
APT

An Advanced Persistent Threat - a long-term, targeted cyber operation conducted by a highly skilled actor, often state-affiliated.

What is an APT?

APT (Advanced Persistent Threat) is a category of cyber threats characterised by three features:

Advanced - the attacker has sophisticated tools and capabilities, can develop zero-day exploits and evade security systems.

Persistent - the operation lasts weeks, months or years, with the attacker maintaining access to the victim’s network and pursuing long-term objectives.

Threat - the operation is backed by an organised actor with a specific goal and motivation.

APT groups are often linked to state intelligence or military services. Examples include APT28/Fancy Bear (Russia/GRU), APT41 (China), Lazarus Group (North Korea) and Equation Group (USA/NSA). Their objectives span industrial espionage, political espionage, critical infrastructure sabotage and information operations.

A typical APT attack progresses through phases: reconnaissance, initial compromise (often spear phishing), establishing a foothold (persistence), privilege escalation, lateral movement, and finally data exfiltration or sabotage. An APT group may be present in the victim’s network for months before detection - or may never be detected at all.

Why does it matter?

Organisations in the energy, defence, financial and technology sectors are particularly exposed to APT operations. Defence against APTs requires a multi-layered approach: threat intelligence on active groups, mature detection and response processes, network segmentation, vulnerability management and regular exercises such as red teaming or TLPT (threat-led penetration testing).
