An introduction to targeted attacks


Friday, March 28, 2025

A major information security trend in recent years is the rise in the number of cyberattacks on corporate infrastructures. Many factors are behind this, including the incessant evolution of malware and the methods through which it is distributed, as well as the overall growth of the IT industry. Consequently, attackers have more potential targets, more high-value information to steal, and an encouraging record of successful attacks. This by no means implies that cybercriminals are no longer interested in ordinary users. Large and sophisticated IT ecosystems and ordinary home computers and servers operate according to the same basic principles. So, it's fair to say that no one’s safe in the face of the ever-growing diversity of digital threats and state-of-the-art attack techniques.

If you are interested in information security, you probably have already heard about such concepts as a targeted attack or an APT (Advanced Persistent Threat). They are often mentioned in the media and antivirus vendors’ publications. Although quite a few information-security incidents involving such attacks are known, incident details and the real extent of their actual consequences are seldom revealed to the general public. Scarce information on the topic is one of the main reasons for the lack of distinct criteria that would allow an incident to be classified with certainty as an APT. And that, in turn, makes it easier to use this somewhat obscure notion in various promotional and PR campaigns.

In today's Antivirus Times issue, we'll be talking about targeted attacks and, more specifically, the APT. We will treat these terms as identical and try to understand what kinds of threats fall within this category. Of course, an ordinary home user is unlikely to ever get directly embroiled in an attack like that. However, being aware of the hazard and knowing what threat actors are capable of can still be beneficial for our readers. In addition, as you’ll see below, the aftermath of targeted attacks can definitely affect a vast number of people from various walks of life.

What is an APT?

The abbreviation APT emerged in the mid-2000s as a broad term encompassing a specific threat category and is said to have originated with the U.S. Department of Defense. Back then, APT referred to out-of-the-ordinary IT incidents and cyberespionage campaigns that could pose a national security threat. Over time, the mass media embraced the term to describe particularly notorious cybersecurity attacks against high-profile targets (such as Google), and then information security experts adopted it as well.

It is also worth mentioning that the term emerged much later than the phenomenon itself. So, what are advanced persistent threats considered to be today? One of the most common definitions describes an APT as a premeditated attack of great sophistication that usually involves long-term covert activities undertaken by a threat actor in a compromised infrastructure. Such attacks are usually mounted for the purposes of data theft, cyberespionage, or sabotaging a target information system with the goal of damaging a victim's reputation or disrupting an organisation's operation. APT attacks are often conducted with long-term goals in mind and involve complex and often unique malware that secretly penetrates an infrastructure and performs destructive actions. In addition, an APT is also associated with careful planning and the availability of considerable resources—that include both finances and extensive cybercrime expertise.

Over time, the term APT also came to mean some horrendously grandiose, cryptic, catastrophic and inescapable scourge that can only be fended off by using a specific solution offered by a certain company. Simply put, corporate marketing teams played their part in shaping APT's notoriety. Note that although sophisticated targeted attacks do occur, the integrity of a specific infrastructure depends more on the willingness of the company's information security team to implement preventive protective measures than on the severity of the potential threat.

Information is available on the Web about well-known targeted attacks on large companies and even government organisations, and these attacks often have APT attributes. Doctor Web's virus laboratory also investigates information security incidents, and some are classified as targeted attacks. In a number of cases, we describe the unusual features of such incidents in our publications, without compromising the attack target’s confidentiality. This review, for example, describes a fortunate incident when a targeted attack failed. Sometimes companies ask for help after a breach has already happened. Our researchers have also dealt with cases when threat actors were able to maintain their foothold in corporate infrastructures for years before any signs of intrusion were discovered.

Targeted attacks are usually considered separately from other network attacks on corporate and public organisations. We’ve already mentioned that attacks on businesses are a relatively recent trend. The more common incidents may involve any company whose infrastructure appears vulnerable or seems potentially profitable. These attacks are often one-time events and require no long-term preparations or sophisticated techniques to succeed. Cybercriminals may use the most basic and readily available tools they can get on the black market and act as a small group, or sometimes even a lone criminal can do all the work. In such cases, intruders are mostly interested in financial gains. A targeted attack, on the other hand, is not exactly a routine event. As a rule, industrial or even national security espionage is the attack's primary objective, and targets are never picked randomly. Currently, several dozen APT crime rings, with their distinct MOs, tools, and preferred objectives, are known across the world. The real scale of the threat is unknown; incident details and their consequences are rarely published by media outlets for obvious reasons. At the same time, information security researchers and antivirus vendors participating in these investigations often share important data with each other so that similar incidents can be avoided in the future and users remain well protected. In the course of an investigation, analysts usually also share relevant IoCs (Indicators of Compromise). IoCs include such forensic data as malware definitions, command and control server IP addresses, and the domain names associated with a specific attack. This data helps security professionals analyse suspicious files or network activity in an organisation and check whether its infrastructure has come under a similar attack.
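The paragraph above describes how shared IoCs (malware hashes, C&C server addresses and associated domain names) let a security team check its own infrastructure for signs of a similar attack. The following added example, which is not part of the original article and uses only constructed IoC values and constructed proxy log lines, shows the simplest form of that check: matching file hashes and outbound connections against an IoC set, including subdomains of a listed domain and log lines that fail to parse.

```python
import hashlib
import re

# Constructed IoC set in the three forms the article names: a malware file hash,
# C&C server IP addresses and associated domain names. Every value is made up
# for this example (TEST-NET addresses, .example domains).
IOC_SHA256 = {hashlib.sha256(b"constructed-starter-module").hexdigest()}
IOC_C2_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS = {"update-cdn.example", "mail-relay.example"}

# Constructed proxy log: time, client IP, method, host, destination IP, status.
SAMPLE_PROXY_LOG = """\
2025-03-28T09:12:01Z 10.0.4.21 GET www.example.org 93.184.216.34 200
2025-03-28T09:12:09Z 10.0.4.21 POST api.update-cdn.example 203.0.113.45 200
2025-03-28T09:13:44Z 10.0.7.5 GET intranet.corp.local 10.0.1.10 200
2025-03-28T09:15:02Z 10.0.7.5 GET cdn.mail-relay.example 198.51.100.7 302
garbage line that does not parse
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def domain_matches(host: str) -> bool:
    """True for an IoC domain itself or any subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_proxy_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every line whose host or dest IP is a known IoC."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the whole scan
        _, _, _, host, dst_ip, _ = m.groups()
        reasons = []
        if domain_matches(host):
            reasons.append(f"domain {host}")
        if dst_ip in IOC_C2_IPS:
            reasons.append(f"c2-ip {dst_ip}")
        if reasons:
            hits.append((line, reasons))
    return hits


def file_is_known_sample(data: bytes) -> bool:
    """Compare a file's SHA-256 against the shared malware hash list."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256
```

A hit on a hash or a C&C address is a reason to start an investigation, not proof of compromise on its own; the context of the connection and the file still has to be examined.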

Targeted attack scenarios

Targeted attacks can follow the most diverse patterns, but they're almost always carried out in stages. An attack starts with the careful preparation needed to compromise a specific target. Bad actors can collect information about the organisation's infrastructure, employees, the software used, or even internal regulations. Indeed, attacks of this kind aren't always limited to meddling with networks and devices. To conduct their reconnaissance and gather intelligence, perpetrators may resort to social engineering techniques and pose as job applicants, employees, or partner representatives. It's an important step in determining the optimal penetration method and the infrastructure's point of ingress.

Oddly enough, in order to compromise the first node in a target network, threat actors often resort to phishing. Of course, they don't act at random, but engage in spear phishing. Thanks to the preliminary intelligence they have gathered, the attackers can employ their well-designed social engineering tricks with great effectiveness. To that end, they often send a spear phishing email to a specific employee or group.

Exploiting lesser-known software, operating system and hardware loopholes, or even a zero-day vulnerability is another option. This method is also based on intelligence data about the target organisation's infrastructure and the software it uses. Finding and exploiting zero-day vulnerabilities requires a lot of effort and substantial financial investments, but as noted above, APT crime rings have the required resources at their disposal.

Sometimes bad actors opt for supply chain attacks in order to get to their target's network. They attack the target’s partners, suppliers or contractors to infiltrate the target via their infrastructures. This approach can be very effective as many companies rely on third-party services and products to conduct their business operations. Threat actors use this method to find an ingress point via a less protected network. Information about weaker links in the chain and how they can be used is also part of the intelligence data. Attackers modify a certain product or service and use a scheduled regular update to deploy a backdoor.

Naturally, cybercriminals can combine multiple methods and techniques and duplicate them to improve their chances for success. Their main goal is to smuggle a malicious starter module into the organisation's network and lure a user into running it. The attackers’ subsequent steps include hiding their presence, gaining a foothold in the infrastructure, and advancing consistently through the network.

The starter module is usually a trojan downloader or other malware that conceals and deploys the remaining malicious payload on a device in the network. It’s important to note that APT attacks typically involve sophisticated malware that criminals often design and develop themselves with a specific infrastructure in mind. That’s why conventional antivirus tools may prove to be powerless against such unique designs, especially if they rely solely on signature-based detection. For example, some known APT-related trojan samples take advantage of system services to get downloaded and then spoof legitimate DLL files to subsequently reside only in RAM. There exist complex multicomponent trojan and backdoor modifications that can download additional plugins for specific destructive tasks when given the corresponding command from their C&C (command and control) servers. Analysing and debugging such malicious samples is also complicated because virus makers use various code obfuscation techniques. However, thoroughly examining them helps determine how the trojans operate and enables security professionals to assess the potential damage the samples can inflict.

After the initial infiltration, the trojan takes steps to ensure that it can persist and operate reliably in the system and advance further to other endpoints. As we've already mentioned, at this stage, the trojan is able to receive commands from a C&C server, download additional malicious modules, scan the network, and maintain its covert operation. Attackers always provide a trojan with a self-destruct option, the ability to run in idle mode, and other features it can implement to stay hidden. The ultimate goal is to get to specific devices in the network and the data they store. And situations when an organisation's domain controller gets compromised by bad actors are considered to be particularly dangerous. Gaining access to this node effectively gives attackers free rein in the infrastructure.

Is there a way to minimise risks?

Protecting against targeted attacks is a complex issue, and many of its aspects are beyond the scope of this introductory publication. Of course, targeted attacks don’t endanger ordinary users directly. But, as you know, there is always a beginning for everything. Most employees of victimised companies are by no means information security experts. Some of them are ordinary users who may be picked as targets for supply chain attacks. However, even spear phishing relies on everyday tricks that anyone can recognise and resist. And sometimes an attack's success doesn't even hinge on the APT crime ring’s astounding technical prowess. More often than not, the real reason behind a successful breach is slack corporate security. In our AVT issues, we often emphasise the importance of taking a comprehensive approach to information security. That includes all aspects—from protecting personal data to creating backups and configuring home routers properly. As trite as it sounds, protecting oneself effectively against targeted attacks involves relying on the same basic principles, but it requires a much more detailed approach. That's why it's so difficult to strike a good balance and impose the necessary protective restrictions without paralysing an organisation's operation.

Let’s conclude this publication by diverging from targeted attacks to remind ourselves of threats that are more common to any organisation. It is essential that companies have a well-established information security policy for protecting their infrastructures; conduct security training sessions for their employees; and promote information security basics for everyday work. This applies to any desktop or laptop user accessing information over the network, especially employees who are authorised to work with sensitive data. Role-based access control, minimising privileges, and dividing a local network into multiple segments are basic sound practices that aren't as commonplace as they should be. It’s also quite obvious that whether it be antivirus software running on all network nodes or solutions for monitoring and responding quickly to incidents, security software is a must-use.

The Anti-virus Times recommends

Never forget that when it comes to information security, everyone’s awareness and competence matters. Targeted attacks pose a threat not only to businesses and government organisations. Their consequences can affect ordinary users as personal data or other sensitive information can be leaked or the operation of vital social institutions can be disrupted. Any organisation's security should begin with ensuring the protection of its staff members’ home devices.

  1. So, as always, follow information security basics and use a reliable antivirus.
  2. Create strong passwords and enable two-factor authentication to keep your data and account credentials safe.
  3. Don’t forget to update your apps and operating systems to promptly patch known vulnerabilities.
  4. Keep up with the latest developments and news related to cyberattacks and malware outbreaks so that you can promptly respond to emerging threats and assess potential risks.
  5. Doctor Web has developed its Dr.Web FixIt! tool—a cloud-based service—to help organisations remotely diagnose devices and investigate incidents. Organisations use it to thoroughly analyse the security of their Windows devices, eliminate identified threats, and patch vulnerabilities. To find out more, check out this page.
  6. We also recommend that all users of our corporate antivirus solution Dr.Web Enterprise Security Suite take advantage of its very useful additional module—Dr.Web Application Control. It allows users to control the launch of any application on protected desktops and laptops according to a variety of criteria. You can find more detailed information about this component here.
