Advanced persistent threats target major businesses and governments – but they can be detected and thwarted with the right tools and advice.
Hackers were formerly thought of as lone individuals writing and sending malware in isolation. That’s no longer the case: today, the most significant cyber risks come from Advanced Persistent Threats (APTs) that infiltrate and sabotage the IT infrastructure of major multinational corporations and government institutions.
APTs represent a class of cyber attack techniques where an attacker establishes an unauthorised long-term presence on a network, intending to steal highly sensitive data over a long time.
Their difference from run-of-the-mill cyber attacks can be seen in the name:
Given the sensitivity and global importance of their preferred targets, APT intrusions tend to have extreme consequences down the line. APT cyber attackers can steal confidential data, gather information on essential personnel, conduct massive bank heists, and possibly sabotage critical infrastructure.
To truly understand the nature of APTs, read on: we’ll paint a picture of the present threat landscape, along with three proven strategies to prevent them from getting in or spreading throughout your network.
Asia-Pacific (APAC) companies are a major target for APTs – a Kaspersky study found that up to 75% of executives in the region anticipate APT attacks on their respective businesses. A series of high-profile APT intrusions, not to mention the prevalence of APT groups based in China and North Korea, may have increased awareness of APTs as a regional threat among decision-makers in APAC.
Because APT intrusions require significant commitment in time and resources, both perpetrators and victims tend to be major players. APT targets tend to be high-value institutions, like government security forces or billion-dollar multinational corporations. On the other side, perpetrators demonstrate exceptional skills, high coordination and the ability to develop their own tools and techniques, which hints at backing from nation-states or organised crime.
The world’s most sophisticated cyber warfare forces may be behind APAC’s most prominent APT attacks; experts believe that national intelligence services from countries like China, Iran and North Korea use APTs as a tool for foreign leverage.
China-linked APT Group Mustang Panda has been lurking in Indonesian government IT networks, especially Indonesia’s intelligence agency Badan Intelijen Negara (BIN). Mustang Panda-connected PlugX malware command and control (C&C) servers were communicating with hosts inside Indonesian networks, likely facilitating access to intelligence records for at least five months in 2021.
Naikon is another example of a China-linked APT, albeit one that has been around for far longer. Naikon conducted a five-year campaign against Southeast Asian nations’ military and government organisations. For almost a decade now, Naikon’s programmers have been steadily altering their server infrastructure, creating new loader variants, and building new backdoors to keep the group invisible to cyber defences.
The Russian APT group “Silence” is one of the rare APTs that specialises in robbing its targets. Its most high-profile attack, a US$3 million heist in Bangladesh in 2019, was a departure from its usual Eastern European theatre of operations – the APT traditionally attacked banks and businesses in Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan.
APTs’ shadowy, long-term nature, along with the secrecy exercised by their victims, makes it difficult to tally the exact cost of attacks throughout APAC. A Positive Technologies report made a rough estimate of the cost of each APT toolkit and compared it to the average damage of an APT assault: the APT always came out on top. Silence, for instance, spent US$55,000 on its intrusion toolkit and made out with US$288,000 per successful attack.
Successful APT attacks consist of a complex series of steps, using a variety of sophisticated exploits and tactics. Models like the MITRE ATT&CK explore typical APT attacks in more detail than we can accommodate here.
To provide a brief overview of an APT incursion, we’re presenting a simplified model, following Imperva’s and NTT’s analyses, which break incursions down into three stages, often carried out over weeks or months.
Stage 1: Infiltration. Social engineering exploits like spear phishing use human nature to trick users into opening files that can install malware on the system. The APT might also launch a DDoS attack to distract network personnel, weakening the security perimeter and facilitating infiltration. Once inside, APT attackers can install a backdoor shell, or stealthy malware that grants network access to intruders.
Stage 2: Expansion. In this phase, the attackers will broaden their presence within the network. First, they’ll try to establish an outbound connection to their Command and Control server, allowing APT personnel to fine-tune their approach within the system.
Once inside, the attackers will try to gather more information about their target network. They’ll find other vulnerabilities to use for deeper access and privilege escalation, and gain control over more sensitive systems. These intrusions will be disguised using encryption, allowing APT operations to look like normal network traffic.
Stage 3: Extraction. Over a long period, the APT will store its stolen information in secure locations inside the network. Getting gigabytes of data out will arouse suspicion, so APTs will launch DDoS attacks or other white-noise tactics to distract the security team, allowing the intruders to safely extract the information they’ve gathered while inside.
This is by no means the end of any APT attack; intruders will try to leave as many backdoors as possible, so they can still find entry points even if others have been detected and addressed.
No business is completely safe from APT intrusions. Their complexity and long-term time horizons mean that APTs can be difficult to detect, and even more fiendishly difficult to root out. A combination of three strategies – prevention, mitigation, and monitoring – can help protect businesses against APTs, blocking them from either gaining a foothold or expanding their presence in your system.
Strategy 1: Prevention. The tactics for preventing APTs from entering your systems resemble the strategy for protecting against malware online. This consists of building a solid perimeter defence in the form of firewalls and antivirus, and training users in account security practices.
Any prevention tactics must include worker training in basic account security protocols: using two-factor authentication (2FA) to block unauthorised logins, recognising phishing attempts, and practising safe web browsing at work.
These prevention steps are particularly urgent for businesses in the region: a survey of APAC decision-makers found that only 3% of respondents were able to correctly tell between fake and real emails and SMS messages. About a fourth of these respondents also displayed unsafe account security practices, like using work phones and email accounts for personal activities.
Strategy 2: Mitigating access to data. Even with the best perimeter defences in place, additional layers of defence must be deployed to protect your IT infrastructure in case APTs have already breached your system.
This calls for internal security measures within your IT infrastructure, such as:
Strategy 3: Monitoring traffic. Monitoring unusual activity on databases and looking for abnormal data access requests can surface early warning signs of an APT, like suspiciously-timed logins and unusual network traffic volumes.
This kind of monitoring calls for a next-generation firewall (NGFW) deployed at the edge of the network. The NGFW incorporates tools like Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Advanced Threat Protection (ATP), and Domain Name System (DNS) to examine all incoming and outgoing traffic, while using filters to detect and respond to specific attacks.
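The two warning signs named above (suspiciously-timed logins and unusual outbound traffic volumes) can be checked with simple detection logic over authentication and flow logs. The script below is an added example, not part of the original article or any vendor product; its log format, working hours and byte threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article): auth events and flow summaries.
SAMPLE_LOGS = """\
2021-06-14T09:12:03 auth user=alice src=10.0.1.20 result=ok
2021-06-14T02:47:51 auth user=svc-backup src=10.0.1.77 result=ok
2021-06-14T03:05:10 auth user=svc-backup src=10.0.1.77 result=ok
2021-06-14T10:30:00 flow src=10.0.1.20 dst=203.0.113.5 bytes_out=48210
2021-06-14T03:10:00 flow src=10.0.1.77 dst=198.51.100.9 bytes_out=1572864000
2021-06-14T11:00:00 flow src=10.0.1.31 dst=203.0.113.5 bytes_out=120000
"""

# Assumed log shape: "<ISO timestamp> <auth|flow> key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|flow) (?P<rest>.*)$")

def parse(lines):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        fields["kind"] = m.group("kind")
        events.append(fields)
    return events

def find_warning_signs(lines, work_hours=(8, 18), out_threshold=500_000_000):
    """Flag logins outside working hours and hosts whose total outbound volume
    exceeds a threshold. Both limits are assumptions; tune them to your baseline."""
    alerts = []
    per_host_out = defaultdict(int)
    for ev in parse(lines):
        hour = ev["ts"].hour
        if ev["kind"] == "auth" and not (work_hours[0] <= hour < work_hours[1]):
            alerts.append(("off_hours_login", ev["user"], ev["ts"].isoformat()))
        elif ev["kind"] == "flow":
            per_host_out[ev["src"]] += int(ev["bytes_out"])
    for host, total in per_host_out.items():
        if total > out_threshold:
            alerts.append(("large_outbound_volume", host, total))
    return alerts

if __name__ == "__main__":
    for alert in find_warning_signs(SAMPLE_LOGS):
        print(alert)
```

In practice the threshold should come from a per-host baseline rather than a fixed number, and an alert on a service account logging in at 03:00 followed by a large transfer from the same host is exactly the correlation worth escalating.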