The cyber espionage “investigations” has become popular within the information security industry and resulted in easy marketing opportunities of research reports about Advanced Persistent Threats along with headlines of “nation-state attack”. Apart from the purpose of APT research report marketing, the term “APT” itself got generalized for the sake of convenience. However, this was done at the expense of accuracy and greater
understanding. Today the term APT is widely used throughout the IT security circles to describe any attack that seems to specifically target individual organizations or has thought to be notably technical in nature regardless of whether the attack was actually advanced or persistent. Using an abstract term such as APT can create the impression that all such attacks are technically sophisticated, advanced, persistent, and malware driven. Some in the industry have begun to define APT as malware. According to Juan Andrés Guerrero-Saade, “_the terms ‘APT’, ‘targeted attack’, ‘nation-state sponsored’, and even ‘Cyberespionage’ are inaccurate and misinterpret the object of study, which is to say an espionage operation partially carried out with the use of malware_” .
The following examples are provided in order to illustrate common inaccuracies associated with the term APT:
- Persistent attacks that are not advanced due to lack of advanced tactics and techniques. An example of such a case is El Machete .
- Attacks that are widely distributed, but intended for a specific target which is achieved by compromising a wide range of services but only infecting selectively chosen victims. An example of such a case is Darkhotel components .
- Targeted attacks with the intention of reaching a wider audience such as Regin’s  use of legitimate institutions as domestic network proxies or Duqu’s  utilitarian targeting for digital certificates.
The provided examples show that the classification of an APT as nation-state sponsored adversary, regardless of its sophistication and merely based on the type of sensitive information pursued or targets, which happen to be of interest for a certain nation-state, is inaccurate. Premature interpretations suggesting that only nation-states are interested in political documents ignore the monetary value of political and military secrets. Institutions that might have overlapping interests with a nation state include: political opposition, private consulting, political analysts, financial speculators, adversarial nation-states, to name a few.
Finally, focus on the malware deployment and capabilities or the information stealing tactics of APT groups might strengthen the conviction that the group is interested in a specific type of data. However, this does not clarify whether the recipient of the exfiltrated data is a nation-state or an institution with overlapping interests. Therefore, it should not be assumed that every APT group or attack is associated with a sponsorship or a direct interest of a nation-state.
Lifecycle of an APT Attack
Figure 1 illustrates the differences between “Commodity Threats”, “Advanced Persistent Threats”, and “Hacktivism”. Commodity Threats do not target specific individuals or groups, thus don’t invest time in steps like defining the target and researching the target’s infrastructure and its employees. Moreover, persistence is also skipped mainly due to the “hit-and-run” nature of the threat. The process of Covering their tracks and remaining undetected is also being neglected. Hacktivists on the other hand spend time defining their target, as they plan to accomplish a certain (usually political) goal. A more complex attack scenario (such as APT) can be understood from the perspective of an “APT life-cycle”. As shown in the figure above, the attack of an APT unfolds in a series of stages, ending with the APT actor having established a stealth foothold in the target’s network after exfiltrating all necessary data.
The first step in the APT lifecycle is the Target Definition. Depending on the motivation of the APT group, the target is selected based on the type of data that can potentially be useful for the group or the recipient of the exfiltrated data. It is also possible that the group is instructed to attack a specific target and simply follows the order for monetary reasons. Knowing the target(s), the group can now build or acquire tools that are suitable for obtaining the type of data that is necessary to accomplish their goal.
The next step is described as the Reconnaissance process. During this process, information needed for further stages of the attack is collected. Such information includes technical details about the target infrastructure, which is used to discover vulnerabilities, and personal information about the company and their employees who can be targeted via social engineering. The gathered technical information, such as the operating system or Anti-virus software deployed by the target organization, is used to test for detection of the tools and techniques which will later be used during the attacks. After verifying that the tools are able to avoid detection by the Anti-virus software used by the target, the attack infrastructure is ready for deployment.
After the attack infrastructure has been deployed, the information gathered during the reconnaissance phase is used to identify the point of entry and decide on the attack vector which is then being used for the Initial Intrusion. Upon successful exploitation at this stage the system is considered as compromised, but not as breached. The next step after the initial compromise is the initiation of an outbound connection. In other words, adversaries need to make sure they can reach the Internet from the compromised network in order to contact the external Command and Control server. This can be done by installing malicious software like a remote administration tool (RAT). The purpose of a RAT is to provide control of the compromised machine to the attackers while receiving commands from the Command and Control server.
Once the initial malware is planted on the compromised machine, the attackers try to expand their access on the system. This step is called Privilege Escalation and marks the stage where the attacker tries to elevate his rights on the current system. Higher privileges allow to perform a more efficient harvesting of credentials and the installation of a more sophisticated and stealthy backdoor, ensuring higher likelihood of a long-term persistence.
The Lateral Movement takes place after enough credentials have been obtained and a decision is made that additional systems are needed to be examined in order to discover valuable assets. In other words, the system that was initially compromised might not contain the type of information the adversary is looking for, or is not suitable for establishing long-term persistence. Therefore, this step is used to sustain persistence on the compromised infrastructure by moving laterally within the network in order to place additional backdoors and discover digital assets of interest.
As the adversaries move deeper into the network and gain higher privileges, they attempt to make their activities more difficult to detect by using methods that are native for the target systems or commonly used by administrators, thus making it less obvious to differentiate between malicious and legitimate activity. After discovering data of interest, exfiltration is performed from the target’s network to an external location which the threat actor controls. During the Data Exfiltration step the generated network traffic is made to look like normal traffic as an attempt to avoid detection. After accomplishing their goal, the threat actors take care of Covering their Tracks. However, a backdoor might be left for re-entry. In such a case, the adversaries might come back several times in order to exfiltrate new data.
1. Guerrero-Saade, J. A. (2015). The Ethics and Perils of APT Research: An Unexpected Transition into Intelligence Brokerage.
2. Kaspersky Global Research and Analysis Team. (2014, August 20).
3. Kaspersky Global Research and Analysis Team. (2014). The Darkhotel APT: A Story of unusual hospitality.
4. Kaspersky Lab. (2014). The Regin Platform: Nation-State Ownage Of GSM Networks.
5. Kaspersky Lab. (2015). The Duqu 2.0 Technical Details.