Rob Behnke
January 10th, 2023
APT stands for Advanced Persistent Threat and refers to a threat actor with the resources necessary to pose a sustained threat to an organization. Often, APTs are sponsored by nation-states or organized crime, which provide them with the resources required to attract and train top talent and to develop or acquire sophisticated tools. These APTs will typically carry out attacks to support the goals of their sponsors, such as stealing intellectual property (IP) or disrupting business amongst their enemies.
APTs are the most sophisticated threat actors in the cyber threat landscape. They often develop their own malware and have their own set of hacking tools and a team of specialists.
APTs also typically have their preferred methods of gaining access to a target environment. For example, some APTs might carry out phishing attacks designed to trick the recipient into clicking on a malicious link or opening an infected attachment. Others take advantage of vulnerabilities in an organization’s remote work infrastructure, using guessed or breached user credentials to log in via VPNs or RDP.
APT attacks are commonly attributed to a particular group based on the combination of the malware used and the techniques used to deploy it. Some groups have their own custom malware that is only used by them, while others may use the same tools as other groups. Groups also differ in their choice of targets, attack techniques, and other factors. This means that, while the attribution of a cyberattack is never guaranteed to be correct, it is possible to identify the group behind an attack with high confidence.
APTs target organizations in a variety of different sectors and locations. As DeFi and other crypto projects become more visible, they are increasingly targeted by APT attacks.
The attack on deBridge is an example of an attack that was attributed to an APT, the Lazarus Group, based on the details of the attack. In this case, the attackers used a phishing attack to deliver a password-protected PDF and a malicious file claiming to contain the password.
Opening the password file infected the computer with malware that sent information about the infected computer to attacker-controlled servers and could have allowed the attacker to run any malicious code that they wanted on the infected computer.
This attack was attributed to the APT based on the fact that the Lazarus Group previously performed a phishing attack using a different malicious file with the same names. While not guaranteed, this provides a strong indication that the two attacks were performed by the same group.
APTs are sophisticated cyber threat actors, and, given enough motivation, resources, and time, they could likely breach any organization. However, in most cases, they use the same tools and techniques as other cybercriminals to carry out their attacks.
This means that organizations can largely protect themselves against attacks by APTs by following cybersecurity best practices. For example, the attack against deBridge was unsuccessful because the deBirdge team had a strong anti-phishing program so team members knew not to open the suspicious file. Similarly, using strong passwords and protecting your computer with a strong, up-to-date antivirus can block many APT attacks.
For more information about protecting your project against APTs and other cyber threats, reach out to our Web3 security experts at halborn@protonmail.com.