Skip to content Skip to navigation Skip to footer

What is an Advanced Persistent Threat (APT)?

Advanced Persistent Threat Definition and Examples

An advanced persistent threat (APT) refers to an attack that continues, secretively, using innovative hacking methods to access a system and stay inside for a long period of time. Typical attackers are cyber criminals, like the Iranian group APT34, the Russian organization APT28, and others. Although they can come from all over the world, some of the most notable attackers come from Iran, other areas of the Middle East, and North Korea.

Understanding what APT is also involves knowing their targets. APT attackers have been known to go after countries and the large organizations within, as well as large corporations, to exfiltrate information, gradually and systematically, over long stretches of time before withdrawing. The time spent within an organization’s IT system is known as “dwell time.” 

Many other types of cyberattackers have very short dwell times because they focus on getting in and out quickly. APT attackers have significantly longer dwell times, while they either chip away at accomplishing their objectives or wait for the right moment to get what they want. During the waiting period, they may study security systems and adjust their approach accordingly.

Often, these attackers focus on organizations or companies in the United States or other developed countries. Even though they may go after high-value targets, attackers often try to gain access to them using smaller companies or organizations that the targets use to do business. This may include companies along their supply lines or organizations they partner with to further their objectives.

APT attackers tend to hone in on gaining intelligence or other vital information to damage a larger system, exploit or make an organization look bad, or gain a competitive advantage.

What Makes APTs Advanced?

While a traditional cyberattacker may use fairly simple, straightforward methods, such as deploying a Trojan or relatively simple malware, APT attackers use more advanced techniques. For example, they may:

  1. Use elaborate espionage tactics involving multiple actors to penetrate an organization step by step. Getting behind the organization’s firewalls can take dozens of steps and happen over a series of several months or longer.
  2. Gain access to a network through an easy entry point like its email system and then plant malware. The malware examines and evaluates the network, as well as its security system, in search of vulnerabilities. The malware can also act like an agent itself, waiting for a command that instructs it to launch a wave of malicious code.

What Makes APTs Persistent?

APT threats are persistent in two ways:

  1. They are determined to attain specific goals by attacking certain targets. This is different from random cyber threats that attack a wide range of organizations, hoping to stumble on one with a weak security system.
  2. Once they gain entry, they remain for long periods of time while either waiting for an opportune moment or gradually extracting information.

What Makes APTs a Threat?

Like all threats, APTs are dangerous because they have both the ability and intent to cause harm. They are:

  1. Well-orchestrated operations powered by humans determined to obtain an objective. This makes the threat more tangible than those posed by random programs floating around the internet.
  2. Well-funded because those employing the attackers place a high value on a successful attack or extraction of information.

APT Groups and Attackers

APT attacks can be launched by a single person or by a larger group. In some cases, the attack is performed by a government-sponsored agency. They typically focus on attacking an organization’s ability to operate efficiently or achieve its objectives. They could also aim to gain intelligence that can be used to either harm the target or further the group’s—or their employer’s—mission.

It is important to note that even small and midsize businesses have to take precautions. Organizations in all major business sectors have been targeted. The advantage an attack sponsor may gain over a business or within a market segment is often well worth the price they pay for an APT attack.

Here are some of the more high-profile attacks over the past 10 years:

  1. Sony was targeted by North Korea’s Lazarus Group because they made a movie that made their leader, Kim Jong-un, look bad.
  2. The United States' National Security Agency (NSA) was targeted in 2010 in connection with Iran’s nuclear program.
  3. U.S. presidential hopeful, Hillary Clinton, had her 2016 election campaign targeted by the group Fancy Bear. The U.S. Department of Justice has accused Russia of being behind Fancy Bear’s infiltration.

Attack Vectors

Threats typically enter a network, often gaining entry using web-based systems, networks, or humans who have access to the system. For this reason, it is important for an organization to make sure any systems connected to the internet or an internal network are adequately secured. Also, all employees, clients, and executives with access to anything connected to the IT system need to undergo multi-factor identity checks before they are allowed to get into an organization’s system.

Thoroughly vetting individuals is particularly critical because of cyber espionage tactics like social engineering. This is when attackers trick people into giving them access to a network, bypassing the systems that security teams set up to keep them out.

Cyber espionage can also incorporate human intelligence. When cyber criminals leverage human intelligence, they target someone with access to a system and recruit them, spy on the organization to steal access credentials, or use someone to infiltrate the organization. This enables them to report out information that makes penetration easier.

Attackers first get inside the system by installing malware. This provides them access to the network and the ability to control the system remotely. They then establish a secure connection to their external command-and-control system. Once they are connected, they may mask their activity by using encryption or rewriting code. In this way, they can escape notice for months—or even years.

Stages of an APT Attack

APT attacks are performed systematically, according to progressive, interdependent steps.

5 stages of an APT Attack

Gain Access

To get inside the system, cyber criminals often use infected files, junk email, a vulnerable app, or a weak spot on the network.

Establish a Foothold

Attackers plant malware that enables them to set up a network of tunnels and backdoors that allow them to navigate within the system without being detected. The malware can also help them cover their tracks by rewriting code.

Deepen Access

After attackers get inside, they may compromise passwords to access administrator rights. They then use these to manipulate more aspects of the system and obtain greater access.

Move Laterally

Once they are fully inside, attackers may try to move around to other areas of the network, such as servers and other devices. They may also expand the attack, gaining and then deepening access in connected areas.

Look, Learn, Remain

While inside the system, attackers can closely examine how it works as well as where it is vulnerable. Once they have done this, it is easy to grab the information they need. They can then remain in the system until they achieve their goal—or stay inside without any plans of ever exiting.

APT Security

To detect APT attacks and protect systems from them, an organization must implement a multipronged approach.

Security Measures

There are several options open to companies that wish to make their network safer from APT attacks.

Traffic Monitoring

Closely monitoring all inbound and outbound traffic can help prevent APT attackers from getting inside and installing the backdoors they need to gain deeper access. This can be done using a next-generation firewall (NGFW) deployed at the edge of the network. The firewall can examine all ingress and egress traffic, as well as employ filters to detect specific types of attacks.


Whitelisting involves designating a specific set of applications or domains as safe. Only traffic coming from the applications and domains on the list is allowed into the network.

Access Control

Controlling who is allowed to access the network and how can be a powerful tool in preventing APT attacks. The first step is determining who needs access. Then you make sure each user goes through a multi-factor authentication (MFA) process before being allowed entry. Not only does this limit the number of potential attackers, but if the system is compromised, it is also easier to narrow down the source of the problem.

Security Tools

One of the most effective security tools against APT are NGFWs. These filter network traffic, only allowing approved data to go in and out of a system. Through carefully designed packet filtering, they can identify attacks, malware, and additional threats.

Another effective method of preventing attacks is a sandbox solution. When a sandbox protocol is implemented, a specific application is confined to an isolated environment. There, the suspicious object’s behavior is analyzed, while the other systems are protected from its malicious programming. If the suspicious application executes harmful code, only the sheltered, secluded sandbox would be affected.

Advanced Persistent Threat (APT): Market Forecast For The Next 5 Years

The COVID-19 pandemic opened many doors for malicious actors. Malicious emails increased by 600% since it started, ransomware samples increased by 72% during, and over 6 of 10 companies suffered a ransomware attack in 2020. Cyberthreats continued to rise in 2021 and even further in 2022. In fact, attacks in the first half of 2022 rose by 42% compared to the same period in 2021.

APTs also became a bigger cybersecurity issue following the outbreak. Many APT criminal groups started using coronavirus-based phishing scams to gain access to enterprise systems and then launch highly damaging cyberattacks. In 2022, the geopolitical situation in Ukraine and its resultant global upheaval has led to increased APT-related activity. During the year, multiple cybercriminal groups from Russia, China, and the Middle East have leveraged APT methods to weaponize new technologies at scale and attack both traditional and new attack surfaces.

Organizations are more aware of the potential harmful impact of APTs and are therefore scaling up investments in APT protection solutions. The market for these solutions has grown substantially in the post-COVID era. In 2021, it was valued at about $6 billion and grew to $7.4 billion in 2022. Demand will increase further as state-sponsored APT groups adopt newer attack vectors and more sophisticated tools.

By 2027, market value will cross $20 billion, representing a CAGR of 22.35% in the 2022 – 2027 period. The demand for Security Information and Event Management (SIEM) platforms, Intrusion Prevention Systems (IPS), sandboxing, and next-generation firewalls (NGFWs) will be particularly high; these providers will play a key role in the market in the next five years. Moreover, standard cybersecurity detection tools will no longer be adequate to detect and address sophisticated APTs, so a new type of dynamic and specially-drafted defense mechanism called advanced persistent security (APS) will become more popular.

How Fortinet Can Help

FortiGate Next-Generation Firewalls (NGFWs) fight APTs with ultra-fast, high-performance protection that does not degrade network performance. It delivers consistent defense in real time with FortiGuard Services. The FortiGuard Inline Sandbox Service holds suspicious files on the FortiGate without performance impact. These files are only released after analysis. FortiGate is the foundation for the Fortinet Security Fabric, which enables organizations to integrate security functions like authentication, access control, and multi-cloud security across the enterprise. 

One key to fighting APTs is access to real-time intelligence and insight into how an attacker got into the network, whether they are still there, and what is needed to address the attack. FortiGuard Incident Response Services deliver these capabilities through experts that have decades of direct experience in attack forensics and threat response.


What is an advanced persistent threat attack?

An advanced persistent threat (APT) refers to an attack that continues, secretively, using innovative hacking methods to access a system and stay inside for a long period of time.

What is an example of an advanced persistent threat?

Here are some of the more high-profile attacks over the past 10 years:

  1. Sony was targeted by North Korea’s Lazarus Group because they made a movie that made their leader, Kim Jong-un, look bad.
  2. The United States' National Security Agency (NSA) was targeted in 2010 in connection with Iran’s nuclear program.
  3. U.S. presidential hopeful, Hillary Clinton, had her 2016 election campaign targeted by the group Fancy Bear. The U.S. Department of Justice has accused Russia of being behind Fancy Bear’s infiltration.