What is APT?

June 11, 2013

APT stands for advanced persistent threat. It became famous following a New York Times exposé detailing a month’s long attack campaign in which a Chinese military unit now known as “APT 1” thoroughly penetrated the media organization’s networks with a series of spear-phishing emails and a deluge of customized malware samples.


There are two ways to look at it: APT as a thing and APT as people. On the one hand, an advanced persistent threat refers to a highly precise sort of cyberattack. On the other hand, advanced persistent threat can also refer to the groups, often state sponsored or well-funded in other ways, that are responsible for launching such precision attacks.

Truly advanced persistent threats are a bit counter-intuitive. When you think about most cybercriminals and other spreaders of malware, you think that their goal is to infect as many computers as possible with their credential pilfering, botnet building, or other malicious software. The wider the net, the more opportunity for stealing money, computing resources, or whatever it is they’re after. APT actors on the other hand are interested in infecting the machines of particular people.

The point is: you don’t have to be the CEO in order to be a potential APT target. Nearly anyone with an internet connection is a potential target.

The end-goal of an APT-style attack is to compromise a machine on which there is some sort of valuable information. It would be an obvious success if an attacker managed to load a keylogger or install a backdoor onto the machine of the chief executive or information officer of a prominent company, but you’ve got to wake up pretty early in the morning to trick one of these guys or gals. They’re smart. They have security teams and tools looking out for them. In other words, it may just be too hard to hack these enterprising individuals.

So instead of targeting the CEO, APT groups often choose to target some lesser employee, like a copy-writer or graphic designer, who may not have particularly valuable information on his or her machine but is on the same network as machines with valuable data and could potentially be used as a stepping stone toward infecting valuable machines. To recap: compromise the copy-writer’s machine and use his or her email address to spear-phish the CEO.

Even this tactic often proves too difficult as companies continue investing more money on corporate security products and employee education. APT hackers now resort to choosing increasingly obscure targets in an attempt to daisy chain a complicated sequence of infections that eventually yields valuable data. For example, maybe your great uncle is a bigwig at Boeing or you work as an engineer at a highly specialized design firm that develops a certain exhaust component that Boeing uses in one if it’s jetliners. APT groups might target you as a starting point that could eventually lead to the compromise that yields secrets.

The point is: you don’t have to be the CEO in order to be a potential APT target. Nearly anyone with an internet connection is a potential target.

Just last week Kaspersky analysts uncovered an APT-style espionage campaign called “NetTraveler” that may-well have spanned the better part of a decade targeting diplomats, military contractors and government agencies in 40 countries. This attack, like many APT-style attacks, began with a spear-phishing email that exploited a couple known Microsoft vulnerabilities. Eventually the attackers deployed a tool capable of extracting system information, dropping keylogging malware, stealing Office documents such as Word, Excel and PowerPoint files, and modifying configurations to steal Corel Draw designs, AutoCAD files and other file types used in manufacturing and defense circles. This attack should be considered an advanced persistent threat because it seems to have only targeted individuals and organizations whose computers would contain valuable secrets. As I mentioned above, APT can also refer to hacker or attack groups. In this case, the APT group is a prolific one. Perhaps not quite as prolific as the notorious Comment Crew (aka APT 1), but Kaspersky Lab researchers claim that whoever launched NetTraveler is likely responsible for the Titan Rain and GhostNet attacks as well.