
Advanced Persistent Threats. A Recent Overview.



Advanced Persistent Threats are on the rise. The main characteristics of APTs are that they are usually very sophisticated, extremely stealthy, and continuously present. The goal of an APT is to remain inside a system for a prolonged period without being detected. Data exfiltration is often the main objective. Classified state information, highly valuable critical infrastructure data, and intellectual property are among the most common targets.

The resources and skills required for this kind of attack are usually only within the reach of nation-states, and more often than not, targeted at high-level players, such as other countries or large corporations. If data theft is the objective of a nation-state, it is best to be stealthy, in order to maintain access for as long as possible, without setting off alarms on a network. Remote access trojans are often utilised to retain backdoor access over the long term.

Advanced Persistent Threats are often highly strategic. In 2020, Kaspersky detailed the most significant targets. Governments, military, financial institutions, energy, and IT companies were the most notable examples.

Small and medium targets are not safe from such attacks either. Advanced persistent threats are sometimes levelled at smaller, less secure targets as stepping stones, in order to get access to larger parties. Multiple backdoors are often created by malicious actors to retain access, even after the owners of a resource believe they have eradicated the problem.

Malware analysis is greatly impeded when code is obfuscated and headers are stripped from payloads, making it more difficult to extract and analyse samples. Generic malware is often a first step that facilitates a more serious and stealthy attack. This was observed in 2020 with new ransomware attacks, where less harmful malware was initially employed as a means to gain a foothold inside the network. This will continue to be a growing trend in APT attacks.

In 2020, it was announced by the Australian Government that they had uncovered a large-scale attack on public and private sector groups, carried out by a highly sophisticated and well-equipped state-based actor. It was widely reported that the prime suspect, in this case, was China. They targeted various essential service providers, along with governmental bodies and operators of essential infrastructure. Diplomatic relations have been highly strained between the two countries in recent years.

The more recently reported SolarWinds attack is reported to have infiltrated at least ten U.S. government departments and to have hit Microsoft and FireEye, to name just a few. The previously unknown group behind this high-profile attack has been named DarkHalo. The Sunburst malware was used to initially infect many other targets via the SolarWinds platform. This APT had been launched months before it was discovered. In line with the modus operandi of these types of attacks, persistence was maintained, and other forms of malware and data exfiltration tools were used to gather as much intelligence as possible. Keyloggers and password stealers were also employed as part of this campaign. The U.S. Treasury and Justice Department, along with Microsoft, were among the organisations hit by this attack.

The prognosis is stark for 2021. Highly disruptive attacks will continue at the nation-state level, and critical infrastructure may well be impacted negatively. As home working continues into 2021, the attack surface for potential intrusions will only grow. VPN gateways and other network appliances, as well as IoT devices, will inevitably be targeted in order to gain an initial foothold. As 5G becomes increasingly dominant, new attacks will emerge on the network as more and more devices connect to it. It has also been predicted that criminal groups involved in ransomware attacks will try to copy some of the more advanced techniques being utilised by nation-states.


1 Comment

Guest
Dec 12, 2023

great article


© bitbybitsecure 2025
