After a successful asset discovery, adversaries try to exfiltrate data from the compromised network. In many cases the initial C&C server is used as the drop-off point, but other systems and technologies might be involved. The actual approach to exfiltration depends on the APT group's tactics, the amount of data and other circumstances.
In most cases the goal of an APT campaign is the theft of intellectual property or confidential information, or access to specific systems within the target organization's network. For example, adversaries usually target patented technologies, diplomatic information or the computers of researchers and executives in order to monitor their activity. Because the asset of interest is usually in digital form, the theft is hard to detect, which allows the adversaries to carry it out without being noticed.
After the initial host compromise, malicious actors attempt to move laterally within the compromised organization and focus their efforts on internal reconnaissance, credential harvesting and attacks on internal systems. It is common for built-in tools to be used during this step in order to avoid detection, because tools like Microsoft's PowerShell and WMI are whitelisted and their activity is often not part of the security log review process. Avoiding detection on the network is a key aspect of long-term, persistent campaigns.
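As an added example, not part of the original text, the kind of review the paragraph above says is often missing: a small Python check over constructed Sysmon-style process-creation records that flags interpreters spawned by the WMI provider host and PowerShell started with an encoded command. The record fields, hostnames and command lines are invented for illustration.

```python
import re

# Constructed, simplified process-creation records (Sysmon Event ID 1 style).
# These are made-up events for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "WS-02", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "WS-03", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand SQBFAFgA..."},
    {"host": "WS-04", "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

# Built-in interpreters that rarely have a legitimate reason to be children of WmiPrvSE.exe.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# Common spellings of the -EncodedCommand switch (PowerShell accepts unambiguous prefixes).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)(?=\s)")


def basename(path):
    """File name of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of finding labels for one process-creation event."""
    findings = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    # Remote WMI execution: the WMI provider host is the parent of a shell or script interpreter.
    if parent == "wmiprvse.exe" and image in INTERPRETERS:
        findings.append("wmi_spawned_interpreter")
    # Obfuscated PowerShell: an encoded command hides the script body from plain log review.
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(cmd):
        findings.append("powershell_encoded_command")
    return findings


def review(events):
    """Map each host with at least one finding to its findings."""
    report = {}
    for event in events:
        findings = classify(event)
        if findings:
            report[event["host"]] = findings
    return report
```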
Once the initial foothold is established, the attackers seek ways to spread through the network. It is often the case that the initial compromise happens on a computer which is of no particular importance to the APT campaign. Therefore, attackers try to escalate their privileges on this machine so that they can start moving through the target's infrastructure in order to find and compromise systems on the network that store valuable information.
During the APT campaign adversaries need to maintain active connections with the compromised infrastructure. While the initial malware plays an important role, it is important for the attackers to establish a Command and Control (C&C) infrastructure in order to interact with the infected host. C&C provides a means of upgrading the malware, performing further attacks and supporting the data exfiltration stage. Therefore, attackers make sure that the C&C is stealthy, not blocked by the target's network monitoring systems and resilient to takedowns.
To secure access to a compromised system, attackers use persistence to make sure their backdoor remains installed and running across system reboots. This allows intruders to control the infected system in the future and proceed with further exploitation of the target or its infrastructure. The sophistication of the persistence method used by the attackers usually depends on the system access rights they have gained and on their tactics: the higher the access level, the more sophisticated and stealthy the persistence that can be applied.