What are Advanced Persistent Threats?

Gain a better understanding of what APTs are, how to detect them, and examples from the wild.



From time to time, stories about major, clandestine cyber attacks targeting global infrastructure, governments, and the institutions and corporations we depend upon find their way into the headlines. In 2010, for example, the public first learned about Stuxnet, a large-scale attack that sabotaged the Iranian nuclear program by targeting the industrial control (SCADA) systems running the centrifuges at its uranium enrichment sites. Since then, we've heard about similar campaigns with thriller-movie-like titles such as Operation Soft Cell against global telecoms and Operation Cobalt Kitty against a large corporation in Asia. These attacks have something in common: they're classified as Advanced Persistent Threats, or APTs. Let's break this down.

APTs are defined by their scale, complexity, and ability to avoid detection and removal for extended periods. They're usually carried out by organized, well-resourced teams rather than solo hackers, and nation-states have often been implicated. Operation Soft Cell, for example, used tools and techniques associated with APT10, a threat actor widely believed to operate on behalf of the Chinese Ministry of State Security (MSS). The purpose of that campaign appears to have been to obtain call detail records (CDRs: call logs, cell tower locations, and more) belonging to specific individuals in various countries, in order to track them or implicate them in illicit activities. Targeted cyber espionage of this kind is typically the work of nation-state threat actors.

In identifying an Advanced Persistent Threat, we use several important criteria.


APT attacks are sophisticated in planning and operation, but the initial intrusion often relies on relatively ordinary means: social engineering, spear-phishing email, or malicious attachments, sometimes carrying a zero-day exploit. Actors try multiple tools and strategies until one gains a foothold, then work out how to exploit each weakness they find. The objective is to get into the network, learn its weaknesses, wait for an opportunity, and then move on to the actual target system. APT operators bring multiple people, tools, and even parallel strategies to bear on a single goal.


The persistent part of the threat implies a larger scope, patience, and a willingness to run false flags or wait for an opportunity before taking the next step of the intrusion. APTs often last from months to several years. Based on our data, Operation Soft Cell has been active since at least 2012, and evidence suggests that the threat actor was working against telecom giants even earlier. Most of the time actors spend inside a network is used for observing, learning the defenses and how to get around them, and advancing toward the end goal slowly enough that prevention and remediation measures are never triggered. An example is exfiltrating critical data in small chunks, at random intervals, so that no single transfer looks abnormal. The Soft Cell attack was apparently designed to observe the actions and whereabouts of a targeted group of individuals through years of daily cell phone activity.
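The "small chunks at random intervals" tactic above is exactly what a per-event size threshold cannot see. The following is an added example (not Cybereason code and not from any of the campaigns named on this page) that runs two rules over a constructed set of outbound-connection records: a naive per-transfer limit and a sliding 30-day cumulative total per host and destination. The log format, hostnames, the "staging.example" destination, the allowlist, and the thresholds are all assumptions chosen for illustration.

```python
"""Low-and-slow exfiltration: per-event thresholds miss it, cumulative windows catch it."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-connection records: timestamp, source host, destination, bytes sent.
# 'staging.example' stands in for an attacker-controlled server; every single transfer
# to it stays under the 5 MiB per-event limit, but the transfers add up over the month.
SAMPLE_FLOWS = """\
2024-03-01T09:12:03Z host-17 updates.vendor.example 812344
2024-03-01T10:40:19Z host-17 staging.example 3981120
2024-03-03T02:17:44Z host-17 staging.example 4102233
2024-03-04T13:05:51Z host-17 backup.corp.example 7340032
2024-03-07T23:48:10Z host-17 staging.example 3676220
2024-03-11T04:31:27Z host-17 staging.example 4466778
2024-03-15T19:02:09Z host-17 staging.example 3920111
2024-03-19T01:57:40Z host-17 staging.example 4203004
2024-03-22T11:11:11Z host-17 staging.example 3850996
2024-03-26T05:44:02Z host-17 staging.example 4123890
2024-03-26T09:00:00Z host-22 updates.vendor.example 655360
"""

PER_EVENT_LIMIT = 5 * 1024 * 1024        # 5 MiB: the kind of threshold a DLP rule applies per transfer
WINDOW = timedelta(days=30)              # how far back the cumulative rule looks
CUMULATIVE_LIMIT = 25 * 1024 * 1024      # 25 MiB to one destination inside the window
ALLOWLIST = {"updates.vendor.example", "backup.corp.example"}  # assumed known-good destinations


def parse_flows(text):
    """Parse the constructed log lines into (timestamp, host, dst, bytes) tuples, oldest first."""
    flows = []
    for line in text.splitlines():
        ts, host, dst, nbytes = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dst, int(nbytes)))
    return sorted(flows)


def per_event_alerts(flows):
    """Naive rule: flag any single transfer to a non-allowlisted destination above PER_EVENT_LIMIT."""
    return [(ts, host, dst, n) for ts, host, dst, n in flows
            if dst not in ALLOWLIST and n > PER_EVENT_LIMIT]


def cumulative_alerts(flows):
    """Sliding-window rule: sum bytes per (host, dst) over WINDOW and flag the first crossing.

    Returns {(host, dst): (timestamp_of_alert, total_bytes_in_window, transfer_count)}.
    """
    alerts = {}
    history = defaultdict(list)  # (host, dst) -> [(ts, bytes), ...] still inside the window
    for ts, host, dst, n in flows:
        if dst in ALLOWLIST:
            continue
        key = (host, dst)
        hist = history[key] + [(ts, n)]
        hist = [(t, b) for t, b in hist if ts - t <= WINDOW]  # age out old transfers
        history[key] = hist
        total = sum(b for _, b in hist)
        if total > CUMULATIVE_LIMIT and key not in alerts:
            alerts[key] = (ts, total, len(hist))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("per-event alerts:", per_event_alerts(flows))
    for (host, dst), (ts, total, count) in cumulative_alerts(flows).items():
        print(f"cumulative alert: {host} -> {dst}: {total} bytes in {count} transfers by {ts:%Y-%m-%d}")
```

On this input the per-event rule fires on nothing (the one transfer over 5 MiB goes to an allowlisted backup server), while the cumulative rule flags host-17 on the seventh small transfer. The cumulative rule is only as good as its allowlist and baseline, so in practice the destination's age (first time seen in the fleet) belongs in the score as well.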


APTs are a threat because they go far beyond most single-actor schemes, attacking high-value targets and whole networks. Any organization that uses a network for communication, control, or data storage is exposed to an APT attack: any industry, local facility, critical infrastructure, or government organization. The attacks are executed by groups with specific, hostile intent, not by a few hackers running automated code. Operators have a concrete objective, such as causing economic damage or political chaos. Sometimes APTs are carried out by government cyber warfare teams or even terrorist groups. They're skilled, motivated, and well funded. APT actors can wait to achieve their end game, and they're dangerous because of their stealth and adherence to a long-term plan.


An APT's perpetrators can have many desired outcomes, for example crippling a company or institution through the loss of consumer data or the theft of trade secrets. On a more drastic scale, power grids or other critical infrastructure can be attacked. As we saw in Operation Soft Cell, APTs can serve espionage, and as we saw with Stuxnet, they can delay or defeat the development of nuclear weapons. Any group with malicious intent, the right talent, and enough funding can carry out an APT attack.

Regarding priority and timing, the first goal is to gain entry to the network via its most vulnerable access points. The goal then evolves as the actors gain more administrative access and learn how the network is secured. Step by step, they clear the path to the target network or system, then work out how to accomplish the aims of the attack. A primary goal of an APT is to become a shadow administration team that knows everything about a network and can remain undetected and active for an extended time. That's also one of the main reasons advanced persistent threats are hard to defeat.


The defining goal of an advanced persistent threat is to remain undetected for a long time in order to gain the desired level of control, or to accomplish the ultimate mission of degrading a system's capability or extracting valuable information on an ongoing basis. Non-persistent threats may share some of the same end goals, but they're usually designed for short-term, high-impact effect, for example exploiting a weakness to disable critical operations at least temporarily. An example would be taking a popular website like Twitter or Facebook offline to cause public outrage and loss of brand reputation, or as punishment for a restrictive policy. The strategy and planning involved in an APT reflect the complexity and difficulty of infiltrating and staying in place for longer timeframes.

In its 2013 report on the Chinese threat group APT1, Mandiant described the lifecycle of an APT attack in the following steps:

    • Initial compromise: performed with social engineering and spear-phishing over email, sometimes with attachments carrying zero-day exploits. Another popular method was planting malware on a website the victim's employees are likely to visit (a "watering hole").
    • Establish foothold: plant remote administration software in the victim's network and create network backdoors and tunnels that allow stealthy access to its infrastructure.
    • Escalate privileges: use exploits and password cracking to acquire administrator privileges on the victim's computers and, where possible, extend them to Windows domain administrator accounts.
    • Internal reconnaissance: collect information on the surrounding infrastructure, trust relationships, and Windows domain structure.
    • Move laterally: expand control to other workstations, servers, and infrastructure elements and harvest data from them.
    • Maintain presence: ensure continued control over the access channels and credentials acquired in previous steps.
    • Complete mission: exfiltrate the collected data (or carry out whatever disruption the operation was built for), then cycle back through the earlier steps as needed.

APT attacks often use the same methods and tools as non-persistent attacks, but they're combined at the planning and execution level to avoid detection and remain in place until the mission has been accomplished, no matter how long it takes.


  • Operation Aurora in 2009: This campaign targeted Google and other U.S. companies. It reportedly originated in China and used a zero-day exploit in Internet Explorer to install a Trojan horse named Hydraq. Google disclosed the attack in January 2010. Named victims included Adobe Systems, Juniper Networks, and Rackspace; other targets that did not publicly disclose the incident reportedly included banks, defense contractors, oil and gas companies, security vendors, and other technology companies.
  • Stuxnet in 2010: a worm, widely attributed to U.S. and Israeli cyber forces, that sabotaged the centrifuges of the Iranian nuclear program to slow the country's ability to enrich uranium.
  • Cobalt Kitty in 2017: Operation Cobalt Kitty was a major cyber-espionage APT against a global corporation in Asia, carried out by the OceanLotus group.
  • Soft Cell in 2018: the Cybereason Nocturnus team identified an advanced, persistent attack on global telecommunications providers, carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors such as APT10.


APT attacks are difficult to detect, analyze, and remediate, for several reasons:

  1. The groups behind them are well funded and often state supported. They have the means and the time to execute a well-planned strategy.
  2. They use the same tools and techniques as low-level, even amateur, hackers to exploit vulnerabilities and gain access. That makes attribution difficult.
  3. Once inside a network, they often wait before taking further action. That makes suspicious behavior hard to spot from real-time alerts, and it means point-in-time remediation can miss the rest of the operation.
  4. If detected, malicious code can be blocked or removed, but the APT team adapts: it tries new approaches using different accounts and privilege levels, and different tools or techniques, to get around security controls. Several simultaneous attacks or false-flag operations may distract security teams and enable lower-profile intrusions.
  5. The ultimate goal of the attack may be more far-reaching than the security team has planned for. Exploiting one network or server may be a single step in a chain of events designed for much wider impact, possibly years from now.


There is no simple way to detect and defend against an APT, and you'll need your company's board on your side as you prepare an effective security plan. It takes people, expertise, and technology to build your defenses. There are several fundamental principles you should embrace in your planning.


Many companies depend too much on prevention, or focus too narrowly on blocking and removing specific malware. Advanced persistent threats are designed to get around these "outer layer" strategies by exploiting multiple weaknesses, including human lapses and deliberate decoys, such as DDoS attacks, that distract security teams from the subtler intrusions happening at the same time.

Adopting the mindset that an attack is already under way helps teams focus on the behaviors and subtle changes over time that could be part of a larger, longer-term campaign. You'll need visibility across your IT environment, including all networks and endpoints. With that visibility, your security team can learn how the APT team operates, what they look for, and which tools they use. By correlating observed events over time, you can reconstruct the plan and shut down the attack as a whole rather than one artifact at a time.


Chances are, your security team receives many threat notifications every day. Some are externally produced by researchers around the globe; some come straight from your own defenses; some are routine malware alerts that trigger automatic countermeasures; some are false positives. Excessive alerts are a time sink that stretches already understaffed security teams, and APT actors count on you focusing on some of these notices while ignoring others.

That leaves openings for well-timed secondary actions that together make up an advanced persistent attack. By all means, monitor and investigate each apparent breach or other suspicious action, but don't assume that blocking or removing it will stop a well-designed intrusion with more far-reaching aims.


Since APT teams are likely to try multiple methods and tools against every access point, you need to monitor your endpoints closely and correlate activity across the entire network. A common APT strategy is to gain entry through a poorly secured endpoint, then move laterally to other endpoints and network segments to find the target system. Analysts must be able to see all of this activity in context to diagnose a higher-order attack and devise an effective mitigation and prevention strategy.
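What "seeing the activity in context" means in practice, for both the cross-endpoint correlation described here and the event-over-time correlation discussed earlier, is pivoting on something the attacker has to reuse, typically an account, and checking whether that account's scattered events cover several stages of the Mandiant lifecycle listed above. The following is an added example (not Cybereason code): it tags each event in a constructed telemetry set with a lifecycle stage, groups events by account, and raises one "operation" when an account spans at least four distinct stages on at least two hosts within 30 days. The event names, hosts, user names, and both thresholds are assumptions; each individual event also occurs legitimately somewhere in the sample fleet, so no single-event rule would fire.

```python
"""Correlate individual endpoint events into one operation by pivoting on the account."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping from endpoint event names to the lifecycle stages listed earlier on the page.
STAGE_OF_EVENT = {
    "office_spawned_shell":   (1, "initial compromise"),
    "run_key_added":          (2, "establish foothold"),
    "lsass_handle_opened":    (3, "escalate privileges"),
    "domain_group_enum":      (4, "internal reconnaissance"),
    "remote_service_created": (5, "move laterally"),
    "scheduled_task_created": (6, "maintain presence"),
    "archive_to_external":    (7, "complete mission"),
}

# Constructed telemetry: timestamp, host, account, event. One account touches two hosts
# over nine days; admin-bob and acarter produce the same event types during normal work.
SAMPLE_EVENTS = """\
2024-05-02T08:14:05Z host-05 jsmith office_spawned_shell
2024-05-02T08:16:40Z host-05 jsmith run_key_added
2024-05-02T09:30:00Z host-20 admin-bob domain_group_enum
2024-05-05T14:02:11Z host-05 jsmith lsass_handle_opened
2024-05-06T07:45:00Z host-07 acarter lsass_handle_opened
2024-05-07T16:22:48Z host-05 jsmith domain_group_enum
2024-05-11T03:05:12Z host-11 jsmith remote_service_created
2024-05-11T03:06:01Z host-11 jsmith scheduled_task_created
2024-05-12T10:00:00Z host-20 admin-bob scheduled_task_created
"""

WINDOW = timedelta(days=30)  # how long an operation is allowed to stretch
MIN_STAGES = 4               # distinct lifecycle stages required before we call it an operation
MIN_HOSTS = 2                # ...and the account must have touched more than one endpoint


def parse_events(text):
    """Parse the constructed log lines into (timestamp, host, user, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, host, user, name = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, name))
    return sorted(events)


def correlate_operations(events):
    """Return {account: (stages, hosts, first_ts, last_ts)} for accounts whose staged events
    span MIN_STAGES stages on MIN_HOSTS hosts inside one WINDOW-long sliding window."""
    by_user = defaultdict(list)
    for ts, host, user, name in events:
        if name in STAGE_OF_EVENT:
            by_user[user].append((ts, host, STAGE_OF_EVENT[name][0]))
    ops = {}
    for user, evs in by_user.items():
        for i, (start, _, _) in enumerate(evs):  # slide the window start over the account's events
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            stages = sorted({s for _, _, s in window})
            hosts = sorted({h for _, h, _ in window})
            if len(stages) >= MIN_STAGES and len(hosts) >= MIN_HOSTS:
                ops[user] = (stages, hosts, start, window[-1][0])
                break
    return ops


def timeline(events, user):
    """Ordered, human-readable view of one account's staged events for the analyst."""
    return [f"{ts:%Y-%m-%d %H:%M} {host:8} stage {STAGE_OF_EVENT[n][0]}: {STAGE_OF_EVENT[n][1]} ({n})"
            for ts, host, u, n in events if u == user and n in STAGE_OF_EVENT]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for user, (stages, hosts, first, last) in correlate_operations(evs).items():
        print(f"{user}: stages {stages} on {hosts} between {first:%Y-%m-%d} and {last:%Y-%m-%d}")
        print("\n".join(timeline(evs, user)))
```

Only jsmith is raised, with stages 1 through 6 across host-05 and host-11; admin-bob's reconnaissance and scheduled task on a single host, and acarter's lone LSASS access, stay below the bar. The pivot is the important design choice: grouping by host would split jsmith's activity into two harmless-looking fragments, which is exactly how lateral movement hides from per-endpoint rules.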


It's hard to overstate the devastating impact of a successful, long-running advanced persistent threat attack. Millions of dollars in lost revenue, repairs, consumer lawsuits, and regulatory penalties are at stake. The stakes are potentially even higher for governments and institutions, with mass disruption of services, loss of public trust, stolen secrets, and even civil unrest as possible outcomes.

Cybereason offers a multi-layer solution to detect and defend against APTs.

  • Future-Ready Protection: Detect advanced threats, accelerate investigations, and ensure complete remediation across the enterprise and wherever the battle moves.
  • Operation-Centric, Not Alert-Centric: Cybereason pinpoints malicious operations (MalOps) from root cause to every affected endpoint and user with real-time, multi-stage displays of the complete attack details, providing analysts the power to understand immediately, pinpoint, and end attacks with a single click. With Cybereason, you don't just stop the breach; you end it before it starts.
  • Behavior-Based Detection: Traditional endpoint security solutions rely on a limited set of Indicators of Compromise (IOCs), the artifacts of previously known attacks. Cybereason goes beyond IOCs, leveraging Indicators of Behavior (IOBs) to detect the subtle signs of an attack. These chains of behavior reveal an attack at its earliest stages by surfacing malicious human and machine activity, exposing and ending never-before-seen attacks before they escalate to a major breach.
  • Team Nocturnus: We have put together a team of some of the world's brightest minds from enterprise security, government intelligence, and the military to uncover emerging global threats. We offer actionable security research, proactive threat hunting, enabling security operations, and holistic incident response to tackle APTs and other enterprise-scale security challenges.

Learn more about our available technology and services to fight advanced security threats.

Read more about advanced persistent threats.

