APT hackers and malware are more widespread and sophisticated than ever. For some professional hackers working for either relevant industries or nation-states, their main task is to gain access to confidential information, inject destructive code, or place hidden backdoor programs to allow them to sneak into the target network or computer at will.
Most APTs use custom code for their activities. However, they prefer to use known vulnerabilities, at least initially. When their activities are noticed, this makes it harder for the victim to recognize that it is an APT attack rather than a run-of-the-mill hacker or malware program. Because APT hackers use different techniques than regular hackers, they also leave different traces. Crucially, any of these traces could be part of legitimate actions within any organization, but their unexpected nature or volume may indicate an APT attack.
APT hackers often install backdoor Trojan programs on compromised computers. This way, they ensure that they can get in again and again, even if the captured credentials have been changed and the victim is tipped off. Another feature: once detected, APT hackers do not disappear like normal attackers. Why should they? The computers around you belong to them. Nowadays, Trojans deployed through social engineering are a common way to get attacked.
Late night logins
APTs quickly escalate from compromising a single computer to taking over multiple computers or the entire environment in just a few hours. They do this by mining an authentication database, stealing credentials, and reusing them. They find out which user accounts have elevated privileges and permissions, and then go through those accounts to compromise resources within the environment. Often, a large number of logins with elevated privileges then occur at night because the attackers live on the other side of the world.
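The pattern just described (privileged credentials reused against many machines in a short burst, outside working hours) can be checked mechanically. The following is an added example, not code from the original article: it parses a constructed set of logon records and flags privileged accounts that fan out to several hosts within a few minutes while outside the assumed business hours. The log format, host names, account names and the 07:00 to 20:00 working window are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of interactive-logon records, not taken from any real system.
# Format: "<ISO timestamp>,<account>,<target host>,<privileged: yes|no>"
SAMPLE_AUTH_LOG = """\
2024-03-04T09:12:41,alice,WS-101,no
2024-03-04T09:15:02,svc_backup,SRV-DB01,yes
2024-03-04T10:03:19,bob,WS-114,no
2024-03-04T02:41:07,da_admin,WS-101,yes
2024-03-04T02:42:15,da_admin,SRV-FS02,yes
2024-03-04T02:43:50,da_admin,SRV-DB01,yes
2024-03-04T02:44:31,da_admin,SRV-MAIL,yes
2024-03-04T23:58:09,carol,WS-120,no
2024-03-04T03:10:00,svc_backup,SRV-DB01,yes
"""

# Assumed local working hours; anything outside counts as "late night" here.
BUSINESS_HOURS = range(7, 20)


def parse_auth_log(text):
    """Turn the CSV-style sample into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, host, privileged = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "host": host,
            "privileged": privileged == "yes",
        })
    return events


def off_hours_privileged_logins(events, window_minutes=15, min_hosts=3):
    """Return {account: {...}} for privileged accounts that log on outside
    BUSINESS_HOURS to at least `min_hosts` distinct hosts within `window_minutes`.

    Requiring fan-out across hosts (not just an off-hours timestamp) is what
    separates credential reuse spreading through the environment from a
    backup job that legitimately runs at night.
    """
    by_account = defaultdict(list)
    for e in events:
        if e["privileged"] and e["time"].hour not in BUSINESS_HOURS:
            by_account[e["account"]].append(e)

    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if (e["time"] - start["time"]).total_seconds() > window_minutes * 60:
                    break
                hosts.add(e["host"])
            if len(hosts) >= min_hosts:
                findings[account] = {"first_seen": start["time"], "hosts": sorted(hosts)}
                break
    return findings


if __name__ == "__main__":
    for account, info in off_hours_privileged_logins(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{account}: off-hours privileged fan-out from {info['first_seen']} to {info['hosts']}")
```

In the sample, `svc_backup` also logs on at night but to a single server, so it is not reported unless `min_hosts` is lowered; `da_admin` touches four machines in under four minutes at 02:41 and is. In practice the working window and thresholds should come from each account's own history rather than a fixed range.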
Unplanned information flows
Particular attention should be paid to large, unexpected flows of data from internal origination points to other internal computers or to external computers. This can be from server to server, server to client, or network to network. These data flows can also be small but targeted, such as when someone is checking email from abroad. Any email client should show where the last user logged in to retrieve the email and where the last message was retrieved.
This has become more difficult because much of today’s traffic is encrypted, by VPNs or by HTTP over TLS (HTTPS). Although this was rarely the case in the past, many organizations now block or intercept all previously undefined and unauthorized HTTPS traffic by deploying a security inspection device at a network chokepoint.
The device “unpacks” the HTTPS traffic by substituting its own TLS certificate and acting as a proxy, pretending to be the other side of the communication for both the source and the destination. It decrypts and inspects the traffic and re-encrypts the data before forwarding it to the original destination. Organizations that do not take this step will miss exfiltration hidden inside encrypted traffic. Of course, to detect a potential APT attack, it is necessary to know what the data streams look like before the environment is compromised.
Unsuspected data bundles
APT hackers often bundle the stolen data at internal collection points before transporting it outside. Therefore, pay special attention to large data bundles (gigabytes, not megabytes) that show up in places where this data should not normally be, especially if it is compressed into archive formats that the organization does not normally use.
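A hunt for such bundles should not trust file extensions, since a staged archive is easily renamed to something innocuous. The following added example (not code from the original article) walks a directory tree, identifies archives by their leading signature bytes, and reports any that exceed a size threshold, escalating when the format is one the organization does not normally use or the extension hides the real format. The approved-format set, the 1 GiB threshold and the sample tree (built with sparse files so it costs no disk) are assumptions constructed for the example.

```python
import os
import tempfile

# Archive signatures matched on the first bytes of a file, so a renamed
# archive (e.g. "report.dat") is still recognised.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
}
EXT_TO_FORMAT = {".zip": "zip", ".7z": "7z", ".rar": "rar", ".gz": "gzip", ".tgz": "gzip"}

# Assumption for this example: the organization only uses zip and gzip archives.
APPROVED_FORMATS = {"zip", "gzip"}
ONE_GIB = 1 << 30


def sniff_archive(path):
    """Return the archive format name for `path` by file signature, or None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, name in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def scan_for_bundles(root, min_bytes=ONE_GIB, approved_formats=APPROVED_FORMATS):
    """Walk `root` and report archives of at least `min_bytes`.

    Every hit is reported ("large_archive"); a format the organization does
    not normally use, or an extension that hides the real format, adds a
    reason and raises the severity.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            if size < min_bytes:
                continue
            fmt = sniff_archive(path)
            if fmt is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            reasons = ["large_archive"]
            if fmt not in approved_formats:
                reasons.append("unapproved_format")
            if EXT_TO_FORMAT.get(ext) != fmt:
                reasons.append("extension_mismatch")
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "format": fmt,
                "size": size,
                "reasons": reasons,
                "severity": "high" if len(reasons) > 1 else "review",
            })
    return sorted(findings, key=lambda f: f["path"])


def _write_sparse(path, magic, size):
    """Create a file that reports `size` bytes but only stores the magic header (sparse)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(magic)
        fh.truncate(size)


def build_sample_tree(root):
    """Constructed file tree standing in for a file server; no real data."""
    _write_sparse(os.path.join(root, "shares", "finance", "backup.zip"), b"PK\x03\x04", 2 * ONE_GIB)
    _write_sparse(os.path.join(root, "Windows", "Temp", "~tmp0412.dat"), b"Rar!\x1a\x07\x00", 3 * ONE_GIB)
    _write_sparse(os.path.join(root, "Users", "Public", "update.log"), b"7z\xbc\xaf\x27\x1c", ONE_GIB + ONE_GIB // 2)
    _write_sparse(os.path.join(root, "Windows", "Temp", "small.rar"), b"Rar!\x1a\x07\x00", 4 << 20)
    with open(os.path.join(root, "shares", "finance", "notes.txt"), "w") as fh:
        fh.write("quarterly notes\n")


def run_demo():
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_for_bundles(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['severity']}] {f['path']} {f['format']} {f['size'] // ONE_GIB} GiB {f['reasons']}")
```

The finance share's 2 GiB zip is reported for review only (right format, plausible location), whereas a 3 GiB RAR posing as `~tmp0412.dat` under a temp directory and a 7z archive named `update.log` are rated high: wrong format for the organization and an extension chosen to blend in. The small `.rar` stays below the threshold and is ignored, matching the text's "gigabytes, not megabytes".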
Targeted spear phishing campaigns
One of the best indicators is targeted spear-phishing email campaigns against an organization’s employees using document files (for example, Adobe Acrobat PDFs, MS Office Word, MS Office Excel XLS, or MS Office PowerPoint PPTs) with executable code or malicious URL links. This is the original trigger for the vast majority of all APT attacks.
The key sign is that the attacker’s phish email is not sent to everyone in the organization, but to a more selective audience of high-level individuals (for example, CEO, CFO, CISO, or project manager) within the organization, often using information that could only be learned by intruders who had previously compromised other team members.
The emails may be fake, but they contain keywords that relate to real internal projects and issues currently underway. Instead of a generic “Hello, read this!” phishing topic, they contain something that is highly relevant to an ongoing project, for example, and comes from another team member on the project.
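The indicators in this section (a document lure, a deliberately small circle of senior recipients, a real project name in the subject, and a sender who appears to be a colleague but is not) can be scored together at the mail gateway. The block below is an added example, not code from the original article: it groups constructed inbound messages into campaigns by attachment digest and flags only those that are narrowly aimed at high-value mailboxes and sent by an impostor (a display name from the internal directory on an external address, or a look-alike domain within edit distance 2). The domains, directory, executive list, project names and digests are all constructed for the example.

```python
import os
import re
from collections import defaultdict

# All values below are constructed for the example (domains, people, digests).
INTERNAL_DOMAINS = {"example-corp.com"}
DIRECTORY = {  # display name -> real internal address
    "Dana Reyes": "dana.reyes@example-corp.com",
    "HR Team": "hr@example-corp.com",
}
HIGH_VALUE = {"ceo@example-corp.com", "cfo@example-corp.com",
              "ciso@example-corp.com", "pm.falcon@example-corp.com"}
INTERNAL_PROJECTS = {"falcon", "kestrel"}
LURE_EXTENSIONS = {".pdf", ".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm", ".rtf"}

# Constructed gateway metadata, one inbound message per line:
# id|From display name|From address|recipient|subject|attachment name|attachment digest
SAMPLE_MAIL = """\
m01|Dana Reyes|dana.reyes@examp1e-corp.com|ceo@example-corp.com|Project Falcon - revised budget|Falcon_budget_v3.docm|a1
m02|Dana Reyes|dana.reyes@examp1e-corp.com|cfo@example-corp.com|Project Falcon - revised budget|Falcon_budget_v3.docm|a1
m03|Dana Reyes|dana.reyes@examp1e-corp.com|ciso@example-corp.com|Project Falcon - revised budget|Falcon_budget_v3.docm|a1
m04|HR Team|hr@example-corp.com|all-staff@example-corp.com|Benefits enrolment reminder|benefits.pdf|b2
m05|Payroll|noreply@mailer.example.net|alice@example-corp.com|Your invoice is ready|invoice.pdf|c3
m06|Payroll|noreply@mailer.example.net|bob@example-corp.com|Your invoice is ready|invoice.pdf|c3
m07|Payroll|noreply@mailer.example.net|carol@example-corp.com|Your invoice is ready|invoice.pdf|c3
m08|Dana Reyes|dana.reyes@example-corp.com|ceo@example-corp.com|Project Falcon status|Falcon_status.pdf|d4
"""


def levenshtein(a, b):
    """Edit distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_mail(text):
    keys = ("id", "display", "sender", "rcpt", "subject", "attachment", "digest")
    return [dict(zip(keys, line.split("|"))) for line in text.strip().splitlines()]


def sender_indicators(display, sender):
    """Indicators that an external sender is posing as a colleague."""
    domain = sender.rsplit("@", 1)[1].lower()
    if domain in INTERNAL_DOMAINS:
        return []
    inds = []
    if DIRECTORY.get(display, "").rsplit("@", 1)[-1] in INTERNAL_DOMAINS:
        inds.append("display_name_impersonates_insider")
    if any(0 < levenshtein(domain, d) <= 2 for d in INTERNAL_DOMAINS):
        inds.append("lookalike_domain")
    return inds


def find_targeted_campaigns(messages, max_recipients=5, min_high_value_share=0.5):
    """Group messages by attachment digest and flag campaigns that are both
    narrowly aimed at high-value recipients and sent by an impostor."""
    by_digest = defaultdict(list)
    for m in messages:
        by_digest[m["digest"]].append(m)

    campaigns = {}
    for digest, msgs in by_digest.items():
        first = msgs[0]
        if os.path.splitext(first["attachment"])[1].lower() not in LURE_EXTENSIONS:
            continue  # only document lures, per the indicator described in the text
        recipients = sorted({m["rcpt"] for m in msgs})
        inds = []
        hv_share = len(set(recipients) & HIGH_VALUE) / len(recipients)
        if len(recipients) <= max_recipients and hv_share >= min_high_value_share:
            inds.append("selective_high_value_recipients")
        words = set(re.findall(r"[a-z0-9]+", first["subject"].lower()))
        if words & INTERNAL_PROJECTS:
            inds.append("references_internal_project")
        sender_inds = sender_indicators(first["display"], first["sender"])
        inds.extend(sender_inds)
        if "selective_high_value_recipients" in inds and sender_inds:
            campaigns[digest] = {"subject": first["subject"],
                                 "recipients": recipients, "indicators": inds}
    return campaigns


if __name__ == "__main__":
    for digest, c in find_targeted_campaigns(parse_mail(SAMPLE_MAIL)).items():
        print(f"campaign {digest}: {c['subject']!r} -> {c['recipients']} {c['indicators']}")
```

Only the `a1` campaign is flagged: three executives, a macro-enabled Word file, a subject naming a live project, and a "Dana Reyes" whose address domain is one character off the real one. The broad "Your invoice" mailing to ordinary staff and the genuine internal Falcon status mail from the real Dana Reyes are both left alone, which is the distinction the text draws between generic phishing and targeted spear phishing.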