APT Security: What You Need to Know about Advanced Persistent Threats
Advanced Persistent Threats (APT) Are Dangerous for Any Company. Learn What They Are and How to Stay Safe!
APT security is a concept that describes the preventive measures any company should take to avoid advanced persistent threats (APTs). Read on to find out how an APT attack works, what are the clues that indicate your network might be compromised and what you can do to avoid the danger.
APT Security: Definition
According to CompariTech, an advanced persistent threat (APT) describes
a sophisticated, long-term and multi-staged attack, usually orchestrated by nation-state groups, or well-organized criminal enterprises. The term was initially used to describe the groups behind these attacks, but its common usage has evolved to also refer to the attack styles we see from these types of threat actors.
Usually, when cybercriminals initiate APT attacks, they aim to obtain classified information, intellectual property, personal information or databases, ongoing communication between high-value targets.
APT Security: History, M.O., Famous Groups
The term “advanced persistent threat” was used for the first time in 2006 by the United States Air Force Colonel Greg Rattray.
As I have mentioned, APT threat actors are usually members of organized groups. Among the most famous APT groups we mention:
- The Chinese cyberespionage group consisting of Red Apolo (APT 10), MenuPass, Stone Panda and Potassium. According to the United States Department of Justice, the cyberespionage group has operated since 2006 and targets “aerospace, engineering, and telecom firms and any government that they believe is a rival of China.”
- Charming Kitten (aka APT35 or Ajax Security or Phosphorus or NewsBeef – an Iranian government cyberwarfare group known “to use phishing to impersonate company websites, as well as fake accounts and fake DNS domains to phish users’ passwords.”
- Lazarus Group or Guardians of Peace/Whois Team, a cybercrime that appears to have strong links to North Korea. Although “not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them over the last decade. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and a wide array of methods used when conducting an operation.”
- Cozy Bear or APT 29, a “Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR).” Apparently, they were responsible for an attack on US sovereign national data on the 20th of December 2020 and are still targeting the US today.
An APT attack’s lifecycle includes multiple stages:
- Initial compromise. In this initial stage, cybercriminals get access to their targets by using tactics like social engineering, spear phishing, zero-day vulnerabilities or malware.
- Establishing foothold. At this point, the remote administration software is planted in the network of the victim, creating backdoors for future access.
- Privileges escalation. In this stage, cybercriminals try to acquire administrator privileges by exploiting or cracking passwords
- Internal prospecting. This stage is dedicated to exploration and information collection.
- Lateral movement. At this point, cybercriminals “expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.”
- Presence maintenance. In this stage, hackers make sure that they have continued control over the victim’s network and that they maintain the credentials acquired in the earlier stages.
- End of mission. In this final stage, cybercriminals exfiltrate the data they’ve stolen from the victim’s network.
APT Security: APT Attack Indicators
APT attacks, as impressive as they may be, can be discovered in time if you pay attention to certain aspects:
Are there any late-night logins into your company’s network?
Unexpected logins outside working hours could suggest that credentials got stolen and are being used in different time zones or during the night.
Are there any large flows of data, from internal sources to internal or external devices?
In general, APT attackers usually copy the data they want to steal to other locations in your network before transferring it to their servers.
Was there any spear-phishing attempt in your company?
Spear phishing attacks are designed to “look like they’ve been sent by well-known market actors such as PayPal, Google, Spotify, Netflix, and even Apple Pay” and might be directed against high-management individuals, in the attempt to get access to restricted data or their devices.
Did you discover any backdoor Trojan?
As defined in our Cybersecurity Glossary, A Trojan represents
a type of malware that acts according to the Greek legend: it camouflages itself as a legitimate file or program to trick unsuspecting users into installing it on their PCs. Upon doing this, users will unknowingly give unauthorized, remote access to the cyber attackers who created and run the Trojan. Trojans can be used to spy on a user’s activity (web browsing, computer activity, etc.), to collect and harvest sensitive data, to delete files, download more malware onto the PC and more.
Trojans are some of the APT actors’ favorites, as CompariTech mentions:
APTs often install multiple Trojans in different parts of an organization’s network to make it easy to access various parts. They also use them as redundancies, just in case other forms of network access are blocked. If they only had one entry point, months of their work could be easily undone if the target’s security team comes across it.
APT Security: APT Attack Examples
Some of the most notorious APT attacks happened in 2006 and 2010 – I’m talking about Sykipot Attacks and the Stuxnet Worm.
The 2006 Sykipot attacks took advantage of Adobe Reader and Acrobat vulnerabilities and were part of “a long-running series of cyberattack campaigns aimed primarily at U.S and U.K organizations including defense contractors, telecommunications companies and government departments. The attackers consistently used targeted emails containing either a link or malicious attachment containing zero-day exploits.”
The Stuxnet Worm was used against Iran in 2010. “Considered at the time to be one of the most sophisticated pieces of malware ever detected […]”, the worm targeted “systems that are traditionally not connected to the internet for security reasons. It instead infects Windows machines via USB keys and then propagates across the network […]”.
If you’re interested in learning more about how worms work, I recommend you to read one of our previous articles, Virus vs. Worm: What’s the Difference?
APT Security: Prevention
Although this type of cyberattacks is highly sophisticated, achieving APT security is not such a difficult mission as it might seem. In fact, the prevention strategies you can adopt to keep your company safe are, so to say, classic:
If you’re interested in implementing all the suggestions mentioned above and working with a single agent in a unified dashboard for a complete overview, you can give our product suite a try.
Our EPDR solution actually comprises a next-gen antivirus, DNS protection (our DNS threat prevention tool even won the Anti-Advanced Persistent Threat Solution of the Year Award at the Computing Security Awards in 2020), automated software patching and access management.
HEIMDAL™ ENDPOINT PREVENTION
- DETECTION AND CONTROL
For your email protection we have designed Heimdal™ Email Fraud Prevention. Heimdal™ Email Fraud Prevention will help you combat phishing, business email compromise, email-deployed malware, imposter threats, CEO fraud and criminal impersonation, as well as Man-in-the-email and spoofing attacks.
Heimdal™ Email Fraud Prevention
APT Security: Wrapping Up
Any company can achieve APT security if used to respecting a few basic cybersecurity rules, albeit APT attacks are some of the most complex online threats of today’s world.
However you choose to proceed, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it.
Drop a line below if you have any comments, questions or suggestions regarding the topic of APT security – we are all ears and can’t wait to hear your opinion!