The attacker has a specific target and goal, and has spent time and resources to identify which vulnerabilities they can exploit to gain access, and to design an attack that will likely remain undetected for a long time.
The motive for an APT can be either financial gain or political espionage. APTs were originally associated mainly with nation-state actors who wanted to steal government or industrial secrets. Cyber criminals now use APTs to steal data or intellectual property that they can sell on.
APT hackers and malware are more prevalent and sophisticated than ever. For some professional hackers, working either for their government or relevant industries, their full-time job is to hack specific companies and targets. They perform actions relevant to their sponsor’s interests, which can include accessing confidential information, planting destructive code, or placing hidden backdoor programs that allow them to sneak back into the target network or computer at will.
Also see: What is Phishing?
APT hackers are highly skilled and have the huge operational advantage in that they will never be arrested. Imagine how much more successful and persistent any other thief might be if they could get the same guarantee.
Still, they don’t want their activities to be immediately noticed by their targets, because it would complicate their mission. A successful advanced persistent threat hacker breaks into networks and computers, gets what is needed and slips out unnoticed. They prefer to be very low key. They don’t want to noticed or indeed caught by auditable events, error messages, or traffic congestion, or cause service disruptions.
Social Engineering: The Science of Human Hacking
Most APTs use custom code to do their activities, but prefer, at least at first, to use publicly known vulnerabilities to do their dirty work. That way, if their activities are noticed, it’s harder for the victim to realise that it’s an APT versus the regular, less serious, hacker or malware program.
How can you recognise something that’s meant to be silent and unnoticed?
Signs of advanced persistent threats
Because APT hackers use different techniques from ordinary hackers, they leave behind different signs. Over the past two decades, I've discovered the following five signs are most likely to indicate that your company has been compromised by an APT. Each could be part of legitimate actions within the business, but their unexpected nature or the volume of activity may bear witness to an APT exploit.
1. Increase in unusual log-on times
APTs rapidly escalate from compromising a single computer to taking over multiple computers or the whole environment in just a few hours. They do this by reading an authentication database, stealing credentials, and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. Often, a high volume of elevated log-ons occur at night because the attackers live on the other side of the world. If you suddenly notice a high volume of elevated log-ons across multiple servers or high-value individual computers out of hours, that's th time to start worrying.
2. Widespread backdoor Trojans
APT hackers often install backdoor Trojan programs on compromised computers within the exploited environment. They do this to ensure they can always get back in, even if the captured log-on credentials are changed when the victim gets a clue.
These days, Trojans deployed through social engineering provide the avenue through which most companies are exploited. They are fairly common in every environment, and they proliferate in APT attacks.
3. Unexpected information flows
Look for large, unexpected flows of data from internal origination points to other internal computers or to external computers. It could be server to server, server to client, or network to network.
Those data flows might also be limited, but targeted — such as someone picking up email from a foreign country.
4. Unexpected data bundles
APTs often aggregate stolen data to internal collection points before moving it outside. Look for large gigabyte chunks of data appearing in places where that data should not be, especially if compressed in archive formats not normally used by your company.
5. Focused spear phishing campaigns
If I had to think of one of the best indicators, it would be focused spear phishing email campaigns against a company's employees using allsorts of common document files containing executable code or malicious URL links. This is the original causative agent in the vast majority of APT attacks.
The most important sign is that the attacker’s phish email is not sent to everyone in the company, but instead to a more selective target of high-value individuals (e.g., CEO, CFO, CISO, project leaders, or technology leaders) within the company, often using information that could only have been learned by intruders that had already previously compromised other team members.
The emails might be fake, but they contain keywords referring to real internal, currently ongoing projects and subjects. Instead of some generic, “Hi, read this!” phishing subject, they contain something very relevant to your ongoing project and come from another team member on the project. If you’ve ever seen one of these very specific, targeted phishing emails, you’ll usually question yourself about whether you could have avoided it. They are usually that good these days.