Advanced Persistent Threat (APT) - The Most Dangerous Kind of Cyberattack.

Advanced Persistent Threat (APT) is an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network to mine sensitive data.

You may be interested in taking a look at our other antivirus tools:
Trojan Killer, Trojan Scanner.

Advanced Persistent Threat Attacks. What is APT? | Gridinsoft

What is APT?

GRIDINSOFT TEAM
The advanced persistent threat, or APT, is a complex cybersecurity hazard that consists of multiple elements and is applied over a long period of time. Though it requires more resources to commit, the effectiveness of APTs is much higher than regular malware.

The Advanced Persistent Threats are considered the most dangerous hazard, which requires a ton of effort to detect and prevent. The final target of this attack - the sensitive data - and the midpoint elements touched during the cyberattack must be protected at the highest level. Cybersecurity specialists who establish and assist with running the EDR solutions must foresee all possible attack vectors.

However, such an attack requires a lot of resources and work from the attackers’ side. The three main stages of APT usage - infiltration, expansion, and extraction - require way more effort than the “classic” attacks. They are likely worth it, but some gangs exist less than such an attack may last. An attack with an advanced persistent threat is definitely the competition of professionals.

APT lifecycle
The lifecycle of the advanced persistent threat

Advanced persistent threats have a lot of edges to discuss. First, we want to define the difference between APTs and frequent cyberattacks. Advanced threats may look like just-more-advanced-virus, but it is more like a special operation rather than a common attack. APT attacks rely on many more programs - both used by crooks and ones in the attacked system. They’re also executed manually - unlike ransomware attacks that are usually automated. The word “persistent” in the naming means exactly what it should do - such threats are about long-term presence in the infected system. The target of such attacks is the valuable data, and the more time the attack is on - the more data could be smuggled.

There are also several things to note. The precursor malware and tools for expanding the malware presence for such attacks are oftentimes the same as in more simple attacks. For example, when hackers establish the APT presence and activity in each network element, they may opt for the same exploits in server architecture and user applications. There is no need to reinvent the bicycle, especially when it runs well. Another thing to remember is the typical targets of the attacks using advanced threats. Hackers rarely aim to receive the ransom and sometimes do not want any profit. The final target may be both leaking some critical information, deleting it, or taking control of the servers/websites hosted on those servers. Sure, such a task may take months to complete, but APT deployment and retention are not about a 5-minute walk at all.

APT stages. From infiltration to data extraction

As was mentioned before, attacks with advanced persistent threats have three main stages. During the attack, cybercriminals try to inject the malware, make it more sustainable (i.e., infiltrate all possible environments) and finally begin the data extraction. All these stages require specific software and approaches. However, the final payload is more likely to be a backdoor, remote-access trojan, spyware, or their combinations. To have a more relevant explanation, we will make several remarks about the real cause of a cyberattack with an advanced threat that happened at the beginning of 2022. North Korean hackers attacked the Russian diplomatic sector with Konni RAT.

Stage 1. Malware infiltration

There are tens of possible ways of malware infiltration into the corporate network. However, in the last two years, analysts witnessed a strict trend: almost 40% of the attacks are committed through RDP exploitation. And this figure is actual to all forms of cyberattack, not only APT-related ones. Nonetheless, other methods - SQL injections and social engineering, for example - are used as well. In some cases, primarily to distract the personnel's attention, crooks may additionally launch a DDoS attack. System administrators and cybersecurity masters will put their efforts to protect the network, while the main action will happen behind their backs.

In the case of Konni RAT injection by the same-named cybercrime gang, they did not perform distracting maneuvers. Their approach was the encyclopaedic example of spear phishing. Attackers disguised the email message to the Russian embassy in Indonesia with the attached malicious file as a New Year’s greeting. They managed to counterfeit the email address, so the domain looked like “@mid.ru” - different from the original “@mid.rf” but still similar enough to fool someone. In conjunction with the typical pre-holiday relaxation, that scattered the attention of embassy workers.

Malware injection steps

The exact thing cybercriminals try to inject into the targeted system or network is not always the same virus. It may be a script that will connect to the remote server for getting the payload, or weaken the security system before the malware launches. A so-called precursor malware may be used - to show the phishing page or trick the staff into allowing the malware installation. However, the vast majority of the hackers try to avoid bearing on the human factor. Yet not all employees are reckless enough to ignore dubious behavior.

In the case of the Konni APT attack, the attachment mentioned above (exactly, the .zip archive) contained a script that connected to the command server and managed to download the installer for the remote-access trojan. After launching the поздравление.scr file, embassy workers were spectating the image below while the main action was happening in the background. Such a multi-step scheme is required to obfuscate the log reading and wipe any paths. Additionally, such intermediary steps may be used to disable the security software. When the intrusion is concealed, and the payload malware is downloaded, crooks turn to the second step - expansion.

Stage 2. Malware expansion

Compromising a single computer in the network is never enough, even if it is a domain controller. Exactly, crooks usually aim at the DC, or, at least, the computer with administrator privileges. If they initially extend their virus on the computer with user privileges, they will try to escalate the privileges to execute their malware as administrator. Hackers may do this on the profile of the user they have infected or by creating a separate, hidden administrator account. Escalating privileges is not an easy task, and usually requires the use of exploits. However, if the attack is prepared properly, crooks already know which exploits to use, and have a malicious app that is ready to use this vulnerability.

APT progress network
APT progress in the corporate network

Having the administrator account allows the crooks to create the same highly-privileged accounts on other devices, and manage the network. Taking over the domain controller is an often practice, but it is harder to perform. That’s why crooks usually carry things like brute force utilities or hacktools - they serve as a crowbar when the picklock fails. Rude instruments are easier to detect - but usually, crooks manage to disable any protection on the separate computers at the stage of DC brute force.

Expanding the malware presence in the network has an obvious reason. The more computers are infected - the more data cybercriminals can access and extract. This simple and linear equation must be the guidance for system administrators. Network clustering, enhanced protection measures, persistent control - all these things are essential when dealing with sensitive and valuable data. However, threat actors who dare to commit the attacks with APT likely have the fallback variants. That’s why it is better to have a well-done EDR solution. It is impossible to turn it off without taking over the DC and hard to avoid - it bears on heuristic detection, which is much harder to deceive.

Stage 3. Data extraction

As we mentioned before, APT threats are not called “persistent” just for the occasion. They try to last as long as they can in the corporate system, gathering all data that may potentially be valuable. However, they don’t send the data to their command server as they find it on the victim’s PC. Even when the security software is disabled, system administrators may notice multiple packages sent from the inside of the network to an unknown address. Such a case will set everyone on alarm, and the advanced threat will be uncovered at that point. To make it more silent, cybercriminals must apply some tricks.

Data extraction
The third stage of attack - data exfiltration

Those tricks may be about creating a disguise for the extracted files, as well as distracting the attention. In the majority of cases, crooks opt for the second variant. It is not so easy to find a way to conceal the huge amount of traffic. How often do you send the gigabyte-sized files through email? That will raise suspicion, even though that email will be successfully delivered to the moment of detection. The distraction crooks usually use is the DDoS attack, or a so-called white noise - a lot of pointless commands or requests that obfuscate the logs. Such a trick may circumvent the security solutions and create a lot of headaches for the analysts who will try to figure out what’s happening.

However, when the APT attack operators decide to cease their presence in the certain network, they may even perform the final extraction “as is”. That would not be a common practice, especially if the information received from this company was sold for a good price. Crooks may then re-sell the way they infiltrated into the network to their colleagues, as well as just infiltrate it once again. But when they decide to take French leave, things may be even more rigid. In some cases, crooks may deploy ransomware - as the icing on the cake.

How to protect your network from APT attacks?

As you can see by the paragraphs above, advanced persistent threats are extremely sophisticated and performed by qualified cybercriminals. APT deployment and counteraction may be compared to the game of chess between two grossmeisters - both are very skilled and have a lot of possible moves. It becomes even more interesting when they may only guess about each other's activity and perform some careful steps to understand what’s going on. Nonetheless, spectating this game already means that something went wrong. It does not mean that the security measures must be able to prevent any intrusion. But when you do everything right, crooks will find their hands tied. Let’s see how to make your corporate network secure from attacks with advanced persistent threats.

Cease the human factor

reckless personnel is one of the biggest security breaches that are impossible to eliminate. Yet you can teach them how to be safe and avoid potentially dangerous things, but you will never dispel this hazard completely. Out of 10 workers, nine will be diligent, and one - childish. That’s why besides boosting the cybersecurity knowledge among your employees must be complemented with decreasing the overall damage that may happen because of human mistake.

  • Explain the danger of attached files. Many people think that attachments cannot be dangerous, so they open them without any doubts. Hackers thank them - a big share of attacks of any scale happens because of this false belief.
  • Protect all tight places. MS Office macros and Visual Basic scripts may carry different codes. They could contain the downloader or the same malware when coming from outside. Forbidding their execution without the system administrator's permission - to prevent these injection ways.
  • Set up the software hygiene. That advice is helpful against any malware since crooks use the same exploits for various attacks. Updating the apps regularly, avoiding the use of untrustworthy programs, and keeping an eye on applications that can collect the information about their users - those pieces of advice are basic.
  • Cluster the network. Even if hackers manage to infect a part of the network, it will fail to go further.
  • Apply the use of user’s privileges for most users. Most apps these days don’t require administrator privileges. They may still ask you to type the administrator password sometimes, but it is much easier to do it on-demand than solve the cyberattack.

Technical approaches against APT

Besides the advice that touches the employees and is more common, there are several things to do specifically against the APT. Those measures generally feel the network security and traffic control. Whitelisting and traffic monitoring are the two you must pay the most attention to.

Whitelisting

This procedure means allowing access only to designated websites/IP-addresses from the inside of the corporate network. Such a setup is useful for preventing the malware downloader from connecting to the external server. It also has a more “peaceful” purpose - stopping the employees from visiting various sites to minimize procrastination. However, using this method separately from the others is not 100% effective. “White” domains may be compromised with time, or the connection may be created through safe and legit software. Some programs may still be safe but outdated - that makes them vulnerable to exploitation. Keep all these problems in mind when establishing your network.

Traffic monitoring

While whitelisting is more about passive protection, traffic control is rather an active countermeasure. Primarily, the most important thing to protect is the most vulnerable. In companies, such things are web application servers. They are exposed the most since everyone can connect them by design. Therefore, you must pay additional attention to protecting them with firewalls or other filters that may prevent the SQL or RFI injection attack. Moreover, firewalls are quite useful when it comes to traffic control. These tools can log the network events, allowing you to see and analyze the possible anomalies.

Frequently Asked Questions

What is the purpose of Advanced Persistent Threat (APT)?
One of the main objectives of APT is confidential data. But do not forget that such threats involve a certain scenario. First, they must stay in the infected system as long as possible to extract the most valuable data and resell it to third parties. Another thing about APT is that they use existing exploits, custom applications, and server architectures to avoid wasting time inventing what’s already there. The ultimate goals may not be money and profit, but the typical data leak controls servers and websites.
What is an example of an advanced persistent threat?
An excellent example of APT is the introduction of Konni RAT into the computer network of Russian diplomats in Indonesia. These hackers managed to carry out a phishing attack without much effort. They disguised Russia’s letter to Indonesia, which attached a malicious file as a New Year’s greeting. The email address, of course, was also disguised as the original @mid.rf and looked like this: @mid.ru. The embassy staff did not notice this setup on New Year’s Eve and the heap of similar messages of congratulations.
What are the two most likely vectors for an advanced persistent threat APT against your organization?
The APT attack is not meticulous and changeable; it can produce both complex attack levels and the simplest. The most common vectors of this attack are considered phishing and social engineering. But do not forget about the other vectors:
  • DNS modifications;
  • Vulnerability exploits;
  • Zero-day attacks;
  • Internal attacks (compromising a target’s employee);
  • Supply chain attacks;
  • Ransomware;
  • Pirated software.
What’s the difference between APTs and most malware?
The only difference is the method of execution of malicious tasks. Most common attacks carry a rapid destructive attack, but APT takes a more strategic approach. Hackers make their destructive actions masquerading as traditional programs such as phishing or trojans, and after completing tasks, leave behind hidden, covering all traces. In doing so, they manage to implement their attacking software throughout the network.
How many APT groups are there?
In 2013, the hunt for APT began, and more than identified 150 groups of this attack. Thanks to such discoveries, it is now known not only about the threats but also their tactics, methods, and procedures. In recent years, no one has heard of new areas of this attack, but it is most likely because the previous approach to performing its tasks is quite successful.