Fortinet Blog | News and Threat Research

APT 102: A New Kind Of Threat

by Stefanie Hoffman  |  September 27, 2012  |  Category: Industry Trends & News

It’s a rare month that the term Advanced Persistent Threat doesn’t grace the news headlines, attached to malware wreaking havoc on nuclear facilities, Iranian intelligence agencies and international banking systems. In recent months, APT has taken center stage and been drilled into our everyday vernacular, as researchers continue to discover new and increasingly sophisticated threats one after the other. And like sequels to a blockbuster movie, each successor seems bigger and badder, with more special effects.

The metaphor isn’t too far from the truth. For many, APTs are dramatic and spectacular, but on par with a video game or a cinematic fantasy. They appear to target far-off governments, weapons manufacturers and multinational corporations. They carry stealthy espionage capabilities that put James Bond, Jason Bourne and Ethan Hunt of Mission Impossible to shame. They are terrifying and seemingly invincible, but surely nothing with any direct bearing on our daily lives. In short, they seem a million miles away. Right?

In a previous blog post, we established the definition of an APT and what users can do to protect themselves. As a follow-up, we’ll focus on the characteristics APTs share, and on how they may be closer than you think, using insights provided by FortiGuard threat researcher Raul Alvarez.

While they often carry vastly different capabilities and are aimed at different targets, APTs do share a few common characteristics, according to Alvarez.

Attacker: For one, they are all attributed to a dedicated attacker with deep pockets—that is to say, a group, organization or government agency, as opposed to an individual. The reason? These attacks are costly and time-consuming, requiring a great deal of expertise to research, plan and execute. It stands to reason, then, that APTs are usually traced back to a well-funded organization that can provide the necessary backing and dedicate the time and resources to plan and carry out the operation.

Target: For all of the painstaking effort, the attackers want a solid return on their investment. Unlike mass malware campaigns, in which attackers hope to reach as many victims as possible, an APT has a specific target in mind, and one that will almost certainly provide a lucrative return.

Goal: To that end, APT attacks are executed with an intended, mission-specific purpose—and the goals go well beyond lifting credit card numbers or pilfering personally identifiable information. Most are intent on stealthily accessing highly sensitive information such as trade secrets, medical histories, blueprints, intellectual property, military secrets and other classified data. The aim can also be outright destructive: sabotaging nuclear facilities, governments and critical infrastructure.

With those characteristics in mind, here are a few recent examples of the most destructive and sophisticated threats seen to date:

Stuxnet: The granddaddy of APTs, Stuxnet made headlines in 2010 as a then-unprecedented threat (its earliest known variants date back to 2009) after targeting Iran’s uranium enrichment program. It gained its initial foothold on Windows machines by exploiting four Microsoft zero-day vulnerabilities, among them a flaw in the handling of .LNK shortcut files that let it spread from infected USB drives.

However, what distinguishes this threat from others is that infecting programs or computers was only a means to an end: its sole purpose was to take control of the Siemens Programmable Logic Controllers (PLCs) used in industrial facilities, which it reached through the Windows-based SCADA (Supervisory Control And Data Acquisition) and engineering software that monitors and programs those PLCs.

Flame: Discovered in May 2012, this malware secured its place in the history books as the most complex threat found to date, making Stuxnet look like the “I Love You” virus by comparison.

Yet unlike Stuxnet, which went after industrial control systems, this piece of mega-malware falls into the category of a cyberespionage APT, replete with sophisticated capabilities that include recording audio, taking screenshots, gathering documents and system data, communicating with Command and Control servers, and fingerprinting the security products installed on the victim machine.

The threat also differentiates itself in what it does with that fingerprint: before it actually infects a system, it checks the installed software against a list of known security products, and it adjusts its installation to avoid the antivirus software and other security applications that could detect its presence.

That said, at the time of writing, security programs that can actually identify Flame are few and far between. And because the malware modulates its own behavior according to what it finds on the machine, behavioral monitoring has also fallen short in detecting it.

Gauss: While this latest APT is, at heart, a banking Trojan, it uncannily shares code and design characteristics with Flame, leaving many researchers convinced that both threats come from the same organization or nation state.

Gauss is modular, and the components found on infected machines vary from system to system; among them is a browser plug-in that harvests online banking credentials, cookies and browsing history.

Thus far, there have been no reported incidents of money actually being stolen with Gauss. Unlike the notorious Zeus banking Trojan, which exists to drain accounts, Gauss appears to carry little risk of monetary theft. Instead, researchers have concluded that it was created to monitor the financial transactions of specific, targeted individuals.

While researchers are all but certain that these APTs were intended for high-profile overseas targets, the fact that their code has turned up on machines well outside those targets shows that such threats are far from containable, and could spread to the banking and power systems the average individual depends on. With that in mind, concluding that APTs can’t and don’t affect everyday users is, at best, misguided. Users will need to stay wary and apply their security know-how to the best of their abilities, including the use of up-to-date antimalware, firewalls and other security mechanisms, lest they become the next victim.
