APT is a cyber toolbox for states carrying out cyber espionage operations

Cyber espionage operations are often named with the abbreviation APT, together with a number combination.

Cyber espionage operations are internationally referred to by the abbreviation APT, derived from the words Advanced Persistent Threat. The states behind espionage operations do not publish information on the cyber espionage units working for them. Instead, APT operations are assigned names as similarities in the cyberattacks carried out by them are identified. These similarities include methods such as phishing messages, exploiting vulnerabilities in the hardware or software that the target uses at its network boundary (perimeter), and using stolen user IDs.

Advanced

The term “APT” was adopted at a time when state-run cyber espionage operations aimed at gaining access to the target and staying there as long as possible without anyone noticing. Such operations exploited software vulnerabilities in the targeted systems, with the aim of hiding malicious code in the targeted system. Cyber espionage operations use very advanced methods, complemented by the quick exploitation of any publicly disclosed vulnerabilities.

Persistent

Cybercrime inspired by financial motives will settle for any vulnerable target that the criminals can exploit for financial gain. In cyber espionage, the situation is different: the aim of the operation is to gain access to one specific target. It is therefore in the interests of the perpetrator to try various methods persistently until a well-functioning one is found – and then to maintain this access for as long as possible. Access to the target can also be gained via a party or system with weaker protection that operates close to the target system.

Threat

Cyber espionage is activity that threatens national security. The aim is to gather information on the target country that restricts its international room for manoeuvre or affects its status in global competition. Other objectives of APT operations may be to influence the political atmosphere in the target country through fake news or other measures aimed at paralysing society.

How are APT operations named?

Each APT has been named by the entity that publicly identified the operation, usually an information security company. Some APTs have many different names because various companies have named them based on their own data; the connection between different APT operations may have been found only at a later stage. Often the name consists of the abbreviation APT and a number, but that is not always the case. For example, the operation executed by the Russian military intelligence service GRU, named APT28, is also known as Sofacy.

Is APT a group of hackers?

No. APT is part of controlled, systematic state-run cyber espionage, principally backed by an intelligence service. APTs may collaborate with so-called hacker groups, for example for the purpose of obtaining access.

Is APT malware?

No. Malicious code sent to the target may be used in cyber espionage operations, but it is also possible not to use any detectable code at all. An operation can also be carried out over the internet by manually issuing commands to legitimate software already installed on the target system, such as the tools that system administrators use on a daily basis.
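Because the software being driven is legitimate, there is no malicious file for an antivirus signature to match; a defender has to look at the context in which ordinary administration tools are used instead. The following is an added illustration of that idea, not code from the original article or from any named organisation: a small detector that reads constructed process-creation log lines and flags legitimate admin tools when several contextual signals (account, time of day, session type) are unusual at once. The log format, the tool list, the account list and the business-hours window are all assumptions made for the example.

```python
"""Contextual detection of legitimate admin tools (added example).

The log format, tool list, account list and thresholds below are
assumptions constructed for illustration, not values from the article.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumed: legitimate administration tools an intruder could drive by hand.
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "net.exe", "schtasks.exe"}
# Assumed: accounts that are expected to use those tools.
ADMIN_ACCOUNTS = {"CORP\\sysadmin1"}
# Assumed: local business hours, 07:00-18:59.
BUSINESS_HOURS = range(7, 19)


@dataclass
class Event:
    ts: datetime
    user: str
    process: str
    logon_type: str  # e.g. "interactive", "remote_interactive", "network"


def parse_line(line):
    """Parse one constructed 'ts|user|process|logon_type' log line."""
    ts, user, process, logon = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, process.lower(), logon)


def reasons(ev):
    """Return the contextual anomalies for one event (empty list = benign)."""
    if ev.process not in ADMIN_TOOLS:
        return []  # not an admin tool: nothing to judge here
    out = []
    if ev.user not in ADMIN_ACCOUNTS:
        out.append("non-admin account")
    if ev.ts.hour not in BUSINESS_HOURS:
        out.append("outside business hours")
    if ev.logon_type == "remote_interactive":
        out.append("remote interactive session")
    return out


def score_events(lines, threshold=2):
    """Return (user, process, reasons) for events with >= threshold anomalies.

    Requiring more than one signal keeps a single late-working admin from
    producing an alert; the combination is what stands out.
    """
    flagged = []
    for line in lines:
        ev = parse_line(line)
        why = reasons(ev)
        if len(why) >= threshold:
            flagged.append((ev.user, ev.process, why))
    return flagged


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2024-03-04T10:15:00|CORP\\sysadmin1|powershell.exe|interactive",      # routine admin work
    "2024-03-04T02:40:00|CORP\\jsmith|wmic.exe|remote_interactive",        # three anomalies
    "2024-03-04T14:05:00|CORP\\jsmith|notepad.exe|interactive",            # not an admin tool
    "2024-03-04T23:10:00|CORP\\sysadmin1|schtasks.exe|remote_interactive", # two anomalies
]

if __name__ == "__main__":
    for user, proc, why in score_events(SAMPLE_LOG):
        print(f"{user} ran {proc}: {', '.join(why)}")
```

The first and third sample lines produce no alert, the second and fourth do. In practice the signals would come from authentication and process-creation logs rather than a fixed list, but the shape of the check is the same: the tool is allowed, so the decision rests on who ran it, when, and from what kind of session.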

How does APT work?

As in the physical world, breaking into the target leaves traces, such as the telecommunications connections that were established. To prevent the state behind the operation from being revealed, the individual or entity conducting it also needs network infrastructure for covering those traces. Network traffic may be routed via multiple countries and harmless-looking IP addresses – such as home WiFi routers – so that the operation is not immediately linked with the perpetrating state.