6 Tell-Tale Signs of APT Attacks
Protect your users and your business from Advanced Persistent Threat (APT) attacks by spotting these red flags and taking action before the hackers do.
When it comes to cyberattacks, advanced persistent threats (APT attacks) are probably the most pernicious. Hackers aren’t interested in low-hanging fruit in an advanced persistent threat scenario. Instead, they compromise your system over a period of time. This allows them to funnel out a steady flow of data and cause long-term damage. APT attacks can lead to identity theft, business impersonation, or embezzlement.
Typically, the purpose of an APT attack is to cause destruction rather than benefit the hacker.
In 2020, APT attacks were rare. Today, there are 153 active APT groups that target government agencies, financial institutions, and healthcare service providers. COVID-19, cyber warfare, cyber espionage, and the ease of access to cloud services have led to increased nation-state activity from APT groups, often targeting essential services.
Understanding the signs of an ongoing APT attack before it snowballs into an irreversible situation is vital. Fortunately, as these attacks take place over a prolonged period of time and involve multiple threat actors, you will see clear warning signals early on.
Warning Signals of an APT Attack
1. The network is regularly used to access unusual domains
No matter how many domains you whitelist, corporate networks are inevitably used by employees to access non-work-related websites and online assets. However, there is a difference between acceptable veering from protocol and genuinely suspicious activity. Logins to unusual domains – for example, unknown e-commerce sites, websites hosted in a different country, and uncommon domain extensions like .xyz, .gg, or .run – are something to watch for.
Set up a network monitoring process so that you get real-time notifications of unusual browsing behavior. Analyze access logs to pinpoint trends in the rise of unusual access.
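One way to run the access-log analysis described above, as an added example that is not part of the original article: the log format, the domain allowlist and the list of "unusual" top-level domains are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Flag accesses to unusual domains in a constructed proxy access log.

Added example for this article; not code from the original page. The log
format, domain allowlist and 'unusual' TLD list below are assumptions
chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <user> <destination domain>".
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice mail.example.com
2024-03-04T09:15:44 bob intranet.example.com
2024-03-04T10:02:10 alice cdn.vendor-updates.net
2024-03-04T11:48:33 carol shop-deals-now.xyz
2024-03-05T08:30:12 bob intranet.example.com
2024-03-05T13:07:59 carol dl-node7.gg
2024-03-05T13:08:02 carol dl-node7.gg
2024-03-06T02:14:20 dave sync-relay.run
2024-03-06T09:00:00 alice mail.example.com
"""

# Assumed allowlist of business domains and TLDs considered unusual for this network.
KNOWN_DOMAINS = {"mail.example.com", "intranet.example.com", "cdn.vendor-updates.net"}
UNUSUAL_TLDS = {"xyz", "gg", "run"}


def parse_log(text):
    """Parse log lines into (timestamp, user, domain) tuples; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, domain = line.split()
        records.append((datetime.fromisoformat(ts), user, domain.lower()))
    return records


def tld_of(domain):
    """Return the last label of a domain name ('shop.xyz' -> 'xyz')."""
    return domain.rsplit(".", 1)[-1]


def flag_unusual(records):
    """Return accesses that are not allowlisted, tagged with the reason.

    Each flagged entry is (timestamp, user, domain, reason).
    """
    flagged = []
    for ts, user, domain in records:
        if domain in KNOWN_DOMAINS:
            continue
        if tld_of(domain) in UNUSUAL_TLDS:
            flagged.append((ts, user, domain, "unusual-tld"))
        else:
            flagged.append((ts, user, domain, "not-allowlisted"))
    return flagged


def daily_unusual_counts(flagged):
    """Count flagged accesses per calendar day so a rising trend is visible."""
    counts = Counter(ts.date().isoformat() for ts, _, _, _ in flagged)
    return dict(sorted(counts.items()))


def users_by_unusual_domain(flagged):
    """Map each flagged domain to the sorted list of users that reached it."""
    by_domain = defaultdict(set)
    for _, user, domain, _ in flagged:
        by_domain[domain].add(user)
    return {d: sorted(u) for d, u in by_domain.items()}


if __name__ == "__main__":
    hits = flag_unusual(parse_log(SAMPLE_LOG))
    for ts, user, domain, reason in hits:
        print(f"{ts.isoformat()} {user:6} {domain:22} {reason}")
    print("per day:", daily_unusual_counts(hits))
    print("who:", users_by_unusual_domain(hits))
```

The per-day counts are what you would feed into the trend view the article recommends; the per-domain user map tells you whether one workstation or several are reaching the same odd host, which matters more than the single access.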
2. Your total storage capacity is inexplicably shrinking
In an APT attack, hackers will often assemble the data they have collected over a period of time before deciding to transfer it out of their system. This creates data bundles that aren’t visible but will impact your storage capacity. This can present itself in several ways. A partition might be showing a specific number of GB/TB in storage capacity, but when you calculate the total file size inside it, there is a significant gap between the two numbers. Or, capacity shrinkage can be caused by an entire partition that suddenly disappears – this is easy to overlook, as it does not impede regular system functioning, but acts as a storage point while criminals stockpile data.
The best way to preempt this is by providing user awareness training so that employees are cyber aware and can regularly check on their systems’ vital signs.
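A concrete version of the "vital signs" check described in this section, as an added example that is not part of the original article: it sums the sizes of the files actually visible under a mount point and compares that with what the filesystem reports as used. The sample tree is constructed in a temporary directory, and the 10% discrepancy threshold is an assumption.

```python
"""Compare a volume's reported usage with the sum of visible file sizes.

Added example for this article, not code from the original page. The
sample tree is constructed in a temporary directory; the discrepancy
threshold is an assumed tuning point.
"""
import os
import shutil
import tempfile


def sum_file_sizes(root):
    """Walk root and add up the size of every regular file (symlinks skipped)."""
    total = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            total += os.lstat(path).st_size  # lstat: do not follow links
    return total


def unexplained_bytes(reported_used, visible_total):
    """Bytes the filesystem says are used that no visible file accounts for."""
    return max(reported_used - visible_total, 0)


def is_suspicious(reported_used, visible_total, ratio=0.10):
    """True when more than `ratio` of used space is unaccounted for.

    Filesystem metadata, journals and deleted-but-still-open files legitimately
    explain a few percent; the 10% default is an assumption to tune per system.
    """
    if reported_used == 0:
        return False
    return unexplained_bytes(reported_used, visible_total) / reported_used > ratio


def build_sample_tree():
    """Create a constructed directory with files of known sizes (2048 + 1024 bytes)."""
    root = tempfile.mkdtemp(prefix="apt-storage-check-")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "report.bin"), "wb") as fh:
        fh.write(b"\0" * 2048)
    with open(os.path.join(root, "notes.bin"), "wb") as fh:
        fh.write(b"\0" * 1024)
    return root


def check_volume(mount_point):
    """Compare the volume mounted at `mount_point` with the files visible under it.

    Pass the mount point itself, not a subdirectory, or the comparison is
    meaningless because disk_usage() reports the whole volume.
    """
    usage = shutil.disk_usage(mount_point)
    visible = sum_file_sizes(mount_point)
    return {"reported_used": usage.used, "visible": visible,
            "unexplained": unexplained_bytes(usage.used, visible),
            "suspicious": is_suspicious(usage.used, visible)}


if __name__ == "__main__":
    root = build_sample_tree()
    print("visible bytes under sample tree:", sum_file_sizes(root))
    # 3 GiB reported used against 1 GiB of visible files: worth investigating.
    print("suspicious:", is_suspicious(3 * 2**30, 1 * 2**30))
    shutil.rmtree(root)
```

Run `check_volume("/")` (or the drive root on Windows) with sufficient privileges to read every directory, otherwise unreadable directories inflate the "unexplained" figure; a partition that has vanished from the mount table will not show up here at all and has to be caught by comparing the current partition list with a known-good baseline.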
3. Slow performance persists despite OS reinstallation
Today, OS reinstallation and an end-to-end system reboot have become significantly simpler due to OTT software delivery via the cloud. If a system exhibits slow performance for a prolonged period (due to a minor virus and system clutter, or at least that’s what’s assumed), you might reinstall the OS and furnish the user with a seemingly fresh system environment. Persistent slow performance after two or more reinstallations is a clear indication of APT.
APT tactics are so pernicious that they can interfere with your system’s firmware, making it near-impossible to remove. Ideally, you should retire the system in such cases, with any mission-critical data backed up to a sandbox environment.
4. Trusted publisher-verified executables are slightly larger in size
APT groups and attack designers often use credible channels to penetrate your system (in addition to phishing attempts, but more on that later). For example, an executable file that appears to be signed by a trusted provider like Microsoft might contain a virus or malicious macro code. This technique is called steganography, where a threat actor uses an ordinary, non-secret file as a shell to hide malware using code signing technology.
While attacks disguised inside verified executables are hard to spot, the file size should be a telltale sign. Cross-check the attributes of your downloaded file or update through different channels, websites, and colleagues to ensure only legitimate installations occur.
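The cross-check described above, as an added example that is not part of the original article: a downloaded file is compared against a reference manifest obtained through a second channel, first on size (the telltale sign the article names) and then on SHA-256, which also catches tampering that preserves the size. The manifest format and the sample payloads are constructed; the reference digest is that of the 3-byte string "abc".

```python
"""Cross-check a downloaded file's size and SHA-256 against a reference manifest.

Added example, not code from the original page. The manifest format and the
sample payloads are constructed; in practice the manifest would come from an
independent channel (vendor page, package index, a colleague's copy).
"""
import hashlib
import os
import tempfile

# Constructed reference manifest: "<sha256 hex>  <size in bytes>  <filename>".
# The digest is SHA-256 of the constructed 3-byte payload b"abc".
REFERENCE_MANIFEST = """\
# sha256                                                            size  name
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  3  installer.exe
"""


def parse_manifest(text):
    """Return {filename: (sha256_hex, size)} from the manifest text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, size, name = line.split()
        entries[name] = (digest.lower(), int(size))
    return entries


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, manifest, name=None):
    """Check size first (cheap), then the digest; report the first mismatch."""
    name = name or os.path.basename(path)
    if name not in manifest:
        return {"ok": False, "reason": "not-in-manifest"}
    want_digest, want_size = manifest[name]
    have_size = os.path.getsize(path)
    if have_size != want_size:
        return {"ok": False, "reason": "size-mismatch",
                "expected": want_size, "actual": have_size}
    if sha256_of_file(path) != want_digest:
        return {"ok": False, "reason": "hash-mismatch"}
    return {"ok": True, "reason": "verified"}


def write_sample(content, name="installer.exe"):
    """Write constructed bytes to a temporary file and return its path."""
    directory = tempfile.mkdtemp(prefix="apt-verify-")
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    manifest = parse_manifest(REFERENCE_MANIFEST)
    for payload in (b"abc", b"abcd", b"abd"):
        print(payload, verify_download(write_sample(payload), manifest))
```

Only the size check maps directly onto the sign the article describes; a digest from a second source is what turns "slightly larger" into a definite answer, and a signature check with the platform's own tooling (for example `signtool verify` on Windows) should accompany it rather than replace it.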
5. Phishing attacks are frequent and obvious
Interestingly, this is one sign of an APT attack that is easy to spot and equally easy to ignore. Phishing has become almost par for the course when communicating online, and most users are likely to discard an obvious phishing email without paying too much attention. However, when there are several phishing emails sent to your workforce in a short time, it could be a sign of a concerted attack and not standalone attempts.
The best way to address this is by making it easier to report phishing emails and making it mandatory. Employees must immediately report any suspicious email they receive, no matter how innocuous or crude it may seem. IT decision-makers can plot phishing trends across several weeks or months and understand if there is a trend indicative of a larger attack.
6. You find yourself quarantining backdoor Trojans more often
Backdoor Trojans are a specific type of malware that gives hackers remote access to your computer. Even if the user changes their login credentials, the Trojan stays on, allowing hackers to send and receive commands without physical access to your system. A similar technique is pass-the-hash (PtH), where the hacker captures the password hash instead of its actual characters to trick a computing system into initiating a session. IT professionals should promptly remove or quarantine any backdoor Trojans and PtH tools. The downside is that you need to do it frequently.
If using automated virus scanning and quarantine solutions, analyze the logs to detect any rise in backdoor Trojans/PtH numbers. Also, train users to be wary of executables so that Trojans aren’t inadvertently activated through installations.
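Both the phishing-trend plotting in sign 5 and the rise in quarantine numbers in sign 6 come down to the same question: is this week's count out of line with the weeks before it? The following added example (not code from the original article) buckets a constructed event log by ISO week and flags the latest week when it exceeds a multiple of the median of the earlier weeks. The event categories, the 1.5x factor and the minimum count of 3 are assumptions.

```python
"""Bucket phishing reports and backdoor/PtH quarantine events by ISO week and
flag a rise against the prior baseline.

Added example for the phishing-frequency and quarantine-frequency sections;
not code from the original page. The event log, the 1.5x threshold and the
minimum count are constructed assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed event log: (date, category). The categories are the two signals
# the article describes: user-reported phishing and AV quarantine of backdoor/PtH tools.
EVENTS = [
    (date(2024, 1, 2), "phishing-report"),
    (date(2024, 1, 9), "phishing-report"),
    (date(2024, 1, 10), "quarantine-backdoor"),
    (date(2024, 1, 16), "phishing-report"),
    (date(2024, 1, 17), "phishing-report"),
    (date(2024, 1, 23), "phishing-report"),
    (date(2024, 1, 24), "quarantine-backdoor"),
    (date(2024, 1, 29), "phishing-report"),
    (date(2024, 1, 30), "phishing-report"),
    (date(2024, 1, 31), "phishing-report"),
    (date(2024, 2, 1), "phishing-report"),
    (date(2024, 2, 1), "quarantine-backdoor"),
    (date(2024, 2, 2), "phishing-report"),
    (date(2024, 2, 2), "quarantine-backdoor"),
    (date(2024, 2, 2), "quarantine-backdoor"),
]


def week_key(d):
    """ISO year and week of a date, e.g. 2024-01-02 -> '2024-W01'."""
    year, week, _ = d.isocalendar()
    return f"{year}-W{week:02d}"


def weekly_counts(events, category):
    """Count events of one category per ISO week, filling empty weeks with 0.

    Weeks with no events must appear as zeros, otherwise the baseline is
    inflated and a real rise is hidden.
    """
    counts = defaultdict(int)
    for d, cat in events:
        if cat == category:
            counts[week_key(d)] += 1
    first = min(d for d, _ in events)
    last = max(d for d, _ in events)
    monday = first - timedelta(days=first.weekday())
    series = {}
    while monday <= last:
        series[week_key(monday)] = counts.get(week_key(monday), 0)
        monday += timedelta(days=7)
    return series


def detect_rise(series, factor=1.5, min_count=3):
    """Flag the most recent week if it exceeds factor x median of earlier weeks.

    Returns (flagged, latest_week, latest_count, baseline). min_count stops a
    single event in a quiet period from tripping the alarm.
    """
    weeks = list(series.items())
    if len(weeks) < 2:
        latest_week, latest = weeks[-1] if weeks else (None, 0)
        return (False, latest_week, latest, 0.0)
    latest_week, latest = weeks[-1]
    baseline = median([c for _, c in weeks[:-1]])
    flagged = latest >= min_count and latest > baseline * factor
    return (flagged, latest_week, latest, baseline)


if __name__ == "__main__":
    for category in ("phishing-report", "quarantine-backdoor"):
        series = weekly_counts(EVENTS, category)
        print(category, series)
        print("  ->", detect_rise(series))
```

The median baseline is deliberately insensitive to one earlier spike; if your environment has strong seasonality (month-end, holidays), compare against the same weeks of the previous year instead of the immediately preceding ones.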
Understanding the Anatomy of an APT Attack
Given the protracted nature of an APT attack, it is sure to leave breadcrumbs along the way that can help you anticipate what’s coming and prevent severe damage. APT attacks typically begin with a reconnaissance stage, where hackers send seemingly harmless malware to “scope out” your computing environment. If the environment is friendly, it will establish a foothold and start escalating rights and privileges to gradually obtain the data it desires or bring about the damage intended. Throughout this period, it will spread across your computing environment to cause the maximum amount of harm.
So, the best way to counter APT is by:
- First, creating an inhospitable environment for the attack through regular monitoring, password best practices, and data encryption.
- Second, staying aware of the possible signs and indicators – essentially, any divergence from regular system behavior.
This will help you stay ahead of the potential threat and keep your users, data, and business protected from organized cybercriminals.