational capacity and the impunity of working on behalf of their government (and thus under its protection), except those linked to nation-states. The earliest named APTs were the Chinese state-backed groups PLA 61398 (APT 1) and PLA 61486 (APT 2). Their activities often focused on industrial espionage, targeting the likes of nuclear and aerospace firms. Groups linked to other countries were soon named as well, including Fancy Bear (APT 28), Helix Kitten (APT 34), the Lazarus Group (APT 38) and the Equation Group. These have ties to Russia, Iran, North Korea and the USA, respectively.
Since PLA 61398 was mentioned, it might be interesting for you to know that one of their targets was, apparently, Coca-Cola:
Coca-Cola was in the midst of an acquisition bid for the China Huiyuan Juice Group, worth $2.4 billion. During the negotiation process, PLA Unit 61398 was rifling through the computers of Coca-Cola executives to try and find out the company’s strategy.
The attack started with a spearphishing attempt, which led one of Coca-Cola’s executives to click on a malicious link. This gave the group its entry point into Coca-Cola’s network. Once it was in, it managed to collect and send confidential files back to China each week, all without being noticed.
Examining the APT Attack Machinery: On Prevention
An APT attack is complex and might seem really startling, but, luckily, there are a few prevention strategies you can adopt to avoid it. So, always remember to:
1. Have a firewall installed
2. Have an antivirus solution installed
Antivirus solutions prevent a wide range of trojans, malware and viruses that APT actors might use when trying to exploit your system, so they are also essential.
If you would prefer a solution that mixes the traditional antivirus and firewall with other cybersecurity necessities, you’ve come to the right place. Our Endpoint Detection and Response (EDR) Software merged EPP with EDR to offer you continuous prevention using DNS-based attack protection and patching, combined with an immediate response through DNS and DoH filtering, a next-gen Antivirus, threat hunting, automated patch management, and a component for automated admin rights escalation and de-escalation.
HEIMDAL™ ENDPOINT PREVENTION - DETECTION AND CONTROL
- Next-gen Antivirus & Firewall which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Privileged Access Management and Application Control, all in one unified dashboard
3. Enable email protection
Since APT actors are very fond of spear phishing and other email threats, it’s clear that you need to properly protect your email accounts.
Our Heimdal™ Email Fraud Prevention will help you combat phishing, business email compromise, email-deployed malware, imposter threats, CEO fraud and criminal impersonation, Man-in-the-email and spoofing attacks.
Heimdal™ Email Fraud Prevention
- Deep content scanning for attachments and links;
- Phishing, spear phishing and man-in-the-email attacks;
- Advanced spam filters to protect against sophisticated attacks;
- Fraud prevention system against Business Email Compromise;
4. Use an access management solution
Privileged access management governs privileged accounts and, together with Identity Access Management and Privileged Identity Management, protects data and information across organizations. A strong access control system can make it more difficult for APT attackers to successfully log into your company’s network.
Here, you can try our very own Heimdal™ Privileged Access Management, which will show you all the admin requests in its centralized dashboard, allowing you to approve or deny user requests from anywhere or set up an automated flow.
Heimdal™ Privileged Access Management
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
Examining the APT Attack Machinery: Wrapping Up
An APT attack is a very complex cybersecurity threat, usually orchestrated by well-organized criminal groups, but not impossible to prevent if you have the right information and allies.
However you choose to proceed, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it.
Drop a line below if you have any comments, questions or suggestions regarding the topic of APT attack – we are all ears and can’t wait to hear your opinion!