What is an Advanced Persistent Threat (APT)?


When most people think of a cyber attack, they think of it as a one-time transfer. A hacker figures out a way into your system, starts downloading important documents and information, and then leaves. However, it’s not always so simple.

Not every cyber threat ends after an initial attack, even when the first attempt is unsuccessful. A cyberattack against a well-organized system can take time and money to accomplish. They’re usually organized by groups, commonly known as APT groups.

What is an Advanced Persistent Threat (APT) and what should you look for to fend them off?

APT Definition

An advanced persistent threat is a cyberattack wherein criminals work together to steal data or infiltrate systems over a longer period of time. In most cases, these attacks are performed by nation-states seeking to undermine another government.

Whereas other cyberattacks such as malware and phishing schemes work in a matter of days, an APT can take place over months or even years.

APT groups are formed to tackle more difficult challenges, but they’re not as expensive as you’d imagine. In fact, the cost of APT attacks was reported in 2019 to be as low as $15,000. The most expensive aspect of these attacks is for commercial penetration testing tools which help them find vulnerabilities within systems and networks.

Motives behind an APT attack can be for financial gains, like other types of cyberattacks, but they’re also used for political espionage purposes. As you’d expect, governments tend to have the most secure systems, and as a result, require an extended and sophisticated attack.

Advanced Persistent Threat Examples

Not every APT follows the same methodology or has the same motivations. The most well-known groups usually work with some political intent, but they all use criminal methods to accomplish their objectives.


One of the first and most historically prominent examples of an APT is Stuxnet, which was designed to target Iran’s nuclear program. Although it was discovered in 2010, it is thought to have been in development since 2005.

At the time of discovery, Stuxnet was a 500-kilobyte computer worm that infected the software of over 14 industrial sites in Iran. It targeted Microsoft Windows machines and spread on its own. The result was Iran losing almost one-fifth of its nuclear centrifuges.

Wicked Panda

A more recent example of an APT cyber threat is Wicked Panda, which has been one of the most prolific China-based adversaries in the past decade. They work in the interests of the Chinese State as well as performing for-profit attacks.

How an APT Attack Works

An APT attack begins with infiltration. Hackers typically infiltrate using web assets, network resources, phishing emails, authorized human users etc.. Once they’re inside, the hacker installs a backdoor shell that allows them to gain access to the victim’s system whenever they want..

Next, an APT attack will seek to expand its presence and try to compromise staff members with access to valuable data. Once they’ve gathered enough information, hackers will mask their extraction with a DDoS attack or some other form of distraction.

Key Characteristics of Advanced Persistent Threats

APT Groups use different techniques than the other hackers your systems are designed to stop. Here are some advanced persistent threat characteristics that you should keep an eye out for.

Odd Log-Ins After Hours

A first sign of an advanced persistent threat can be an increase in elevated logins late at night. APTs can compromise an entire environment in just a few hours by making use of accounts with higher access and permissions.

Since these hackers use accounts with more permissions, you can also check in with your different departments to monitor when their executives are accessing the network. It should be easy to identify when an outside user is accessing your information.

Returning Hackers

Hackers will also install backdoor Trojan programs to ensure they have a way back into your system if one of their entry points is compromised.

If you’ve identified multiple attacks of a similar type over a longer period of time, it’s most likely an APT cyber attack.

Intercepted Email

APT threats are also known to cause unexpected information flows, such as an email getting intercepted by another computer. Some cloud email systems track where messages are accessed from, but not all of them do.

You might also notice spear-phishing emails, which are sent to upper-management employees who may inadvertently allow a hacker access.

Other Strange Activity

Any time you notice something out of the norm, it may be an APT. This could include sudden increases in data usage or a slowdown in your server.

Tracking threats and unusual system behavior is an essential part of bolstering your cybersecurity. Create a baseline of normal behaviors so you can easily identify any outliers.

How SentinelOne Can Help

The best way to deal with APT cyber threats is with proper detection and security measures. This approach involves network administrators, security providers, and a proactive security solution.

SentinelOne proactively resolves threats in real-time. Our AI-powered models identify malware and ransomware binaries before they can hit you. We can also build critical context for proactive real-time detection and response that can protect your systems from advanced persistent threats.

WatchTower, one of our services, extends your visibility and actionability specifically against novel attacker techniques. Get relevant and timely insights delivered as they come up, and stay ahead of the attackers.

Augment Your Security Operations

Cyber threats are advancing and improving every day. The difference between an APT threat and other threats is that they improve their tactics as they’re infiltrating your system. Let them lie in wait too long and your entire system will be compromised.

The solution, then, is to track an advanced persistent threat and catch them before they gain access to more secure parts of your database. SentinelOne can provide intelligence-driven hunting, day-to-day MDR SOC augmentation, and incident response.

Reach out to us today to learn more about how we can help protect your systems.