> [!abstract] In short
> An APT is an attack where an intruder gains unauthorized access and stays undetected for a long time. These are patient, well-resourced, long-term operations, often run by well-funded groups, sometimes backed by governments or criminal organizations.
## What it is
An Advanced Persistent Threat isn't a smash-and-grab. The intruder gets in and then _stays_, quietly, for months or years. These operations need serious resources and planning, which is why they're usually the work of well-funded groups, sometimes state-sponsored.
The motive goes beyond quick financial gain. It's about **maintaining access** and reaching high-value targets: trade secrets, cutting-edge research, proprietary technology, anything that hands an advantage to whoever is funding the operation.
## How it works
It starts with reconnaissance to study the target, then initial infiltration (spear-phishing, exploiting vulnerabilities, supply chain attacks). Once inside, the attackers set up a way to keep their access through malware or backdoors, then move laterally, escalating privileges and compromising more systems. Then data exfiltration, and finally persistence, so they can return whenever they want.
The classic stages:
1. **Reconnaissance:** Gather information: employees, technologies in use, public-facing systems.
2. **Initial intrusion:** Get the first foothold, often via spear-phishing or a known vulnerability.
3. **Establish foothold:** Install backdoors or implants that survive reboots and updates.
4. **Privilege escalation:** Gain higher-level access (admin, domain admin).
5. **Lateral movement:** Pivot through the network toward the systems that actually hold value.
6. **Data exfiltration:** Quietly send data out, often disguised as normal traffic.
7. **Persistence and cleanup:** Keep access for the future and erase evidence of the intrusion.
## Impact
Because these are long-term operations, the financial and reputational damage can be enormous, sometimes enough to destroy an organization. Beyond the immediate losses, an APT can compromise national security when the target is a government agency or defense contractor, and cause years of strategic damage when stolen intellectual property hands competitors a permanent edge.
Some well-known APT groups have been linked to specific countries (**APT28** and **APT29** to Russia, **APT1** and **APT41** to China, **Lazarus** to North Korea), which is why APT incidents often carry a geopolitical dimension on top of the technical one.
## Two faces of the same idea
The defining trait of an APT is persistent, undetected access to something valuable. That can be achieved through code or through a person. These two real cases show the same pattern from opposite directions.
> [!example] The cyber APT: SolarWinds (2020)
> Attributed to **APT29** (Cozy Bear, tied to Russian intelligence), this was a supply chain attack. Rather than hacking thousands of targets directly, the attackers compromised SolarWinds and slipped malicious code into a routine update of its Orion software. That trojanized update was then shipped to thousands of customers, including US government agencies and major tech firms. The intrusion began around 2019 and wasn't discovered until December 2020. Patient, hidden, and aimed straight at high-value targets.

> [!example] The human insider: Robert Hanssen (1979–2001)
> An FBI counterintelligence agent who spied for the Soviet Union and then Russia for around two decades. He never had to "hack" anything: his access was completely authorized. Using dead drops and encrypted communications under the alias "Ramon Garcia," he handed over classified material for cash and diamonds, and at one point was even assigned to hunt the very mole he himself was. He went undetected for years despite occasional suspicion.

> [!quote] Why pair them:
> SolarWinds is an APT made of code and Hanssen is an APT made of trust. One slipped in through a software update, the other walked in with a badge. The lesson is the same: the real damage of a persistent threat comes not from how loud the break-in is, but from how long it stays quiet. This is also exactly where APTs blur into the [[Insider Threat]] problem.
## Defenses
Defenses focus on **assuming breach**. Since APTs are built to slip past perimeter defenses, the goal shifts to detecting them early and limiting how far they can move once inside.
- **Network segmentation**, so a foothold can't reach everything.
- **Strong logging and SIEM monitoring**, to surface the quiet signs.
- **Threat hunting**: actively searching for signs of compromise instead of waiting for alerts.
- **MFA everywhere**, raising the cost of stolen credentials.
- **Timely patching** of critical vulnerabilities, closing the doors they ride in on.
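A concrete picture of what "threat hunting" and "surfacing the quiet signs" mean in practice, tying back to the stages above (a foothold that checks in on a timer, exfiltration hidden in normal traffic): the script below is an added example, not code from the original note. It scans a constructed sample of outbound proxy log lines and flags two patterns a hunter looks for: connections to one destination at suspiciously regular intervals (beacon-like check-ins), and source/destination pairs whose total outbound volume is far above normal. The log layout (`<ISO timestamp> <src> <dst> <bytes_out>`), the hosts and the thresholds are all assumptions chosen for illustration.

```python
"""Threat-hunting helper: flag beacon-like outbound connections and bulk uploads.

Added example for illustration; not code from the original note. The log layout
("<ISO timestamp> <src> <dst> <bytes_out>") and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound proxy log lines (not real traffic).
# 10.0.0.5 contacts one host every ~300 s with little jitter (beacon-like),
# 10.0.0.7 browses at irregular intervals, 10.0.0.9 pushes out a lot of bytes.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.10 812
2024-03-01T09:05:02 10.0.0.5 203.0.113.10 790
2024-03-01T09:09:58 10.0.0.5 203.0.113.10 805
2024-03-01T09:15:01 10.0.0.5 203.0.113.10 798
2024-03-01T09:20:00 10.0.0.5 203.0.113.10 811
2024-03-01T09:24:59 10.0.0.5 203.0.113.10 802
2024-03-01T09:01:14 10.0.0.7 198.51.100.20 1200
2024-03-01T09:01:40 10.0.0.7 198.51.100.20 3400
2024-03-01T09:13:05 10.0.0.7 198.51.100.20 950
2024-03-01T09:47:22 10.0.0.7 198.51.100.20 2100
2024-03-01T10:30:00 10.0.0.7 198.51.100.20 1800
2024-03-01T10:31:00 10.0.0.7 198.51.100.20 600
2024-03-01T02:10:00 10.0.0.9 192.0.2.30 60000000
2024-03-01T02:25:00 10.0.0.9 192.0.2.30 55000000
"""


def parse_log(text):
    """Parse lines into (timestamp, src, dst, bytes_out) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def _group(events):
    """Group events by (src, dst) pair."""
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in events:
        pairs[(src, dst)].append((ts, nbytes))
    return pairs


def find_beacons(events, min_hits=5, max_jitter=0.1):
    """Return pairs whose connection intervals are regular enough to look like timed check-ins.

    jitter = population std dev of the intervals / mean interval. Human browsing
    produces a high value; an automated timer produces a low one.
    """
    hits = {}
    for pair, conns in _group(events).items():
        times = sorted(ts for ts, _ in conns)
        if len(times) < min_hits:
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        jitter = pstdev(intervals) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:
            hits[pair] = {"hits": len(times), "mean_interval": avg, "jitter": jitter}
    return hits


def find_bulk_uploads(events, min_bytes=100_000_000):
    """Return pairs whose total outbound bytes meet the threshold (possible exfiltration)."""
    totals = {}
    for pair, conns in _group(events).items():
        total = sum(nbytes for _, nbytes in conns)
        if total >= min_bytes:
            totals[pair] = total
    return totals


def hunt(text):
    """Run both checks over raw log text and return the findings."""
    events = parse_log(text)
    return {"beacons": find_beacons(events), "bulk_uploads": find_bulk_uploads(events)}


if __name__ == "__main__":
    for kind, findings in hunt(SAMPLE_LOG).items():
        for pair, detail in findings.items():
            print(f"{kind}: {pair[0]} -> {pair[1]} {detail}")
```

On the sample, only the 10.0.0.5 pair comes out as beacon-like (six hits about 300 seconds apart with jitter under 1%) and only the 10.0.0.9 pair trips the volume check; the irregular browsing from 10.0.0.7 triggers neither. Real hunts run the same idea over SIEM exports with baselines per host and longer windows, but the point stands: an attacker who stays quiet still leaves a rhythm and a byte count in the logs.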
> [!tip] Most defenses ask "how do we keep them out?" APTs force a harder question: "they're already in and have been for months, how would we even know?" That shift, from prevention to detection and containment, is the heart of defending against them.