APT is a toolbox for cyber spies

Cyber espionage operations are often named with the abbreviation APT, together with a number combination. The abbreviation became known in Finland in connection with the APT31 cyber espionage operation against the parliament. Supo compiled some questions and answers concerning APT operations.

In order to intrude into an information system, an individual or entity carrying out a cyber espionage operation needs some tools. Information is sought and copied from the IT system and eventually it is transferred out of the system without anybody noticing. 

Connections made to the target often leave a trace. In order to prevent the state behind the operation from being revealed, the individual or entity conducting the operation also needs network infrastructure for covering up the traces. Network traffic may be routed via multiple countries and harmless looking IP addresses so that the operation will not immediately be linked with the perpetrating state.  

The abbreviation APT is used to describe such cyber espionage operations. It is not a group consisting of individuals, for example, but a group of technical traces. 

Information security community and security authorities are able to identify cyber operations connected with each other with the help of the traces left by the used methods, software tools and network infrastructure. Identified operations may be named in public. APT identifiers often give very clear indications of the state behind the cyber espionage operation and, mostly, also of the intelligence service.

What does the abbreviation stand for?

APT stands for Advanced Persistent Threat. 


The notion “APT” was adopted in a time when state-run cyber espionage operations aimed at gaining access to the target and staying there as soon as possible without anyone noticing. Software vulnerabilities of the targeted systems were exploited in the cyber espionage operations. 

The operations aim at hiding a malicious code into the targeted system. The code used for cyber espionage operations was very advanced.

Nowadays, ”target-oriented” would be a more descriptive term than “advanced”. The aim of some operations is still to gain long-term access to the target and to operate without being noticed, whereas others attract attention due to the rudimentary methods and painstaking efforts. It is therefore likely that the aim of such operations is more strongly related to communication than to information gathering. 


Cybercrime inspired by financial motives will settle for any vulnerable target that the criminals may exploit in order to achieve financial gain. In cyberespionage, the situation is different. The aim of the operation is to gain access exactly to the specific target. It is therefore in the interests of the perpetrator to try various methods in a persistent manner until a well-functioning one is found. 


Cyber espionage is activity that threatens national security. The aim is to gather such information on the target country that restricts its international margin of manoeuvre or affects its status in the global competition.  

How are APT operations named?

Each APT has been named by the entity having publicly identified the operation, that is, usually an information security company. Some APTs have many different names because various companies have named them based on their own data. The connection between different APT operations might have been found only at a later stage. 

Often the name consists of the abbreviation APT and number but that is not always the case. For example, the operation executed by Russian military intelligence GRU, which was named as APT28, is also known as Sofacy. 

Is APT a group of hackers?

No. APT is part of controlled, systematic state-run cyberespionage. 

Is APT a malware?

No. Malicious code sent to the target may be used in cyber espionage operations but it is also possible not to use any detectable code. An operation can also be carried out over the Internet by abusing legitimate software installed on the target system.