What is an APT?
The term advanced persistent threat (APT) can refer to an attacker with substantial means, organization and motivation to carry out a sustained cyberattack against a target.
An APT, not surprisingly, is advanced, persistent and threatening. It is advanced because it employs stealth and multiple attack methods to compromise a target, often a high-value corporate or government resource. This type of attack is also difficult to detect, remove and attribute to a particular attacker. Worse yet, once a target is breached, backdoors are often created to provide the attacker with ongoing access to the compromised system.
APTs are considered persistent in the sense that the attacker may spend months gathering intelligence about the target and use that intelligence to launch multiple attacks over an extended period of time. It is threatening because perpetrators are often after highly sensitive information, such as the layout of nuclear power plants or codes to break into U.S. defense contractors.
An APT attack generally has three primary goals:
- Theft of sensitive information from the target
- Surveillance of the target
- Sabotage of the target
Perpetrators of APTs often use trusted connections to gain access to networks and systems. These connections may be found, for example, through a sympathetic insider or unwitting employee who falls prey to a spear phishing attack.
How Are APTs Different?
APTs are different from other cyberattacks in a number of ways. First, APTs often use customized tools and intrusion techniques - such as vulnerability exploits, viruses, worms, and rootkits - designed specifically to penetrate the target organization. In addition, APTs often launch multiple attacks simultaneously to breach their targets and ensure ongoing access to targeted systems, sometimes including a decoy to trick the target into thinking the attack has been successfully repelled.
Second, APT attacks occur over long periods of time during which the attackers move slowly and quietly to avoid detection. In contrast to the speedy tactics of many attacks launched by typical cybercriminals, the goal of the APT is to stay undetected by moving "low and slow" with continuous monitoring and interaction until the attackers achieve their defined objectives.
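The "low and slow" pattern described above has a detectable side effect: an implant that checks in with its operator on a timer produces outbound connections at intervals far more regular than any human-driven traffic. The following is an added example, not code from the original article, that scores each (source, destination) pair in a constructed connection log by how evenly spaced its connections are and flags pairs that recur on a long, machine-precise schedule. The log format, the thresholds and the IP addresses are all assumptions made for the example.

```python
"""Flag low-and-slow beaconing in outbound connection logs (illustrative example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not from any real incident.
# Format per line: ISO-timestamp source-ip destination-ip bytes-sent
# 10.0.0.5 checks in every four hours with a small, near-constant payload;
# 10.0.0.7 shows irregular, human-driven traffic to a file server.
SAMPLE_LOG = """\
2023-05-01T00:00:00 10.0.0.5 203.0.113.9 412
2023-05-01T04:00:03 10.0.0.5 203.0.113.9 398
2023-05-01T08:00:01 10.0.0.5 203.0.113.9 420
2023-05-01T12:00:05 10.0.0.5 203.0.113.9 405
2023-05-01T16:00:02 10.0.0.5 203.0.113.9 411
2023-05-01T20:00:04 10.0.0.5 203.0.113.9 399
2023-05-01T00:12:31 10.0.0.7 198.51.100.20 15200
2023-05-01T09:47:12 10.0.0.7 198.51.100.20 83000
2023-05-01T10:03:55 10.0.0.7 198.51.100.20 2200
2023-05-01T17:30:08 10.0.0.7 198.51.100.20 9100
2023-05-01T21:15:40 10.0.0.7 198.51.100.20 4400
"""


def parse_log(text):
    """Group connection events by (src, dst); each event is (timestamp, bytes)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def beacon_score(events, min_events=5):
    """Return (mean_interval_seconds, coefficient_of_variation) for one flow.

    The coefficient of variation (stdev / mean) of the gaps between connections
    is close to zero when the gaps are nearly identical, i.e. timer-driven.
    Flows with too few events return None because the statistic is meaningless.
    """
    if len(events) < min_events:
        return None
    times = sorted(t for t, _ in events)
    intervals = [(later - earlier).total_seconds()
                 for earlier, later in zip(times, times[1:])]
    avg = mean(intervals)
    cv = pstdev(intervals) / avg if avg else float("inf")
    return avg, cv


def find_beacons(text, max_cv=0.05, min_interval_s=3600):
    """Return {(src, dst): (rounded mean interval, rounded cv)} for flows that
    recur on a regular schedule at least min_interval_s apart."""
    hits = {}
    for pair, events in parse_log(text).items():
        score = beacon_score(events)
        if score is None:
            continue
        avg, cv = score
        if cv <= max_cv and avg >= min_interval_s:
            hits[pair] = (round(avg), round(cv, 4))
    return hits


if __name__ == "__main__":
    for (src, dst), (interval, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval}s (cv={cv})")
```

On the constructed log the 10.0.0.5 flow is flagged with a mean interval of about 14401 seconds and a coefficient of variation near zero, while the irregular 10.0.0.7 flow is not. Treat a hit as a triage lead rather than a verdict: software updaters, monitoring agents and NTP clients also connect on timers, so the destination's reputation and the payload size should be checked before escalating.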
Third, APTs are designed to satisfy the requirements of espionage and/or sabotage, usually involving covert state actors. The objective of an APT includes military, political, or economic intelligence gathering, theft of confidential data or trade secrets, disruption of operations, or even destruction of equipment.
Fourth, APTs are aimed at a limited range of highly valuable targets. APT attacks have been launched against government agencies and facilities, defense contractors, and manufacturers of high-tech products. Organizations and companies that maintain and operate national infrastructure are also likely targets.
Some Examples of APTs
Operation Aurora was one of the first widely publicized APTs; the series of attacks against U.S. companies was sophisticated, targeted, stealthy and designed to manipulate targets.
The attacks, conducted in mid-2009, exploited a vulnerability in the Internet Explorer browser, enabling the attackers to gain access to computer systems and download malware to those systems. The compromised systems connected to a remote server, and intellectual property was stolen from the companies, which included Google, Northrop Grumman and Dow Chemical. (Read about other damaging attacks in Malicious Software: Worms, Trojans and Bots, Oh My!)
Stuxnet was the first APT that used a cyberattack to disrupt physical infrastructure. Believed to have been developed by the United States and Israel, the Stuxnet worm targeted the industrial control systems of an Iranian nuclear power plant.
Although Stuxnet appears to have been developed to attack Iranian nuclear facilities, it has spread far beyond its intended target, and could also be used against industrial facilities in Western countries, including the United States.
One of the most prominent examples of an APT was the breach of RSA, a computer and network security company. In March 2011, RSA sprang a leak when it was penetrated by a spear-phishing attack that hooked one of its employees and resulted in a huge catch for cyberattackers.
In an open letter to RSA customers posted on the company's website in March 2011, Executive Chairman Art Coviello said that a sophisticated APT attack had extracted valuable information related to its SecurID two-factor authentication product, which remote workers use to securely access their company's network.
"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello said.
But Coviello, it turned out, was wrong about that, as numerous RSA SecurID token customers, including U.S. defense giant Lockheed Martin, reported attacks resulting from the RSA breach. In an effort to limit damage, RSA agreed to replace the tokens for its key customers.
Whither APTs?
One thing is certain: APTs will continue. As long as there is sensitive information to steal, organized groups will go after it. And as long as nations exist, there will be espionage and sabotage - physical or cyber.
There is already a follow-up to the Stuxnet worm, dubbed Duqu, which was discovered in the fall of 2011. Like a sleeper agent, Duqu swiftly embedded itself in key industrial systems and is gathering intelligence and biding its time. Rest assured it is studying design documents to find weak spots for future attacks.