Today’s columnist, independent info-sec consultant Alex Vakulov, points out that Lockheed Martin first started using the phrase advanced persistent threat in its documents in 2004. Vakulov says some 80% of large companies with more than 5,000 employees were hit by APT groups one or more times in the past year. (Photo by Suhaimi Abdullah/Getty Images)

Most security pros know about large-scale attacks that have targeted banks, large corporations, government agencies, and even military facilities. Who conducts these attacks? Why are they so destructive? How can security teams protect their organizations from them?

Since about 2004, the Lockheed Martin Computer Incident Response Team (LM-CIRT) has been using the term Advanced Persistent Threat (APT) in its documents. APT attacks are complex attacks carried out mainly on the IT infrastructure of military and government facilities. As a rule, secret services of other countries and groups of “government hackers” were suspected of carrying them out.

Later, thanks to journalists, the APT concept expanded to multi-layered attacks, the target of which can target a network of any organization. Even now, the term APT remains ambiguous. The term implies either a multi-stage attack scenario, the tools used, or powerful hacker groups.

There are still no uniform criteria that would allow attributing a particular attack specifically to the APT class. Successful targeted attacks are often carried out using old exploit kits, and zero-day vulnerabilities are not a required attribute of an APT.

APTs are also discussed when attackers distribute spear-phishing emails to compromise the accounts of company employees. This account then gets used as an entry point to the local network and a springboard for moving to the next level – to computers of executives and critical servers of the company. However, social engineering methods are already overwhelmingly popular, so it’s strange to single them out as a marker of advanced persistent threats. So, what should we focus on?

APT attack signs

Analyzing the reports of various security specialists, I formulated the following APT characteristic:

  • Targeted: The target are not always a specific person or organization. Attackers can target a vertical segment (for example, financial institutions) or a homogeneous group of people, such as hotel guests or cruise ship passengers.
  • Hard to defend: Individual security tools cannot stop APTs.
  • Long-term: It can last for months and continue until the bitter end or loss of purpose.
  • Well-funded: Even a banal DDoS costs a lot of money if it lasts long.
  • Multi-staged: APT uses several attack vectors and different techniques sequentially. By themselves, methods can be primitive; their combination is essential.
  • Stealth: APTs can go unnoticed for a long time or proceed under the guise of minor day-to-day incidents. The abnormal behavior of the network or individual devices persists, although nothing suspicious is found during routine security checks.
  • Sophisticated: APT actors often (but not always) use advanced techniques to effectively mask their components from traditional defenses - for example, a reverse shell to bypass the firewall.

According to VPNBrains, APT actors use the following techniques (listed in decreasing order of frequency): phishing and social engineering, misconfigurations, zero-day vulnerabilities, DDoS and botnets, traditional malware,  compromised devices, and insider attack.

There are several key stages of any APT attack:

  • Collection of information.
  • Primary infection (luring to phishing sites, sending out infected documents).
  • Delivery of malicious payload (drive-by-downloads, exploiting vulnerabilities).
  • Active phase (elevating privileges and bypassing security systems to obtain additional data about the system and maintain persistence in it).
  • Building stable remote control (implementing backdoors, keyloggers, reverse shells).
  • Communication with command and control servers in anticipation of further commands (bypassing firewalls, using various instant messengers, social network clients and popular network APIs to transmit commands).
  • Achievement of the final goal (data theft, spying, execution of illegal financial transactions, the formation of a botnet, interception of control over the SCADA systems).

The zero-day menace

The effectiveness of APT attacks increases significantly when vulnerabilities are exploited for which there is no patch yet. For example, Iranian government-sponsored APT actors exploited Microsoft Exchange vulnerabilities in their malicious activities. Another group, reported by the Google Project Zero team, used multiple zero-days in Chrome and Android. APT41 exploited the Zoho ManageEngine zero-day vulnerability CVE-2020-10189. There are plenty of other examples among news headlines.

APT trends: what 2022 will bring

APT groups are increasing their activity. Some 80% of large companies (with more than 5,000 employees) were hit by APT groups one or more times in the past year. Asian malicious actors dominate in the number of APT attacks. And, previously discovered APT groups have not disappeared anywhere, and the period of calm does not mean the termination of their activities. They perform small operations that are not globally visible, or they may simply change the format and select the tools for new attacks.

Other trends to look for; Common components used in network attacks of different APT groups make it possible to assert a close relationship between them. There’s also a clear connection between global events and vectors of new attacks. Social engineering remains a key method for initiating attacks.

Cybersecurity companies have been vying to offer their protection against APTs for years. Mostly these are traditional tools. They offer to use a VPN, firewall, SIEM solutions, antivirus, and spam filters.

There are not many effective ways of countering APT attacks. Reasonable caution, security training, the zero-trust approach, defense-in-depth, and technical solutions from major vendors will help security teams reduce the damage from APT attacks.

Alex Vakulov, independent info-sec consultant