A cyberattack dubbed NotPetya last year used mock ransomware to wipe out data at Ukrainian banks, energy companies, media organizations, and government agencies. The CIA, noting that the attack displayed characteristics of an advanced persistent threat (APT), later attributed NotPetya to Russian military hackers intent on crippling Ukraine.
An APT is a targeted attack in which hackers work to surreptitiously gain access to a network and stay undetected for a long period of time—typically months or years. Usually supported by a nation-state, they aim to disrupt operations, destroy infrastructure, or steal high-value information like military plans, intellectual property, and other data from governments, large organizations, and even wealthy or well-connected individuals.
APTs, by their very name, are persistent. Attackers identify a single target, perform reconnaissance, and try a variety of methods, such as spear-phishing or social engineering, experts say, until they successfully gain access to the network.
“A traditional cyberattack is akin to a burglar with a crowbar at a jewelry store: They set off alarms, and get in and out as quickly as possible,” says Richard White, professor of cybersecurity at the University of Maryland University College. “But APTs are very technically savvy and light-footed, have quiet lateral movements, and intentionally don’t leave a large cyberfingerprint for forensic analysis. They stay undetected, below the traditional cybersecurity controls.”
APTs have been used to attack governments and businesses alike. In 2014, for example, hackers of entertainment company Sony Pictures leaked internal data they’d gathered over time, including personal information about employees and their families, emails, executive salaries, and copies of unreleased films, in an effort to embarrass the company. The attackers also deployed malware to erase Sony’s computer infrastructure.
The FBI has blamed the Sony Pictures attack on North Korea, which in turn has denied any involvement.
The breach of consumer credit reporting agency Equifax, which compromised sensitive information pertaining to more than 143 million American consumers, likely was also an APT. While the company says just one employee was to blame, investigators say the hack shows signs of a state-sponsored attack.
Al Pascual, senior vice president and research director at Javelin Strategy and Research, says APTs aren’t limited to cyberspace; he’s seen incidents in which criminals break into high-target individuals’ hotel rooms to physically compromise a device in order to gain access to a network.
“If they want in, they’re going to find a way in. Today there are so many different avenues they can use, whether it’s through zero-days, open ports, or weaknesses in your vendor. That’s why [APTs] are so successful,” he says.
Once hackers gain access to the network, they move methodically and deliberately to establish back doors, synchronizing their activity with bursts of traffic, such as backups, in order to avoid detection, White says. “They know the syncopated rhythms of their victim so it’s much more difficult for security controls to determine the levels of fidelity.”
Detecting and mitigating APTs
Organizations often don’t know that they’ve fallen victim to an advanced persistent threat until it’s too late. A department overseeing end-point detection and response might discover that an executive’s device has been compromised and that there’s malware present, for example, or that encrypted network traffic is traveling through a port at times when it shouldn’t be. In another case, it might discover an influx of attempts to deliver payloads in blocked emails, Pascual says.
“They’re caught when they make a mistake. They become too noisy, and they set off a security control like an [intrusion prevention system] or intrusion detection system,” White adds. “Sometimes they don’t do their reconnaissance correctly and forget to account for a particular security control that catches them off guard. And sometimes it’s good, old-fashioned forensics, auditing, and network scanning that detects something.”
Complicating the detection and mitigation of APTs is their growing sophistication and the wide range of exploitable vulnerabilities that give them access, according to a report from cybersecurity company Kaspersky Lab. In the next year, Kaspersky expects that advanced-threat actors will play to new strengths and hone new tools, which include more supply chain and mobile attacks.
Kaspersky’s antivirus software has been banned by the U.S. government for the company’s alleged role in Russian cyberattacks that breached government servers and stole government data.
“These attacks can be extremely difficult to identify,” the Kaspersky report says. “Some [APT groups and operations] are incredibly sophisticated and possess wide arsenals. Even a target whose networks employ the world’s best defenses is likely using software from a third party, [which] might be an easier target and can be leveraged to attack the better protected original target enterprise.”
Because APTs are usually undetectable by traditional security technology, Neatsun Ziv, vice president of threat prevention at IT security company Check Point Software Technologies, says organizations should focus on putting into place appropriate countermeasures. Such countermeasures could include an intrusion prevention system or intrusion detection system, according to White.
“Unfortunately, it’s only a matter of time—no one is immune forever,” Ziv says. “The number of vulnerabilities, and the ability to make money in the private sector, are increasing, which means the number of opportunities for these attacks to happen is also growing. What’s most important is that organizations are prepared.”