{"id":2711,"date":"2014-10-09T19:30:58","date_gmt":"2014-10-09T19:30:58","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2711"},"modified":"2020-02-26T10:56:34","modified_gmt":"2020-02-26T15:56:34","slug":"a-laymans-dictionary-what-is-apt-and-why-is-it-called-that","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/a-laymans-dictionary-what-is-apt-and-why-is-it-called-that\/2711\/","title":{"rendered":"A layman’s dictionary: What is APT and why is it called that?"},"content":{"rendered":"

APT: These three letters appear in cybersecurity-related news and bulletins more and more. Advanced Persistent Threats have become common.<\/p>\n

\n<\/p>

What is Advanced Persistent Threat? The term actually refers to two different things. Initially, it was hacking groups (possibly government-backed) involved in continuous and persistent (hence the name) attacks towards a specific victim. One example the notorious Comment Crew (aka APT 1), was involved with attacks on the largest media outlets in US.<\/p>\n

A Layman\u2019s dictionary: What is #APT and why is it called that #security<\/p>Tweet<\/a><\/blockquote>\n

Now APT also refers to a specific kind of malicious cyber campaign that involves a series of diverse activities with the intent to cause harm or steal important and sensitive information. The groups behind such attacks are now called \u201cAPT groups\u201d.<\/p>\n

In 2013, Kaspersky Lab\u2019s Global Research & Analysis Team (GReAT) reported that NetTraveler<\/a>, a long-running APT campaign, had infected over 350 victims in more than 40 countries. At the time of the announcement, NetTraveler had been active for 9 years, and it was mainly stealing valuable data from space research laboratories, nanotechnology and energy production companies, nuclear power plants, medical equipment producers, and laser and communications technology companies. It also targeted Tibetan\/Uyghur activists, which suggests that it is most likely backed by Chinese authorities.<\/p>\n

However \u201chi-tech\u201d the targets were, methods used by NetTraveler \u2013 mainly phishing messages with attached MS Office documents, which when opened used exploits for old vulnerabilities CVE-2012-0158 and CVE-2010-3333 \u2013 were quite primitive, but surprisingly efficient.<\/p>\n

This year NetTraveler hit 10 years and was updated with newer malware tools<\/a>. Still, it\u2019s the same APT campaign with the same people behind it.<\/p>\n

\"wide-5\"<\/a><\/p>\n

Earlier this year security researchers uncovered yet another long-standing APT campaign aimed at the exfiltration of important data from organizations associated with strategic industrial sectors. This campaign received not just one name, but two: Energetic Bear and\/or Crouching Yeti<\/a>. It mainly targeted industrial and machinery sectors, but manufacturing, pharmaceutical, and construction companies were also attacked, along with education facilities and, of course, organizations related to information technology.<\/p>\n

Victims were either peppered with spearphishing PDF docs with embedded flash exploit (CVE-2011-0611, quite old, as one may see), or served with Trojanized software installers; then there were waterhole attacks using a variety of re-used exploits.<\/p>\n

APT actors don\u2019t need supercustom #malware for their campaigns to be successful<\/p>Tweet<\/a><\/blockquote>\n

Interestingly, none of these exploits were zero-day: All were long known with patches that were available, but not installed by victims. The campaign had been ongoing for at least four years prior to the discovery.<\/p>\n

As seen above, the APT campaigns have the following common features:<\/p>\n