Advanced Persistent Threat (APT)

Bart Lenaerts-Bergmans - February 28, 2023

What is an Advanced Persistent Threat?

An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time. An APT attack is carefully planned and designed to infiltrate a specific organization, evade existing security measures and fly under the radar.

Executing an APT attack requires a higher degree of customization and sophistication than a traditional attack. Adversaries are typically well-funded, experienced teams of cybercriminals that target high-value organizations. They’ve spent significant time and resources researching and identifying vulnerabilities within the organization.

The goals of APTs fall into four general categories:

  • Cyber Espionage, including theft of intellectual property or state secrets
  • eCrime for financial gain
  • Hacktivism
  • Destruction

Modern Adversaries and Evasion Techniques

86% of eCrime actors us evasion techniques to bypass AV software. Learn how legacy antivirus is an easy target for adversaries and techniques they use that legacy AV can’t stop.

Download Now


What are the 3 Stages of an APT Attack?

To prevent, detect and resolve an APT, you must recognize its characteristics. Most APTs follow the same basic life cycle of infiltrating a network, expanding access and achieving the goal of the attack, which is most commonly stealing data by extracting it from the network.


Stage 1: Infiltration

In the first phase, advanced persistent threats often gain access through social engineering techniques. One indication of an APT is a phishing email that selectively targets high-level individuals like senior executives or technology leaders, often using information obtained from other team members that have already been compromised. Email attacks that target specific individuals are called “spear-phishing.”

The email may seem to come from a team member and include references to an ongoing project. If several executives report being duped by a spear-phishing attack, start looking for other signs of an APT.

Stage 2: Escalation and Lateral Movement

Once initial access has been gained, attackers insert malware into an organization’s network to move to the second phase, expansion. They move laterally to map the network and gather credentials such as account names and passwords in order to access critical business information.

They may also establish  a “backdoor” — a scheme that allows them to sneak into the network later to conduct stealth operations. Additional entry points are often established to ensure that the attack can continue if a compromised point is discovered and closed.

Stage 3: Exfiltration

To prepare for the third phase, cybercriminals typically store stolen information in a secure location within the network until enough data has been collected. They then extract, or “exfiltrate” it without detection. They may use tactics like a denial-of-service (DoS) attack to distract the security team and tie up network personnel while the data is being exfiltrated. The network can remain compromised, waiting for the thieves to return at any time.

Learn More

Want to stay up to date on recent adversary activities? Stop by the Research and Threat Intel Blog for the latest research, trends, and insights on emerging cyber threats.Research and Threat Intel Blog

Characteristics of an APT Attack

Since advanced persistent threats use different techniques from ordinary hackers, they leave behind different signs. In addition to spear-phishing campaigns that target organization leaders, symptoms of an advanced persistent threat attack include:

  • Unusual activity on user accounts, such as an increase in high-level logins late at night
  • Widespread presence of backdoor Trojans
  • Unexpected or unusual data bundles, which may indicate that data has been amassed in preparation for exfiltration
  • Unexpected information flows, such as anomalies in outbound data or a sudden, uncharacteristic increase in database operations involving massive quantities of data

Advanced Persistent Threat Examples

CrowdStrike currently tracks well over 150 adversaries around the world, including nation-states, eCriminals and hacktivists.

Here are some notable examples of APTs detected by CrowdStrike:

  • GOBLIN PANDA (APT27) was first observed in September 2013 when CrowdStrike discovered indicators of attack (IOAs) in the network of a technology company that operates in multiple sectors. This China-based adversary uses two Microsoft Word exploit documents with training-related themes to drop malicious files when opened. Read our full APT profile on Goblin Panda.
  • FANCY BEAR (APT28), a Russia-based attacker, uses phishing messages and spoofed websites that closely resemble legitimate ones in order to gain access to conventional computers and mobile devices. Read our full APT Group Profile on Fancy Bear.
  • Cozy Bear (APT29) is an adversary of Russian-origin, assessed as likely to be acting on behalf of the Foreign Intelligence Service of the Russian Federation. This adversary has been identified leveraging large-volume spear phishing campaigns to deliver an extensive range of malware types as part of an effort to target political, scientific, and national security entities across a variety of sectors. Read our full APT Group Profile on Cozy Bear.
  • Ocean Buffalo (APT32) is a Vietnam-based targeted intrusion adversary reportedly active since at least 2012. This adversary is known to employ a wide range of Tactics, Techniques, and Procedures (TTPs), to include the use of both custom and off-the-shelf tools as well as the distribution of malware via Strategic Web Compromise (SWC) operations and spear phishing emails containing malicious attachments.
  • HELIX KITTEN (APT34) has been active since at least late 2015 and is likely Iran-based. It targets organizations in aerospace, energy, financial, government, hospitality and telecommunications and uses well-researched and structured spear-phishing messages that are highly relevant to targeted personnel. Read the full APT Profile on HELIX KITTEN.
  • Wicked Panda (APT41) has been one the most prolific and effective China-based adversaries from the mid 2010s into the 2020s. CrowdStrike Intelligence assesses Wicked Panda consists of a superset of groups involving several contractors working in the interests of the Chinese state while still carrying out criminal, for-profit activities, likely with some form of tacit approval from CCP officials. Read the full APT profile on WICKED PANDA.

2023 Threat Hunting Report

In the 2023 Threat Hunting Report, CrowdStrike’s Counter Adversary Operations team exposes the latest adversary tradecraft and provides knowledge and insights to help stop breaches. 

Download Now

How do you Protect Against APT Attacks?

There are many cybersecurity and intelligence solutions available to assist organizations in better protecting against APT attacks. Here are some of the best tactics to employ:

  • Sensor Coverage. Organizations must deploy capabilities that provide their defenders with full visibility across their environment to avoid blind spots that can become a safe haven for cyber threats.
  • Technical Intelligence. Leverage technical intelligence, such as indicators of compromise (IOCs), and consume them into a security information and event manager (SIEM) for data enrichment purposes. This allows for added intelligence when conducting event correlation, potentially highlighting events on the network that may have otherwise gone undetected.
  • Service Provider. Partnering with a best-of-breed cybersecurity firm is a necessity. Should the unthinkable happen, organizations may require assistance responding to a sophisticated cyber threat.
  • A Web Application Firewall (WAF) is a security device designed to protect organizations at the application level by filtering, monitoring and analyzing hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) traffic between the web application and the internet.
  • Threat Intelligence. Threat intelligence assists with threat actor profiling, campaign tracking and malware family tracking. These days, it is more important to understand the context of an attack rather than just knowing an attack itself happened, and this is where threat intelligence plays a vital role.
  • Threat Hunting. Many organizations will find the need for 24/7, managed, human-based threat hunting to accompany their cybersecurity technology already in place.

CrowdStrike’s Advanced Threat Protection: The Importance of Speed

The most essential concept in cybersecurity today is speed. To defend yourself, you must be faster than your adversary. At CrowdStrike, we use breakout time to assess a threat actor’s operational sophistication and estimate the speed with which a response is required.

Breakout time is how long an intruder takes to start moving laterally within a network after gaining access. It’s a critical metric for tracking how fast adversaries can operate and for evaluating a security team’s detection and response times.

Falcon Insight endpoint detection and response (EDR), another essential piece of the Falcon platform,  looks for IOAs to stop attacks before data is lost. The CrowdStrike Adversary Intelligence solution aids incident investigations and speeds breach response by seamlessly integrating automated threat intelligence and custom indicators into endpoint protection. Combined with the expertise of the global CrowdStrike Falcon® Intelligence™ team, the Falcon platform allows organizations of any size to respond more quickly and get ahead of the next APT attack.


Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.