
What is an Advanced Persistent Threat (APT)?

Oleksandr Filipov: Security engineer at Datami, author of articles
Dec 2, 2025 15 min

Cyberattacks are becoming increasingly sophisticated, and the most dangerous ones are those we don’t even notice. An Advanced Persistent Threat (APT) is a type of attack that operates in the shadows, much like professional spies: hackers quietly infiltrate a system, establish persistence, and can observe every step a company takes for months. Due to rising geopolitical tension and businesses’ growing digital dependence, such “invisible” intrusions like APTs are more relevant today than ever.

What is an APT attack?

An Advanced Persistent Threat (APT) is a sophisticated, targeted, and long-term cyberattack in which an attacker gains access to a network and remains undetected for an extended period of time.

The term consists of three key characteristics of the malicious campaign:

  • Advanced – the attack uses complex techniques: from cyber espionage and social engineering to zero-day vulnerabilities.

  • Persistent – attackers aim to remain unnoticed in the system for as long as possible (for months or even years).

  • Threat – attackers act according to a plan and intend to cause harm.

Who carries out APT attacks and why?

The actors behind APT attacks are typically professional, organized, and well-funded threat groups: state-sponsored units conducting intelligence gathering or information warfare, and large cybercrime groups. Unlike lone hackers, they have a structured organization with analysts, technical staff, and operators.

The primary goal of an APT attack is not an immediate effect but access to information and continued access over a long period of time. During that time the actor learns the target's security posture and adjusts the attack strategy based on this intelligence.

There are many motivations for an actor to conduct an APT attack, including:

  • cyber espionage/intelligence gathering;
  • theft of intellectual property/technology;
  • accessing personal/financial information;
  • preparing for future attacks or sabotage;
  • influencing or manipulating political/economic processes.

Who becomes a target of advanced persistent threats?

Due to the level of effort needed to perform an APT attack and the investment in resources required, APT attackers typically focus their efforts on those organizations that have large amounts of sensitive or proprietary information.

Examples of organizations that APTs target:

  • governmental agencies, military/national defense agencies;
  • energy/utilities/telecommunications/transportation companies;
  • financial services industry (banks/investment firms/insurance companies/payment processing firms);
  • Fortune 500 companies in technology/manufacturing/health care;
  • media companies/non-governmental organizations (NGOs)/think tanks.

Threat actors may also exploit smaller companies or organizations: even medium and small businesses can become victims if they are part of the supply chain leading to a more valuable target.

Characteristics of advanced persistent threats

APT threats differ in nature from typical viruses or mass phishing campaigns. These are not random attacks, but long-term operations meticulously planned with the precision of special missions, involving a team of specialists, technical expertise, and a clearly defined goal.

Here are the key characteristics that make APTs unique and dangerous:

Characteristics of APT attacks

1. High technical sophistication

APT actors use advanced tools and techniques: zero-day vulnerabilities, malicious frameworks, rootkits, and sophisticated espionage methods that allow them to operate as stealthily as possible.

2. “Manual” execution

Behind an Advanced Persistent Threat are people: teams of operators, analysts, and technical specialists who analyze the network in real time, manually or with partial automation, and adapt their methods and decisions as they go.

3. Long duration of the attack

Such operations can last for months or even years. Attackers take their time, act methodically, and repeatedly return to an already compromised system.

4. High stealth

APT groups do everything possible to remain undetected: they clean event logs, disguise traffic, use legitimate system tools, and avoid suspicious activity in every possible way.

5. Clear goal and motivation

An APT is not random hacking – the attackers have a specific objective: espionage, data or intellectual property theft, sabotage, or influence on business or government processes.

6. Careful planning

Every step of such a malicious campaign is well thought out. The process consists of clearly defined consecutive phases, from reconnaissance to exfiltration, each planned in advance.

7. Multiple access points and backup backdoors

To maintain stable access, attackers create numerous entry points and C2 channels to avoid losing control of the network even if one point of compromise is discovered.

8. Strong resources and support

APT groups are often funded by states, intelligence agencies, or large criminal organizations. This provides them with significant technical capabilities: advanced tools and highly skilled personnel.

9. Focus on maximum benefit or damage

These are not attacks “for the sake of attacking”: they aim for real, maximum impact rather than mere inconvenience – economic or political gain, or disruption of business processes.

10. Use of diversion tactics

To conceal the main operation, attackers may launch DDoS or other “noisy” attacks that distract security teams, for example, from the theft of confidential information.

Why APT attacks are dangerous

During advanced persistent threats, attackers operate unnoticed, gradually gaining control over critical systems or data. This creates several serious risks:

Prolonged system compromise

APT groups can remain inside the network for months or even years, having access to internal information and infrastructure, and the company may not even suspect that its systems are controlled by outsiders.

Leak of sensitive data

Hackers can quietly collect and exfiltrate financial, personal, or technological information (technologies and R&D, business plans, financial data, personal data of clients and employees, etc.). Such a leak can be extremely costly both reputationally and legally.

Disruption of business processes

APT groups may not only steal data but also prepare for future operations: sabotage, system encryption, and data destruction. The attack can occur at any moment when the attackers consider it beneficial.

Supply chain compromise

A small company may become the “entry point” for an attack on its partners or clients. This leads to loss of trust, contracts, and complicates cooperation with large corporations.

Reputational damage

A public scandal related to an APT attack can seriously harm the brand. Loss of trust from clients and partners often has a longer-lasting impact than financial losses.

Financial losses

Losses from APT attacks are usually measured not in thousands but in millions. Companies face costs for restoring infrastructure, incident investigation, legal fines, and compensation to clients.

Stages of advanced persistent threats

APT attacks are long-term, well-planned operations that consist of four main stages:

1. Infiltration or initial access

To obtain an entry point, attackers penetrate the network using phishing, exploitation of vulnerabilities, infected files, or compromised contractors.

2. Establishing persistence and expanding access

After infiltrating, the APT group installs backdoors, creates hidden command-and-control (C2) channels, and begins exploring the internal infrastructure. This allows them to maintain access even after certain vulnerabilities are fixed.

3. Lateral movement and data preparation

Once higher privileges are obtained, attackers move laterally across the network in search of the most valuable assets. They collect the necessary information and prepare it for exfiltration by compressing or encrypting the data.

4. Exfiltration or sabotage (primary attack)

The main phase involves stealthily transferring data outside the network or performing destructive actions. Even afterward, APT groups may remain inside the system, preparing for repeated intrusions.

Lifecycle of APT attacks: How attackers operate

Advanced persistent threats are unlike ordinary quick breaches – attackers move step by step, quietly expanding their presence and control over the system. When examining the classic lifecycle of an APT attack in more detail, eight clear sequential steps carried out by the attackers can be identified:

Lifecycle of APT attacks

Step 1. Reconnaissance

The goal is to find the most convenient entry point and prepare personalized attacks.

At the beginning, attackers study the target, gathering as much information as possible – the network structure, technologies, open services, employees, their roles, and contacts.

Step 2. Initial compromise

The main task is to enter the network unnoticed. Hackers obtain the first, usually limited, access to the system. To do this, they most often use the following methods:

  • a phishing message with a malicious attachment;
  • exploitation of a zero-day vulnerability;
  • cracking a weak password;
  • compromising a contractor or partner.

Step 3. Establish foothold

Attackers install backdoors, create hidden accounts, or modify configurations to maintain stable access even in the case of reboot or system changes. They also establish a command-and-control (C2) channel – a covert connection to an external server through which they receive commands and transmit data.

Step 4. Privilege escalation

Once inside, attackers typically start with limited access rights, so their priority is to find ways to:

  • gain administrative privileges,
  • obtain credentials by intercepting them, and
  • create new system accounts using unsecured credentials.

This gives the attackers additional access levels and the ability to control larger portions of the overall system.

Step 5. Lateral movement

The primary goal of the attackers at this stage is to identify the specific assets that are the target of the attack.

Having escalated their access level, attackers search the entire network for other servers in order to locate further valuable resources such as databases, internal systems, cloud storage, and file servers.

Step 6. Data collection and exfiltration

Data collection and exfiltration are the primary objectives of the APT attack; all previous activity was leading up to this point.

After determining which data the operation requires, the attackers carefully collect it (financial documents, technology trade secrets, business correspondence, and other types of personal data), then encrypt and compress it and send it out through an intermediary server so that the transfer is disguised as legitimate traffic.

Step 7. Covering tracks

The goal is to complicate or completely block the detection of the attack. To remain unnoticed as long as possible and erase their traces, APT actors:

  • clear or alter event logs,
  • use rootkits,
  • hide malware activity,
  • encrypt or tunnel traffic,
  • may rewrite code.

Step 8. Maintaining persistence

The goal is to be able to return or continue exploitation later.

Even after stealing data or completing a part of the operation, attackers often stay in the network. They create additional backdoors and access points to return at the right moment or continue unobtrusive control.

Common methods used by APT groups

Advanced persistent attacks rarely start with a single click or a random virus. These are full-scale campaigns in which every step is carefully planned, from finding entry points to the stealthy extraction of data. APT groups combine various techniques – technical, psychological, and organizational – to operate as quietly as possible and blend naturally into the company’s normal workflows.

Methods of APT attacks

Here are the most common methods they use:

1. Phishing and social engineering

Initial attacks in an advanced persistent threat commonly begin with a detailed, carefully constructed e-mail (or message).

Such e-mails usually look very professional and appear to come from someone within the company hierarchy (such as a manager or partner); they encourage the recipient to "click a link" or "open an attachment" that in fact gives the attacker remote access to the organization’s network.

In some cases, hackers may also use a “watering hole” attack by focusing on websites that are regularly frequented by users within the targeted organization.

2. Exploitation of vulnerabilities and zero-day

Organizations running applications or services with known security vulnerabilities (unpatched bugs) or outdated software versions are very attractive targets for Advanced Persistent Threat (APT) groups, because exploiting a known vulnerability is far more likely to succeed.

Additionally, "zero-day" vulnerabilities (vulnerabilities that are not known to the security community) are extremely valuable to attackers because they grant access to the organization’s network even when everything appears to be up to date and secure.

3. Supply chain attacks

Rather than attacking the primary target’s network directly, APT groups often go after organizations or individuals that form part of its supply chain (suppliers, manufacturers, service integrators, or software providers, for example).

By pushing a compromised software update through a supplier or abusing a trusted partner integration, attackers gain access to the trusted network of the actual target. Some of the largest and most well-known APT attacks have begun in this way.

4. Malware and hidden backdoors

Malware is used by cybercriminals to establish continuous access to a compromised system. The following types of malicious software may be implemented:

  • trojans disguised as ordinary programs;
  • fileless attacks that operate in memory without leaving “classic” traces;
  • rootkits that provide deep, hidden access.

All of these give the hacker a constant, quiet, and often invisible control channel.

5. Theft and abuse of legitimate credentials

In addition to exploiting technical vulnerabilities, APT groups use a variety of methods to obtain valid usernames and passwords belonging to their victims.

These methods include keylogging, phishing, and cracking weak passwords, among others. Once they control a valid employee account, the attackers can act in the same manner as legitimate employees and blend in with the normal operations of the business.

6. Hidden Command-and-Control (C2) Channels

To control infected devices, attackers create covert command-and-control (C2) channels that may be encrypted or disguised as normal traffic (e.g., DNS queries or legitimate web connections). Through these channels, APT groups issue commands and exfiltrate data while remaining unnoticed.

7. Covering tracks and avoiding detection

To stay off the radar of security analysts, APT groups actively hide their tracks:

  • obfuscate malware code;
  • modify or delete event logs;
  • encrypt traffic;
  • use legitimate system tools instead of “suspicious” utilities.

This makes their activity resemble normal system behavior.

8. Diversion tactics and “smoke screens”

When the main part of the operation occurs, attackers may create distracting noise: launching a DDoS attack or spreading less harmful malware. The goal is to divert the security team’s attention and overwhelm them, causing them to miss the real threat.

Examples of advanced persistent threats

  1. Campaigns aimed at espionage and data theft
     Description: theft of confidential information: documents, personnel data, technologies, R&D, correspondence.
     Examples of attacks: APT29 (Cozy Bear), APT28 (Fancy Bear), APT34 (Helix Kitten / OilRig), SideWinder APT.

  2. Supply chain attacks
     Description: penetration through partners or suppliers: infected updates, compromised integrations, access through third-party services.
     Examples of attacks: MOVEit vulnerability, APT41 (Wicked Panda), APT1 (Comment Crew).

  3. Attacks on critical infrastructure
     Description: targeting energy, transportation, industrial systems, and telecom to gather sensitive technical data or disrupt operations.
     Examples of attacks: Stuxnet, GOBLIN PANDA (APT27), Lazarus Group.

  4. Financially motivated APT operations
     Description: theft of funds, access to financial systems, crypto assets, and manipulation of monetary operations.
     Examples of attacks: Lazarus Group, APT41 (Wicked Panda).

  5. Political/geopolitical attacks and influence operations
     Description: breaching government bodies, media, or think tanks to influence politics, elections, or international processes.
     Examples of attacks: APT28 (Fancy Bear), APT29 (Cozy Bear), SideWinder.

  6. Attacks using zero-day and advanced intrusion techniques
     Description: penetration through unknown vulnerabilities using high-tech tools to bypass defenses.
     Examples of attacks: Equation Group, APT41, Stuxnet, APT1 (Comment Crew).

How to detect an APT threat: What to pay attention to

Advanced persistent threats operate quietly: they mask themselves carefully and avoid causing noticeable disruptions, remaining undetected for months. However, even the most sophisticated APTs leave subtle “traces” that can indicate something unusual is happening within the network.

How to detect an APT threat

We offer a short checklist of signs of a possible APT attack that you should pay attention to:

  1. Have you observed unusual account activity?

  • unexpected logins at night or from external locations;
  • activity on behalf of employees who usually work at a different time;
  • an abnormal number of failed or overly frequent login attempts.

APTs often use stolen accounts to act as a “legitimate user.”

  2. Have you noticed anomalies in network traffic?

  • a sharp increase in outbound data volume;
  • long or unusually structured connections;
  • traffic in directions not typically used by the company.

While preparing data for exfiltration, APT groups move it within the network and then out of it.

  3. Have there been suspicious changes in database activity?

  • sudden increase in queries or operations with large amounts of data;
  • actions not characteristic of a specific service or user;
  • creation of files of unclear origin.

APTs aggregate data before stealthily extracting it.

  4. Have you noticed unexpected files or archives in unusual places?

  • large ZIP/7z archives in temporary directories;
  • folders with “strange” names;
  • files that look legitimate but contain unclear data.

These may be data prepared for transfer to attackers’ servers.

  5. Has there been widespread use of trojans or backdoors?

  • simultaneous detection of several similar malicious components;
  • malware returning after removal;
  • abnormal system processes.

APT groups always create multiple backup access points to the system.

  6. Have targeted phishing emails been received by executives?

  • phishing messages addressed to C-level or technical directors;
  • personalized emails with relevant topics;
  • attachments that launch macros or require “additional permissions.”

APTs almost always begin with high-precision phishing campaigns.

  7. Have you observed strange connections to external servers?

  • new or unknown domains with which connections are frequently established;
  • frequent DNS queries with the same structure;
  • encrypted or non-standard tunnels.

These may be command-and-control (C2) channels through which the attackers direct the operation.

  8. Have you observed abnormal behavior of system tools?

  • PowerShell, WMI, and PsExec launched in unusual scenarios;
  • commands not typical for regular users;
  • automated scripts without a clear purpose.

Attackers often use “legitimate tools” to avoid suspicion.

APT attacks are a chain of anomalies that, together, may indicate an intrusion. The earlier such signals are noticed by an analyst or monitoring system, the higher the chances of preventing data exfiltration or sabotage.
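As an added example (not part of the original article and not Datami’s tooling), the following Python script turns four of the checklist items above into simple heuristics run over constructed log lines: unusual account activity, outbound traffic anomalies, the DNS-based C2 patterns described under “Hidden Command-and-Control (C2) Channels”, and abnormal use of system tools. The key=value log format, the field names, the thresholds, and every host, user, and domain in it are assumptions made for the example.

```python
"""Toy APT-indicator scan over constructed log records (added example)."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not from any real environment); the
# key=value layout and field names are assumptions of this example.
AUTH_LOG = [
    "2025-11-03T02:14:07 user=j.smith src=203.0.113.45 result=success",
    "2025-11-03T09:02:11 user=j.smith src=10.0.5.21 result=success",
    "2025-11-03T10:15:40 user=a.lee src=10.0.5.30 result=success",
] + [f"2025-11-03T11:0{i}:00 user=svc-backup src=10.0.9.9 result=failure"
     for i in range(6)]

DNS_LOG = [
    "2025-11-03T08:00:00 host=ws-17 qname=www.example.com",
    "2025-11-03T08:05:00 host=ws-17 qname=mail.example.org",
] + [f"2025-11-03T08:{m:02d}:00 host=ws-17 "
     f"qname=4a7f9c{m:02d}e1d2b8c3f0a9e7d6.updates-cdn.example"
     for m in range(10, 60, 5)]

# Daily outbound bytes per host for the last four days (constructed).
OUTBOUND_BYTES = {
    "ws-17": [120_000_000, 95_000_000, 110_000_000, 2_400_000_000],
    "srv-db": [800_000_000, 820_000_000, 790_000_000, 810_000_000],
}

PROCESS_LOG = [
    "2025-11-03T09:30:02 host=ws-17 parent=WINWORD.EXE child=powershell.exe",
    "2025-11-03T09:31:10 host=ws-17 parent=explorer.exe child=notepad.exe",
    "2025-11-03T09:40:55 host=srv-db parent=services.exe child=wmic.exe",
]

KV = re.compile(r"(\w+)=(\S+)")
LOLBINS = {"powershell.exe", "wmic.exe", "psexec.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.fromisoformat(ts)}
    rec.update(KV.findall(rest))
    return rec


def unusual_account_activity(lines, work_hours=(7, 19), internal="10.", fail_threshold=5):
    """Checklist item 1: off-hours or external successful logins, and failure bursts."""
    findings, failures = [], defaultdict(int)
    for rec in map(parse, lines):
        off_hours = not work_hours[0] <= rec["ts"].hour < work_hours[1]
        external = not rec["src"].startswith(internal)
        if rec["result"] == "success" and (off_hours or external):
            findings.append(("off-hours/external login", rec["user"], rec["src"]))
        if rec["result"] == "failure":
            failures[rec["user"]] += 1
    findings += [("failed-login burst", u, n) for u, n in failures.items() if n >= fail_threshold]
    return findings


def entropy(s):
    """Shannon entropy in bits per character; random-looking labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def c2_like_dns(lines, min_queries=5, min_entropy=3.0):
    """Checklist item 7: many queries to one domain with high-entropy subdomain
    labels, the repetitive structure that DNS-based C2 channels tend to leave."""
    per_domain = defaultdict(list)
    for rec in map(parse, lines):
        labels = rec["qname"].split(".")
        per_domain[".".join(labels[-2:])].append(labels[0])
    suspects = []
    for domain, subs in per_domain.items():
        avg_entropy = sum(entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_queries and avg_entropy >= min_entropy:
            suspects.append((domain, len(subs), round(avg_entropy, 2)))
    return suspects


def outbound_spikes(daily_bytes, factor=3.0):
    """Checklist item 2: latest day's outbound volume far above the host's own baseline."""
    spikes = []
    for host, series in daily_bytes.items():
        baseline = sum(series[:-1]) / len(series[:-1])
        if series[-1] > factor * baseline:
            spikes.append((host, round(series[-1] / baseline, 1)))
    return spikes


def abnormal_system_tools(lines):
    """Checklist item 8: PowerShell/WMI/PsExec spawned by an office application."""
    hits = []
    for rec in map(parse, lines):
        child, parent = rec["child"].lower(), rec["parent"].lower()
        if child in LOLBINS and parent in OFFICE_PARENTS:
            hits.append((rec["host"], parent, child))
    return hits


if __name__ == "__main__":
    print("account activity:", unusual_account_activity(AUTH_LOG))
    print("C2-like DNS:", c2_like_dns(DNS_LOG))
    print("outbound spikes:", outbound_spikes(OUTBOUND_BYTES))
    print("system tools:", abnormal_system_tools(PROCESS_LOG))
```

Each heuristic is deliberately narrow and is meant to be tuned against the organization’s own baseline: the `wmic.exe` launched by `services.exe` in the sample is not flagged because the parent is not an office application, and a monitoring team would decide from its own telemetry which parent/child pairs are normal. The value of the script is in correlation, as the article notes: a single off-hours login or one large transfer is noise, while several of these signals on the same host in the same window is what an analyst should escalate.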

What to Do if You Suspect an APT Attack

Signs of suspicious activity can be noticed by any employee: for example, unusual files in a folder, a login notification outside working hours, or a strange email from a “manager.”

If your company has a pre-established Incident Response Plan, staff know how to act in such situations.

But if there is no such plan, what should you do before handing the incident over to security specialists? Use our recommendations.

Expert advice

1. Do not take abrupt actions

  • Do not turn off the computer.
  • Do not delete suspicious files or emails.
  • Do not change system settings.

It is important to act calmly and avoid steps that could harm the investigation by erasing important traces or, conversely, alerting the attackers.

2. Record what exactly raised your suspicion

Make a simple record:

  • a screenshot of suspicious files or messages;
  • a brief description of what you noticed and when.

This will help specialists quickly understand where to start the inspection.

3. Check your behavior in the system

  • Do not reopen unknown attachments.
  • Do not click suspicious links.
  • Do not enter your passwords on unfamiliar sites.

4. Do not spread information inside the company

Do not discuss the incident in general chats or with colleagues; if attackers are inside the network, this may signal them to “cover their tracks.”

5. Immediately inform the responsible specialists

If the company has its own cybersecurity specialists, report the incident to them. They know how to respond, can assess the risks, and begin the correct technical actions. Provide them with screenshots and a description of the situation.

If there are no such specialists, inform your manager or the person responsible for IT so they can quickly involve external cybersecurity experts.

What happens next?

After receiving a report of a possible APT attack, cybersecurity specialists conduct a detailed investigation:

  • analyze event logs,
  • isolate suspicious devices,
  • identify possible entry points,
  • check whether there were attempts at lateral movement or data theft.

After the incident is resolved, the company should ensure its protection is strengthened to eliminate the risk of repeated attacks.

Security measures: How to protect yourself from APT threats?

Advanced persistent threats are complex and targeted, so protection must be comprehensive: it should include both technical tools and internal processes. We recommend combining your own security measures with professional support from external specialists.

Protection from APT threats

Recommended technical measures for the company

To create a basic protective “shield,” implement solutions that complicate attackers’ work and reduce the impact of potential intrusion, including:

  • multi-factor authentication (MFA),
  • network segmentation,
  • access control (least privilege / Zero Trust),
  • data encryption,
  • endpoint protection (antivirus / EDR),
  • use of a web application firewall (WAF),
  • regular software updates,
  • backup and recovery testing,
  • network traffic monitoring,
  • contractor and supply chain security control.

Organizational measures against advanced persistent threats

For effective protection, technology alone is not enough – security must be supported by processes:

  • regularly train staff in security culture;
  • develop an incident response plan (IRP);
  • create and regularly update security policies.

The Datami team helps develop these documents “from scratch” and, if necessary, conducts an audit of existing policies and provides recommendations so the company is prepared for APT threats.

What Datami offers for protection against APT attacks

To avoid becoming an easy target for attackers, a company must maintain a high level of defense. This requires independent expertise that can identify non-obvious risks and tools capable of detecting attack preparation at early stages. Datami’s arsenal includes various solutions for testing, monitoring, and restoring the security system to effectively prevent APT threats.

24/7 security monitoring

Cybersecurity monitoring 24/7 is a solution for promptly detecting suspicious activity, lateral movement attempts, C2 traffic, and other signs of APT. The service responds quickly to critical events, instantly blocking attacks and suspicious activity.

Penetration testing (web, mobile, API, infrastructure)

Penetration testing helps identify weak points through which APT groups can infiltrate the network: vulnerabilities in web applications, APIs, mobile apps, cloud, or corporate infrastructure.

Code security review

Advanced persistent threats can exploit even minor defects in software code. Therefore, to detect logical errors, dangerous constructs, and other problematic areas, we offer a code security audit.

Security policy audit

To verify whether a company’s processes are truly capable of resisting long-term and stealthy attacks, a security policy audit is required. This helps identify weaknesses in processes and update the company’s internal rules.

System recovery after incidents

If a company has suffered an attack, we can help with remediation and recovery: removing malware, finding backdoors, restoring infrastructure, and returning digital resources to normal operation.

APT is a challenge you must be prepared for

Any company that works with important information or is part of a supply chain can become a target of advanced persistent threats.

Protection against APT is always a system. No single tool can completely stop such an attack or detect it in time, and even strong internal teams need an external perspective to notice what may remain unseen in day-to-day operations. Therefore, only a combination of technologies, internal processes, trained personnel, and independent expertise provides true resilience.

Preparedness is the key advantage in confronting APT. And the earlier a company begins systematically strengthening its defenses, the lower the likelihood of a successful attack.


Updated: 02.12.2025