Wikipedia

Advanced persistent threat

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.[1][2] In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.[3]

Such threat actors' motivations are typically political or economic.[4] Every major business sector has recorded instances of cyberattacks by advanced actors with specific goals, whether to steal, spy, or disrupt. These targeted sectors include government, defense, financial services, legal services, industrial, telecoms, consumer goods and many more.[5][6][7] Some groups utilize traditional espionage vectors, including social engineering, human intelligence and infiltration to gain access to a physical location to enable network attacks. The purpose of these attacks is to install custom malware (malicious software).[8]

APT attacks on mobile devices have also become a legitimate concern, since attackers are able to penetrate into cloud and mobile infrastructure to eavesdrop, steal, and tamper with data.[9]

The median "dwell-time", the time an APT attack goes undetected, differs widely between regions. FireEye reported the mean dwell-time for 2018 in the Americas as 71 days, EMEA as 177 days, and APAC as 204 days.[5] Such a long dwell-time allows attackers a significant amount of time to go through the attack cycle, propagate, and achieve their objectives.

Definition

Definitions of precisely what an APT is can vary, but can be summarized by their named requirements below:

  • Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include commercial and open source computer intrusion technologies and techniques, but may also extend to include the intelligence apparatus of a state. While individual components of the attack may not be considered particularly "advanced" (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from "less advanced" threats.[3][10][11]
  • Persistent – Operators have specific objectives, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a "low-and-slow" approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully. One of the operator's goals is to maintain long-term access to the target, in contrast to threats who only need access to execute a specific task.[10][12]
  • Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded. Actors are not limited to state-sponsored groups.[3][10]

History and targets

Warnings against targeted, socially-engineered emails dropping trojans to exfiltrate sensitive information were published by UK and US CERT organisations in 2005. This method was used throughout the early 1990s and does not in itself constitute an APT. The term "advanced persistent threat" has been cited as originating from the United States Air Force in 2006[13] with Colonel Greg Rattray cited as the individual who coined the term.[14]

The Stuxnet computer worm, which targeted the computer hardware of Iran's nuclear program, is one example of an APT attack. In this case, the Iranian government might consider the Stuxnet creators to be an advanced persistent threat.[citation needed][15]

Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated computer network exploitation aimed at governments, companies, and political activists, and by extension, also to ascribe the A, P and T attributes to the groups behind these attacks.[16] Advanced persistent threat (APT) as a term may be shifting focus to computer-based hacking due to the rising number of occurrences. PC World reported an 81 percent increase from 2010 to 2011 of particularly advanced targeted computer attacks.[17]

Actors in many countries have used cyberspace as a means to gather intelligence on individuals and groups of individuals of interest.[18][19][20] The United States Cyber Command is tasked with coordinating the US military's offensive and defensive cyber operations.[21]

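Numerous sources have alleged that some APT groups are affiliated with, or are agents of, governments of sovereign states.[22][23][24] Businesses holding a large quantity of personally identifiable information are at high risk of being targeted by advanced persistent threats, including:[25]

  • Agriculture[26]
  • Energy
  • Financial institutions
  • Health care
  • Higher education[27]
  • Manufacturing
  • Technology
  • Telecommunications
  • Transportation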

A Bell Canada study provided deep research into the anatomy of APTs and uncovered widespread presence in Canadian government and critical infrastructure. Attribution was established to Chinese and Russian actors.[28]

Life cycle

 
A diagram depicting the life cycle staged approach of an advanced persistent threat (APT), which repeats itself once complete.

Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation[29] by following a continuous process or kill chain:

  1. Target specific organizations for a singular objective
  2. Attempt to gain a foothold in the environment (common tactics include spear phishing emails)
  3. Use the compromised systems as access into the target network
  4. Deploy additional tools that help fulfill the attack objective
  5. Cover tracks to maintain access for future initiatives

The global landscape of APTs from all sources is sometimes referred to in the singular as "the" APT, as are references to the actor behind a specific incident or series of incidents, but the definition of APT includes both actor and method.[30]

In 2013, Mandiant presented the results of its research on alleged Chinese attacks using the APT method between 2004 and 2013[31] that followed a similar lifecycle:

  • Initial compromise – performed by use of social engineering and spear phishing, over email, using zero-day viruses. Another popular infection method was planting malware on a website that the victim's employees will be likely to visit.[32]
  • Establish foothold – plant remote administration software in the victim's network, create net backdoors and tunnels allowing stealth access to its infrastructure.
  • Escalate privileges – use exploits and password cracking to acquire administrator privileges over the victim's computer and possibly expand them to Windows domain administrator accounts.
  • Internal reconnaissance – collect information on surrounding infrastructure, trust relationships, Windows domain structure.
  • Move laterally – expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.
  • Maintain presence – ensure continued control over access channels and credentials acquired in previous steps.
  • Complete mission – exfiltrate stolen data from the victim's network.

In incidents analysed by Mandiant, the average period over which the attackers controlled the victim's network was one year, with the longest lasting almost five years.[31] The infiltrations were allegedly performed by the Shanghai-based Unit 61398 of the People's Liberation Army. Chinese officials have denied any involvement in these attacks.[33]

Earlier reports from Secdev had discovered and implicated Chinese actors.[34]

Mitigation strategies

There are tens of millions of malware variations,[35] which makes it extremely challenging to protect organizations from APT. While APT activities are stealthy and hard to detect, the command and control network traffic associated with APT can be detected at the network layer level with sophisticated methods. Deep log analyses and log correlation from various sources are of limited usefulness in detecting APT activities. It is challenging to separate noise from legitimate traffic. Traditional security technology and methods have been ineffective in detecting or mitigating APTs.[36] Active cyber defense has yielded greater efficacy in detecting and prosecuting APTs (find, fix, finish) when applying cyber threat intelligence to hunt and adversary pursuit activities.[37][38] Human-Introduced Cyber Vulnerabilities (HICV) are a weak cyber link that is neither well understood nor mitigated, constituting a significant attack vector.[39]

APT groups

China

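Since Xi Jinping became General Secretary of the Chinese Communist Party in 2012, the Ministry of State Security gained more responsibility over cyberespionage vis-à-vis the People's Liberation Army, and currently oversees various APT groups.[40] According to security researcher Timo Steffens, "the APT landscape in China is run in a 'whole country' approach, leveraging skills from universities, individual, and private and public sectors".[41]

  • APT1 is PLA Unit 61398
  • APT2 is PLA Unit 61486
  • APT3 (aka Boyusec) is the Guangdong State Security Department of the MSS[42]
  • APT10 (aka Red Apollo) is the Tianjin State Security Bureau of the MSS
  • APT12 (aka Numbered Panda) is an unidentified unit of the PLA
  • APT17 (aka DeputyDog) is an unidentified unit of the Chinese government[43]
  • APT18 (aka Dynamite Panda or Scandium) is a unit of the People's Liberation Army Navy[44]
  • APT19 (aka Deep Panda or C0d0so0 Team) is an unidentified unit of the Chinese government
  • APT20 (aka Violin Panda or Wocao) is an unidentified unit of the Chinese government[45][46]
  • APT22 (aka Suckfly) is an unidentified unit of the Chinese government
  • APT26 (aka Turbine Panda) is the Jiangsu State Security Department of the MSS
  • APT27 (aka Emissary Panda) is an unidentified unit of the Chinese government[47]
  • APT30 (aka Naikon) is PLA Unit 78020
  • APT31 (aka Zirconium or Hurricane Panda) is the Hubei State Security Department of the MSS[48][49][50][51]
  • APT40 is the Hainan State Security Department of the MSS
  • Hafnium is closely associated with APT40[52][53][54]
  • APT41 (also known as Double Dragon, Winnti Group, or Barium) is a unit of the Ministry of State Security based in Chengdu, China[55][56][57][58][44]
  • LightBasin[59][60] (also known as UNC1945)
  • Dragonbridge[61]
  • Tropic Trooper[62][63]
  • Volt Typhoon[64]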

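Iran

  • Charming Kitten (also known as APT35)
  • Elfin Team (also known as APT33)
  • Helix Kitten (also known as APT34)
  • Pioneer Kitten[65]
  • Remix Kitten (also known as APT39, ITG07, or Chafer)[66][67]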

North Korea

  • Kimsuky
  • Lazarus Group (also known as APT38)
  • Ricochet Chollima (also known as APT37)

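Russia

  • Berserk Bear
  • Cozy Bear (also known as APT29)
  • Fancy Bear (also known as APT28)
  • FIN7
  • Gamaredon[68] (also known as Primitive Bear)[a]
  • Sandworm
  • Venomous Bear[71]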

Türkiye

  • StrongPity (also known as APT-C-41 or PROMETHIUM)[72]

United States

Uzbekistan

Vietnam

Naming

Multiple organizations may assign different names to the same actor. As separate researchers could each have their own varying assessments of an APT group, companies such as CrowdStrike, Kaspersky, Mandiant, and Microsoft, among others, have their own internal naming schemes.[77] Names between different organizations may refer to overlapping but ultimately different groups, based on various data gathered.

CrowdStrike assigns animals by nation-state or other category, such as "Kitten" for Iran and "Spider" for groups focused on cybercrime.[78] Other companies have named groups based on this system — Rampant Kitten, for instance, was named by Check Point rather than CrowdStrike.[79]

Dragos bases its names for APT groups on minerals.[77]

Mandiant assigns numbered acronyms in three categories, APT, FIN, and UNC, resulting in APT names like FIN7. Other companies using a similar system include Proofpoint (TA) and IBM (ITG and Hive).[77]

Microsoft used to assign names from the periodic table, often stylized in all-caps (e.g. POTASSIUM); in April 2023, Microsoft changed its naming schema to use weather-based names (e.g. Volt Typhoon).[80]

Notes

  a. Active since 2013. Unlike most APTs, Gamaredon broadly targets all users all over the globe (in addition to also focusing on certain victims, especially Ukrainian organizations[69]) and appears to provide services for other APTs.[70] For example, the InvisiMole threat group has attacked select systems that Gamaredon had earlier compromised and fingerprinted.[69]

References

  1. "What Is an Advanced Persistent Threat (APT)?". www.kaspersky.com. Archived from the original on 22 March 2021. Retrieved 11 August 2019.
  2. "What Is an Advanced Persistent Threat (APT)?". Cisco. Archived from the original on 22 March 2021. Retrieved 11 August 2019.
  3. Maloney, Sarah. "What is an Advanced Persistent Threat (APT)?". Archived from the original on 7 April 2019. Retrieved 9 November 2018.
  4. Cole, Eric (2013). Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization. Syngress. OCLC 939843912.
  5. "M-Trends Cyber Security Trends". FireEye. Archived from the original on 21 September 2021. Retrieved 11 August 2019.
  6. (PDF). FireEye. Archived from the original (PDF) on 11 August 2019.
  7. (PDF). FireEye. Archived from the original (PDF) on 11 August 2019.
  8. (PDF). Symantec. Archived from the original (PDF) on 8 May 2018.
  9. Au, Man Ho (2018). "Privacy-preserving personal data operation on mobile cloud—Chances and challenges over advanced persistent threat". Future Generation Computer Systems. 79: 337–349. doi:10.1016/j.future.2017.06.021.
  10. "Advanced Persistent Threats (APTs)". IT Governance. Archived from the original on 11 August 2019. Retrieved 11 August 2019.
  11. "Advanced persistent Threat Awareness" (PDF). TrendMicro Inc. Archived (PDF) from the original on 10 June 2016. Retrieved 11 August 2019.
  12. "Explained: Advanced Persistent Threat (APT)". Malwarebytes Labs. 26 July 2016. Archived from the original on 9 May 2019. Retrieved 11 August 2019.
  13. (PDF). SANS Technology Institute. Archived from the original (PDF) on 26 June 2013. Retrieved 14 April 2013.
  14. Forrester Research. Archived from the original on 15 April 2014. Retrieved 14 April 2014.
  15. Beim, Jared (2018). "Enforcing a Prohibition on International Espionage". Chicago Journal of International Law. 18: 647–672. ProQuest 2012381493. Archived from the original on 22 May 2021. Retrieved 18 January 2023.
  16. "Advanced Persistent Threats: Learn the ABCs of APTs - Part A". SecureWorks. Archived from the original on 7 April 2019. Retrieved 23 January 2017.
  17. Olavsrud, Thor (30 April 2012). CIO Magazine. Archived from the original on 14 April 2021. Retrieved 14 April 2021.
  18. BusinessWeek. 10 April 2008. Archived from the original on 10 January 2010. Retrieved 20 January 2010.
  19. BusinessWeek. 10 April 2008. Archived from the original on 18 April 2011. Retrieved 19 March 2011.
  20. Rosenbach, Marcel; Schulz, Thomas; Wagner, Wieland (19 January 2010). "Google Under Attack: The High Cost of Doing Business in China". Der Spiegel. Archived from the original on 21 January 2010. Retrieved 20 January 2010.
  21. "Commander Discusses a Decade of DOD Cyber Power". U.S. Department of Defense. Archived from the original on 19 September 2020. Retrieved 28 August 2020.
  22. "Under Cyberthreat: Defense Contractors". Bloomberg.com. BusinessWeek. 6 July 2009. Archived from the original on 11 January 2010. Retrieved 20 January 2010.
  23. "Understanding the Advanced Persistent Threat". Tom Parker. 4 February 2010. Archived from the original on 18 February 2010. Retrieved 4 February 2010.
  24. "Advanced Persistent Threat (or Informationized Force Operations)" (PDF). Usenix, Michael K. Daly. 4 November 2009. Archived (PDF) from the original on 11 May 2021. Retrieved 4 November 2009.
  25. Dell SecureWorks. Archived from the original on 5 March 2016. Retrieved 21 May 2012.
  26. Gonzalez, Joaquin Jay III; Kemp, Roger L. (16 January 2019). Cybersecurity: Current Writings on Threats and Protection. McFarland. p. 69. ISBN 978-1-4766-7440-7.
  27. Ingerman, Bret; Yang, Catherine (31 May 2011). "Top-Ten IT Issues, 2011". Educause Review. Archived from the original on 14 April 2021. Retrieved 14 April 2021.
  28. McMahon, Dave; Rohozinski, Rafal. "The Dark Space Project: Defence R&D Canada – Centre for Security Science Contractor Report DRDC CSS CR 2013-007" (PDF). publications.gc.ca. Archived (PDF) from the original on 5 November 2016. Retrieved 1 April 2021.
  29. Secureworks. Secureworks Insights. Archived from the original on 7 April 2019. Retrieved 24 February 2016.
  30. EMAGCOMSECURITY (9 April 2015). "APT (Advanced Persistent Threat) Group". Archived from the original on 15 January 2019. Retrieved 15 January 2019.
  31. Mandiant. 2013. Archived from the original on 2 February 2015. Retrieved 19 February 2013.
  32. "What are MITRE ATT&CK initial access techniques". GitGuardian - Automated Secrets Detection. 8 June 2021. Archived from the original on 29 November 2023. Retrieved 13 October 2023.
  33. Blanchard, Ben (19 February 2013). "China says U.S. hacking accusations lack technical proof". Reuters. Archived from the original on 14 April 2021. Retrieved 14 April 2021.
  34. Deibert, R.; Rohozinski, R.; Manchanda, A.; Villeneuve, N.; Walton, G (28 March 2009). "Tracking GhostNet: investigating a cyber espionage network". The Munk Centre for International Studies, University of Toronto. Archived from the original on 27 December 2023. Retrieved 27 December 2023.
  35. Ric Messier (30 October 2013). GSEC GIAC Security Essentials Certification All. McGraw Hill Professional, 2013. p. xxv. ISBN 978-0-07-182091-2.
  36. "Anatomy of an APT (Advanced Persistent Threat) Attack". FireEye. Archived from the original on 7 November 2020. Retrieved 14 November 2020.
  37. "Threat Intelligence in an Active Cyber Defense (Part 1)". Recorded Future. 18 February 2015. Archived from the original on 20 June 2021. Retrieved 10 March 2021.
  38. "Threat Intelligence in an Active Cyber Defense (Part 2)". Recorded Future. 24 February 2015. Archived from the original on 27 February 2021. Retrieved 10 March 2021.
  39. "A Context-Centred Research Approach to Phishing and Operational Technology in Industrial Control Systems | Journal of Information Warfare". www.jinfowar.com. Archived from the original on 31 July 2021. Retrieved 31 July 2021.
  40. Mozur, Paul; Buckley, Chris (26 August 2021). "Spies for Hire: China's New Breed of Hackers Blends Espionage and Entrepreneurship". The New York Times. ISSN 0362-4331. Archived from the original on 27 August 2021. Retrieved 27 August 2021.
  41. Stone, Jeff (5 October 2020). "Foreign spies use front companies to disguise their hacking, borrowing an old camouflage tactic". cyberscoop.com. Cyberscoop. Archived from the original on 22 March 2021. Retrieved 11 October 2020.
  42. "Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak". Symantec. 7 May 2019. Archived from the original on 7 May 2019. Retrieved 23 July 2019.
  43. (PDF). FireEye. May 2015. Archived from the original (PDF) on 24 November 2023. Retrieved 21 March 2021.
  44. "China-Based Threat Actors" (PDF). U.S. Department of Health and Human Services Office of Information Security. 16 August 2023. Archived (PDF) from the original on 29 December 2023. Retrieved 29 April 2024.
  45. van Dantzig, Maarten; Schamper, Erik (19 December 2019). (PDF). fox-it.com. NCC Group. Archived from the original (PDF) on 22 March 2021. Retrieved 23 December 2019.
  46. Vijayan, Jai (19 December 2019). "China-Based Cyber Espionage Group Targeting Orgs in 10 Countries". www.darkreading.com. Dark Reading. Archived from the original on 7 May 2021. Retrieved 12 January 2020.
  47. Lyngaas, Sean (10 August 2021). "Chinese hackers posed as Iranians to breach Israeli targets, FireEye says". www.cyberscoop.com. Archived from the original on 29 November 2023. Retrieved 15 August 2021.
  48. "Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure". U.S. Department of the Treasury. 19 March 2024. Archived from the original on 25 March 2024. Retrieved 25 March 2024.
  49. Lyngaas, Sean (16 October 2020). "Google offers details on Chinese hacking group that targeted Biden campaign". Cyberscoop. Archived from the original on 7 May 2021. Retrieved 16 October 2020.
  50. Hui, Sylvia (25 March 2024). "US and UK announce sanctions over China-linked hacks on election watchdog and lawmakers". Associated Press. Archived from the original on 25 March 2024. Retrieved 25 March 2024.
  51. Lyngaas, Sean (12 February 2019). "Right country, wrong group? Researchers say it wasn't APT10 that hacked Norwegian software firm". www.cyberscoop.com. Cyberscoop. Archived from the original on 7 May 2021. Retrieved 16 October 2020.
  52. Naraine, Ryan (2 March 2021). "Microsoft: Multiple Exchange Server Zero-Days Under Attack by Chinese Hacking Group". securityweek.com. Wired Business Media. Archived from the original on 6 July 2023. Retrieved 3 March 2021.
  53. Burt, Tom (2 March 2021). "New nation-state cyberattacks". blogs.microsoft.com. Microsoft. Archived from the original on 2 March 2021. Retrieved 3 March 2021.
  54. Gatlan, Sergiu (19 July 2021). "US and allies officially accuse China of Microsoft Exchange attacks". Bleeping Computer. Archived from the original on 25 March 2024. Retrieved 25 March 2024.
  55. FireEye. 16 October 2019. Archived from the original on 7 May 2021. Retrieved 14 April 2020.
  56. "Bureau names ransomware culprits". www.taipeitimes.com. Taipei Times. 17 May 2020. Archived from the original on 22 March 2021. Retrieved 22 May 2020.
  57. Tartare, Mathieu; Smolár, Martin (21 May 2020). "No "Game over" for the Winnti Group". www.welivesecurity.com. We Live Security. Archived from the original on 22 March 2021. Retrieved 22 May 2020.
  58. Greenberg, Andy (6 August 2020). "Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry". Wired. Archived from the original on 22 March 2021. Retrieved 7 August 2020.
  59. Nichols, Shaun (20 October 2021). "'LightBasin' hackers spent 5 years hiding on telco networks". TechTarget. Archived from the original on 29 November 2023. Retrieved 8 April 2022.
  60. Ilascu, Ionut (19 October 2021). "LightBasin hacking group breaches 13 global telecoms in two years". Bleeping Computer. Archived from the original on 24 July 2023. Retrieved 8 April 2022.
  61. Sabin, Sam (26 October 2022). "New pro-China disinformation campaign targets 2022 elections: Report". Axios. Archived from the original on 26 October 2022. Retrieved 27 October 2022.
  62. Chen, Joey (12 May 2020). "Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments". blog.trendmicro.com. Trend Micro. Archived from the original on 22 March 2021. Retrieved 16 May 2020.
  63. Cimpanu, Catalin. "Hackers target the air-gapped networks of the Taiwanese and Philippine military". ZDnet. Archived from the original on 22 March 2021. Retrieved 16 May 2020.
  64. Microsoft Threat Intelligence (24 May 2023). "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques". Microsoft Security Blog. Archived from the original on 17 January 2024. Retrieved 26 May 2023.
  65. Montalbano, Elizabeth (1 September 2020). "Pioneer Kitten APT Sells Corporate Network Access". Threat Post. Archived from the original on 22 March 2021. Retrieved 3 September 2020.
  66. "APT39, ITG07, Chafer, Remix Kitten, Group G0087 | MITRE ATT&CK®". attack.mitre.org. Archived from the original on 30 December 2022. Retrieved 30 December 2022.
  67. "Crowdstrike Global Threat Report 2020" (PDF). crowdstrike.com. 2020. Archived (PDF) from the original on 14 March 2020. Retrieved 30 December 2020.
  68. Kyle Alspach (4 February 2022). "Microsoft discloses new details on Russian hacker group Gamaredon". VentureBeat. Archived from the original on 6 February 2022. Retrieved 22 March 2022.
  69. Charlie Osborne (21 March 2022). "Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers". ZDNet. Archived from the original on 22 March 2022. Retrieved 22 March 2022.
  70. Warren Mercer; Vitor Ventura (23 February 2021). "Gamaredon - When nation states don't pay all the bills". Cisco. Archived from the original on 19 March 2022. Retrieved 22 March 2022.
  71. "Adversary: Venomous Bear - Threat Actor". Crowdstrike Adversary Universe. Retrieved 22 March 2022.
  72. Warren Mercer; Paul Rascagneres; Vitor Ventura (29 June 2020). "PROMETHIUM extends global reach with StrongPity3 APT". Cisco. Archived from the original on 22 March 2022. Retrieved 22 March 2022.
  73. "Equation: The Death Star of Malware Galaxy". Kaspersky Lab. 16 February 2015. Archived from the original on 11 July 2019. Retrieved 23 July 2019.
  74. Gallagher, Sean (3 October 2019). "Kaspersky finds Uzbekistan hacking op… because group used Kaspersky AV". arstechnica.com. Ars Technica. Archived from the original on 22 March 2021. Retrieved 5 October 2019.
  75. Panda, Ankit. "Offensive Cyber Capabilities and Public Health Intelligence: Vietnam, APT32, and COVID-19". thediplomat.com. The Diplomat. Archived from the original on 22 March 2021. Retrieved 29 April 2020.
  76. Tanriverdi, Hakan; Zierer, Max; Wetter, Ann-Kathrin; Biermann, Kai; Nguyen, Thi Do (8 October 2020). Nierle, Verena; Schöffel, Robert; Wreschniok, Lisa (eds.). "Lined up in the sights of Vietnamese hackers". Bayerischer Rundfunk. Archived from the original on 22 March 2021. Retrieved 11 October 2020. In Bui's case the traces lead to a group presumably acting on behalf of the Vietnamese state. Experts have many names for this group: APT 32 and Ocean Lotus are best known. In conversations with a dozen of information security specialists, they all agreed that this is a Vietnamese group spying, in particular, on its own compatriots.
  77. BushidoToken (20 May 2022). "Threat Group Naming Schemes In Cyber Threat Intelligence". Curated Intelligence. Archived from the original on 8 December 2023. Retrieved 21 January 2024.
  78. "CrowdStrike 2023 Global Threat Report" (PDF). CrowdStrike. Archived (PDF) from the original on 26 March 2024. Retrieved 21 January 2024.
  79. "Rampant Kitten". Thailand Electronic Transactions Development Agency. Archived from the original on 29 November 2022. Retrieved 21 January 2024.
  80. Lambert, John (18 April 2023). "Microsoft shifts to a new threat actor naming taxonomy". Microsoft. Archived from the original on 22 January 2024. Retrieved 21 January 2024.

External links

Lists of APT groups
  • Mandiant: Advanced Persistent Threat Groups
  • MITRE ATT&CK security community tracked Advanced Persistent Group Pages

Equation Group 73 Uzbekistan edit SandCat associated with the State Security Service according to Kaspersky 74 Vietnam edit OceanLotus also known as APT32 75 76 Naming editMultiple organizations may assign different names to the same actor As separate researchers could each have their own varying assessments of an APT group companies such as CrowdStrike Kaspersky Mandiant and Microsoft among others have their own internal naming schemes 77 Names between different organizations may refer to overlapping but ultimately different groups based on various data gathered CrowdStrike assigns animals by nation state or other category such as Kitten for Iran and Spider for groups focused on cybercrime 78 Other companies have named groups based on this system Rampant Kitten for instance was named by Check Point rather than CrowdStrike 79 Dragos bases its names for APT groups on minerals 77 Mandiant assigns numbered acronyms in three categories APT FIN and UNC resulting in APT names like FIN7 Other companies using a similar system include Proofpoint TA and IBM ITG and Hive 77 Microsoft used to assign names from the periodic table often stylized in all caps e g POTASSIUM in April 2023 Microsoft changed its naming schema to use weather based names e g Volt Typhoon 80 See also editBureau 121 Chinese intelligence activity abroad Cyber spying Darkhotel Fileless malware Ghostnet Kill chain NetSpectre Operation Aurora Operation Shady RAT Proactive cyber defence Spear phishing Spyware Stuxnet Tailored Access Operations Unit 180 Unit 8200Notes edit active since 2013 unlike most APTs Gamaredon broadly targets all users all over the globe in addition to also focusing on certain victims especially Ukrainian organizations 69 and appears to provide services for other APTs 70 For example the InvisiMole threat group has attacked select systems that Gamaredon had earlier compromised and fingerprinted 69 References edit What Is an Advanced Persistent Threat APT www kaspersky com Archived from 
the original on 22 March 2021 Retrieved 11 August 2019 What Is an Advanced Persistent Threat APT Cisco Archived from the original on 22 March 2021 Retrieved 11 August 2019 a b c Maloney Sarah What is an Advanced Persistent Threat APT Archived from the original on 7 April 2019 Retrieved 9 November 2018 Cole Eric 2013 Advanced Persistent Threat Understanding the Danger and How to Protect Your Organization Syngress OCLC 939843912 a b M Trends Cyber Security Trends FireEye Archived from the original on 21 September 2021 Retrieved 11 August 2019 Cyber Threats to the Financial Services and Insurance Industries PDF FireEye Archived from the original PDF on 11 August 2019 Cyber Threats to the Retail and Consumer Goods Industry PDF FireEye Archived from the original PDF on 11 August 2019 Advanced Persistent Threats A Symantec Perspective PDF Symantec Archived from the original PDF on 8 May 2018 Au Man Ho 2018 Privacy preserving personal data operation on mobile cloud Chances and challenges over advanced persistent threat Future Generation Computer Systems 79 337 349 doi 10 1016 j future 2017 06 021 a b c Advanced Persistent Threats APTs IT Governance Archived from the original on 11 August 2019 Retrieved 11 August 2019 Advanced persistent Threat Awareness PDF TrendMicro Inc Archived PDF from the original on 10 June 2016 Retrieved 11 August 2019 Explained Advanced Persistent Threat APT Malwarebytes Labs 26 July 2016 Archived from the original on 9 May 2019 Retrieved 11 August 2019 Assessing Outbound Traffic to Uncover Advanced Persistent Threat PDF SANS Technology Institute Archived from the original PDF on 26 June 2013 Retrieved 14 April 2013 Introducing Forrester s Cyber Threat Intelligence Research Forrester Research Archived from the original on 15 April 2014 Retrieved 14 April 2014 Beim Jared 2018 Enforcing a Prohibition on International Espionage Chicago Journal of International Law 18 647 672 ProQuest 2012381493 Archived from the original on 22 May 2021 Retrieved 18 
January 2023 Advanced Persistent Threats Learn the ABCs of APTs Part A SecureWorks Archived from the original on 7 April 2019 Retrieved 23 January 2017 Olavsrud Thor 30 April 2012 Targeted Attacks Increased Became More Diverse in 2011 CIO Magazine Archived from the original on 14 April 2021 Retrieved 14 April 2021 An Evolving Crisis BusinessWeek 10 April 2008 Archived from the original on 10 January 2010 Retrieved 20 January 2010 The New E spionage Threat BusinessWeek 10 April 2008 Archived from the original on 18 April 2011 Retrieved 19 March 2011 Rosenbach Marcel Schulz Thomas Wagner Wieland 19 January 2010 Google Under Attack The High Cost of Doing Business in China Der Spiegel Archived from the original on 21 January 2010 Retrieved 20 January 2010 Commander Discusses a Decade of DOD Cyber Power U S DEPARTMENT OF DEFENSE Archived from the original on 19 September 2020 Retrieved 28 August 2020 Under Cyberthreat Defense Contractors Bloomberg com BusinessWeek 6 July 2009 Archived from the original on 11 January 2010 Retrieved 20 January 2010 Understanding the Advanced Persistent Threat Tom Parker 4 February 2010 Archived from the original on 18 February 2010 Retrieved 4 February 2010 Advanced Persistent Threat or Informationized Force Operations PDF Usenix Michael K Daly 4 November 2009 Archived PDF from the original on 11 May 2021 Retrieved 4 November 2009 Anatomy of an Advanced Persistent Threat APT Dell SecureWorks Archived from the original on 5 March 2016 Retrieved 21 May 2012 Gonzalez Joaquin Jay III Kemp Roger L 16 January 2019 Cybersecurity Current Writings on Threats and Protection McFarland p 69 ISBN 978 1 4766 7440 7 Ingerman Bret Yang Catherine 31 May 2011 Top Ten IT Issues 2011 Educause Review Archived from the original on 14 April 2021 Retrieved 14 April 2021 McMahon Dave Rohozinski Rafal The Dark Space Project Defence R amp D Canada Centre for Security Science Contractor Report DRDC CSS CR 2013 007 PDF publications gc ca Archived PDF from the 
original on 5 November 2016 Retrieved 1 April 2021 Outmaneuvering Advanced and Evasive Malware Threats Secureworks Secureworks Insights Archived from the original on 7 April 2019 Retrieved 24 February 2016 EMAGCOMSECURITY 9 April 2015 APT Advanced Persistent Threat Group Archived from the original on 15 January 2019 Retrieved 15 January 2019 a b APT1 Exposing One of China s Cyber Espionage Units Mandiant 2013 Archived from the original on 2 February 2015 Retrieved 19 February 2013 What are MITRE ATT amp CK initial access techniques GitGuardian Automated Secrets Detection 8 June 2021 Archived from the original on 29 November 2023 Retrieved 13 October 2023 Blanchard Ben 19 February 2013 China says U S hacking accusations lack technical proof Reuters Archived from the original on 14 April 2021 Retrieved 14 April 2021 Deibert R Rohozinski R Manchanda A Villeneuve N Walton G 28 March 2009 Tracking GhostNet investigating a cyber espionage network The Munk Centre for International Studies University of Toronto Archived from the original on 27 December 2023 Retrieved 27 December 2023 RicMessier 30 October 2013 GSEC GIAC Security Essentials Certification All McGraw Hill Professional 2013 p xxv ISBN 978 0 07 182091 2 Anatomy of an APT Advanced Persistent Threat Attack FireEye Archived from the original on 7 November 2020 Retrieved 14 November 2020 Threat Intelligence in an Active Cyber Defense Part 1 Recorded Future 18 February 2015 Archived from the original on 20 June 2021 Retrieved 10 March 2021 Threat Intelligence in an Active Cyber Defense Part 2 Recorded Future 24 February 2015 Archived from the original on 27 February 2021 Retrieved 10 March 2021 A Context Centred Research Approach to Phishing and Operational Technology in Industrial Control Systems Journal of Information Warfare www jinfowar com Archived from the original on 31 July 2021 Retrieved 31 July 2021 Mozur Paul Buckley Chris 26 August 2021 Spies for Hire China s New Breed of Hackers Blends Espionage and 
Entrepreneurship The New York Times ISSN 0362 4331 Archived from the original on 27 August 2021 Retrieved 27 August 2021 Stone Jeff 5 October 2020 Foreign spies use front companies to disguise their hacking borrowing an old camouflage tactic cyberscoop com Cyberscoop Archived from the original on 22 March 2021 Retrieved 11 October 2020 Buckeye Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak Symantec 7 May 2019 Archived from the original on 7 May 2019 Retrieved 23 July 2019 APT17 Hiding in Plain Sight FireEye and Microsoft Expose Obfuscation Tactic PDF FireEye May 2015 Archived from the original PDF on 24 November 2023 Retrieved 21 March 2021 a b China Based Threat Actors PDF U S Department of Health and Human Services Office of Information Security 16 August 2023 Archived PDF from the original on 29 December 2023 Retrieved 29 April 2024 van Dantzig Maarten Schamper Erik 19 December 2019 Wocao APT20 PDF fox it com NCC Group Archived from the original PDF on 22 March 2021 Retrieved 23 December 2019 Vijayan Jai 19 December 2019 China Based Cyber Espionage Group Targeting Orgs in 10 Countries www darkreading com Dark Reading Archived from the original on 7 May 2021 Retrieved 12 January 2020 Lyngaas Sean 10 August 2021 Chinese hackers posed as Iranians to breach Israeli targets FireEye says www cyberscoop com Archived from the original on 29 November 2023 Retrieved 15 August 2021 Treasury Sanctions China Linked Hackers for Targeting U S Critical Infrastructure U S Department of the Treasury 19 March 2024 Archived from the original on 25 March 2024 Retrieved 25 March 2024 Lyngaas Sean 16 October 2020 Google offers details on Chinese hacking group that targeted Biden campaign Cyberscoop Archived from the original on 7 May 2021 Retrieved 16 October 2020 Hui Sylvia 25 March 2024 US and UK announce sanctions over China linked hacks on election watchdog and lawmakers Associated Press Archived from the original on 25 March 2024 Retrieved 25 March 2024 
Lyngaas Sean 12 February 2019 Right country wrong group Researchers say it wasn t APT10 that hacked Norwegian software firm www cyberscoop com Cyberscoop Archived from the original on 7 May 2021 Retrieved 16 October 2020 Naraine Ryan 2 March 2021 Microsoft Multiple Exchange Server Zero Days Under Attack by Chinese Hacking Group securityweek com Wired Business Media Archived from the original on 6 July 2023 Retrieved 3 March 2021 Burt Tom 2 March 2021 New nation state cyberattacks blogs microsoft com Microsoft Archived from the original on 2 March 2021 Retrieved 3 March 2021 Gatlan Sergiu 19 July 2021 US and allies officially accuse China of Microsoft Exchange attacks Bleeping Computer Archived from the original on 25 March 2024 Retrieved 25 March 2024 Double Dragon APT41 a dual espionage and cyber crime operation FireEye 16 October 2019 Archived from the original on 7 May 2021 Retrieved 14 April 2020 Bureau names ransomware culprits www taipeitimes com Taipei Times 17 May 2020 Archived from the original on 22 March 2021 Retrieved 22 May 2020 Tartare Mathieu Smolar Martin 21 May 2020 No Game over for the Winnti Group www welivesecurity com We Live Security Archived from the original on 22 March 2021 Retrieved 22 May 2020 Greenberg Andy 6 August 2020 Chinese Hackers Have Pillaged Taiwan s Semiconductor Industry Wired Archived from the original on 22 March 2021 Retrieved 7 August 2020 Nichols Shaun 20 October 2021 LightBasin hackers spent 5 years hiding on telco networks TechTarget Archived from the original on 29 November 2023 Retrieved 8 April 2022 Ilascu Ionut 19 October 2021 LightBasin hacking group breaches 13 global telecoms in two years Bleeping Computer Archived from the original on 24 July 2023 Retrieved 8 April 2022 Sabin Sam 26 October 2022 New pro China disinformation campaign targets 2022 elections Report Axios Archived from the original on 26 October 2022 Retrieved 27 October 2022 Chen Joey 12 May 2020 Tropic Trooper s Back USBferry Attack Targets Air 
gapped Environments blog trendmicro com Trend Micro Archived from the original on 22 March 2021 Retrieved 16 May 2020 Cimpanu Catalin Hackers target the air gapped networks of the Taiwanese and Philippine military ZDnet Archived from the original on 22 March 2021 Retrieved 16 May 2020 Intelligence Microsoft Threat 24 May 2023 Volt Typhoon targets US critical infrastructure with living off the land techniques Microsoft Security Blog Archived from the original on 17 January 2024 Retrieved 26 May 2023 Montalbano Elizabeth 1 September 2020 Pioneer Kitten APT Sells Corporate Network Access Threat Post Archived from the original on 22 March 2021 Retrieved 3 September 2020 APT39 ITG07 Chafer Remix Kitten Group G0087 MITRE ATT amp CK attack mitre org Archived from the original on 30 December 2022 Retrieved 30 December 2022 Crowdstrike Global Threat Report 2020 PDF crowdstrike com 2020 Archived PDF from the original on 14 March 2020 Retrieved 30 December 2020 Kyle Alspach 4 February 2022 Microsoft discloses new details on Russian hacker group Gamaredon VentureBeat Archived from the original on 6 February 2022 Retrieved 22 March 2022 a b Charlie Osborne 21 March 2022 Ukraine warns of InvisiMole attacks tied to state sponsored Russian hackers ZDNet Archived from the original on 22 March 2022 Retrieved 22 March 2022 Warren Mercer Vitor Ventura 23 February 2021 Gamaredon When nation states don t pay all the bills Cisco Archived from the original on 19 March 2022 Retrieved 22 March 2022 Adversary Venomous Bear Threat Actor Crowdstrike Adversary Universe Retrieved 22 March 2022 Warren Mercer Paul Rascagneres Vitor Ventura 29 June 2020 PROMETHIUM extends global reach with StrongPity3 APT Cisco Archived from the original on 22 March 2022 Retrieved 22 March 2022 Equation The Death Star of Malware Galaxy Kaspersky Lab 16 February 2015 Archived from the original on 11 July 2019 Retrieved 23 July 2019 Gallagher Sean 3 October 2019 Kaspersky finds Uzbekistan hacking op because group 
used Kaspersky AV arstechnica com Ars Technica Archived from the original on 22 March 2021 Retrieved 5 October 2019 Panda Ankit Offensive Cyber Capabilities and Public Health Intelligence Vietnam APT32 and COVID 19 thediplomat com The Diplomat Archived from the original on 22 March 2021 Retrieved 29 April 2020 Tanriverdi Hakan Zierer Max Wetter Ann Kathrin Biermann Kai Nguyen Thi Do 8 October 2020 Nierle Verena Schoffel Robert Wreschniok Lisa eds Lined up in the sights of Vietnamese hackers Bayerischer Rundfunk Archived from the original on 22 March 2021 Retrieved 11 October 2020 In Bui s case the traces lead to a group presumably acting on behalf of the Vietnamese state Experts have many names for this group APT 32 and Ocean Lotus are best known In conversations with a dozen of information security specialists they all agreed that this is a Vietnamese group spying in particular on its own compatriots a b c BushidoToken 20 May 2022 Threat Group Naming Schemes In Cyber Threat Intelligence Curated Intelligence Archived from the original on 8 December 2023 Retrieved 21 January 2024 CrowdStrike 2023 Global Threat Report PDF CrowdStrike Archived PDF from the original on 26 March 2024 Retrieved 21 January 2024 Rampant Kitten Thailand Electronic Transactions Development Agency Archived from the original on 29 November 2022 Retrieved 21 January 2024 Lambert John 18 April 2023 Microsoft shifts to a new threat actor naming taxonomy Microsoft Archived from the original on 22 January 2024 Retrieved 21 January 2024 External links editLists of APT groups Mandiant Advanced Persistent Threat Groups MITRE ATT amp CK security community tracked Advanced Persistent Group Pages Retrieved from https en wikipedia org w index php title Advanced persistent threat amp oldid 1222892487, wikipedia, wiki, book, books, library,
