Advanced Persistent Threat (APT)
What is Advanced Persistent Threat (APT)?
A stealthy, well-resourced threat actor — typically state-sponsored — that gains long-term, undetected access to a target network to steal data or pre-position for disruption.
Advanced Persistent Threat (APT) describes both the actor and the campaign: skilled adversaries who spend weeks to years inside a target environment, prioritising stealth and persistence over noisy smash-and-grab attacks. APTs typically chain spear-phishing, supply-chain compromise, custom malware, living-off-the-land tradecraft, and zero-day exploits. Goals are usually espionage (intellectual property, diplomatic cables, defence research), pre-positioning for sabotage on critical infrastructure, or long-running financial theft.
Named campaigns illustrate the spectrum. APT29 (Cozy Bear) trojanised SolarWinds Orion updates with the SUNBURST backdoor in 2020, reaching thousands of organisations through a single trusted vendor. Volt Typhoon, a PRC-linked group, used living-off-the-land techniques — built-in tools like wmic, netsh, and PowerShell rather than custom malware — to maintain persistent access across US communications, energy, water, and transportation networks; CISA, the FBI, and NSA warned in joint advisory AA24-038A (February 2024) that the intent was pre-positioning for disruptive attacks during a future crisis, not espionage.
Defence requires layered controls: threat-intelligence-driven detection, EDR/XDR with behavioural analytics, network segmentation, strict identity controls, enhanced logging of authentication and command-line activity, and proactive threat hunting against TTPs catalogued in MITRE ATT&CK.
```mermaid
flowchart LR
    A[Reconnaissance] --> B[Initial access<br/>spear-phish / supply chain / 0-day]
    B --> C[Foothold &<br/>persistence]
    C --> D[Privilege escalation<br/>+ credential theft]
    D --> E[Lateral movement<br/>living off the land]
    E --> F[Long-term stealth<br/>collection]
    F --> G[Exfiltration or<br/>pre-positioning]
    F -.evade.-> H[EDR / threat hunting<br/>MITRE ATT&CK]
    H -.detect & evict.-> C
```
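The "enhanced logging of command-line activity" and "threat hunting against TTPs" controls above can be made concrete with a small hunt over process-creation logs. The script below is an added example, not code from the original entry or from any of the advisories it cites: it parses constructed, 4688-style JSON records (hosts, users and command lines are invented), scores each host against a handful of living-off-the-land patterns of the kind the entry associates with Volt Typhoon (wmic, netsh, encoded PowerShell), and reports hosts whose combined score crosses a threshold. The command-line patterns, the weights, and the MITRE ATT&CK technique IDs attached to each rule are this example's own assumptions, chosen to illustrate the approach, not a reproduction of any advisory's detection content. A malformed record is included on purpose to show that one bad line does not abort the hunt.

```python
"""Hunt for living-off-the-land (LOTL) tradecraft in process-creation logs.

Constructed sample data only (not from any real incident), loosely modelled on
Windows Security event 4688 fields. Rules, weights and ATT&CK mappings are
this example's assumptions.
"""
import json
import re
from collections import defaultdict

# Constructed sample: one JSON record per line. The last line is deliberately
# truncated to exercise the malformed-record path.
SAMPLE_LOGS = r"""
{"ts": "2024-02-07T09:12:01Z", "host": "WS-114", "user": "j.doe", "parent": "explorer.exe", "cmdline": "C:\\Windows\\System32\\notepad.exe C:\\Users\\j.doe\\notes.txt"}
{"ts": "2024-02-07T09:13:40Z", "host": "SRV-FS01", "user": "svc_backup", "parent": "svchost.exe", "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"}
{"ts": "2024-02-07T10:02:11Z", "host": "WS-207", "user": "a.smith", "parent": "cmd.exe", "cmdline": "wmic /node:SRV-DC01 process call create \"cmd.exe /c whoami\""}
{"ts": "2024-02-07T10:05:27Z", "host": "WS-207", "user": "a.smith", "parent": "cmd.exe", "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=443 connectaddress=203.0.113.10"}
{"ts": "2024-02-07T10:05:58Z", "host": "WS-207", "user": "a.smith", "parent": "cmd.exe", "cmdline": "netsh advfirewall firewall add rule name=Update dir=in action=allow protocol=TCP localport=9999"}
{"ts": "2024-02-07T10:09:03Z", "host": "WS-207", "user": "a.smith", "parent": "cmd.exe", "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="}
{"ts": "2024-02-07T10:10:00Z", "host": "WS-301"
"""

# (rule name, ATT&CK technique ID [assumed mapping], weight, regex over the
# lower-cased command line). Weights are arbitrary illustration values.
RULES = [
    ("wmic remote process creation", "T1047", 3,
     re.compile(r"\bwmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b")),
    ("netsh portproxy (internal proxy)", "T1090.001", 3,
     re.compile(r"\bnetsh\b.*\binterface\b.*\bportproxy\b.*\badd\b")),
    ("netsh firewall rule change", "T1562.004", 2,
     re.compile(r"\bnetsh\b.*\badvfirewall\b.*\b(set|add)\b")),
    ("powershell encoded command", "T1027", 3,
     re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s")),
    ("powershell execution-policy bypass", "T1059.001", 1,
     re.compile(r"\bpowershell(\.exe)?\b.*-executionpolicy\s+bypass")),
]


def parse_records(text):
    """Parse one JSON object per non-empty line; skip malformed lines so a
    single bad record does not abort the whole hunt."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def match_rules(cmdline):
    """Return [(rule name, technique ID, weight)] for every rule hit."""
    lowered = cmdline.lower()
    return [(name, tid, weight) for name, tid, weight, rx in RULES if rx.search(lowered)]


def hunt(text, threshold=5):
    """Aggregate rule hits per host and return hosts at or above threshold.

    A single low-weight hit (an admin running a signed backup script with
    -ExecutionPolicy Bypass) stays below the bar; a chain of several distinct
    LOTL techniques on one host does not.
    """
    per_host = defaultdict(lambda: {"score": 0, "techniques": set(), "hits": []})
    for rec in parse_records(text):
        host = rec.get("host", "unknown")
        for name, tid, weight in match_rules(rec.get("cmdline", "")):
            entry = per_host[host]
            entry["score"] += weight
            entry["techniques"].add(tid)
            entry["hits"].append((rec.get("ts"), rec.get("user"), name))
    return {
        host: {"score": e["score"], "techniques": sorted(e["techniques"]), "hits": e["hits"]}
        for host, e in per_host.items()
        if e["score"] >= threshold
    }


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_LOGS).items():
        print(f"{host}: score={finding['score']} techniques={finding['techniques']}")
        for ts, user, name in finding["hits"]:
            print(f"  {ts} {user}: {name}")
```

In practice the records would come from a SIEM or EDR export rather than an inline string, and the rule set would be much larger and tuned against the environment's baseline; the point here is the shape of the hunt: per-host aggregation across techniques, so that individually unremarkable built-in tools become visible when chained.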
● Examples
1. APT29 (Cozy Bear) and the SolarWinds SUNBURST supply-chain compromise.
2. APT1 (PLA Unit 61398) industrial-espionage campaigns documented by Mandiant in 2013.
3. Volt Typhoon pre-positioning inside US critical infrastructure (CISA advisory AA24-038A).
● Frequently asked questions
What is Advanced Persistent Threat (APT)?
A stealthy, well-resourced threat actor — typically state-sponsored — that gains long-term, undetected access to a target network to steal data or pre-position for disruption. It belongs to the Attacks & Threats category of cybersecurity.
What does Advanced Persistent Threat (APT) mean?
A stealthy, well-resourced threat actor — typically state-sponsored — that gains long-term, undetected access to a target network to steal data or pre-position for disruption.
How do you defend against Advanced Persistent Threat (APT)?
Defences for Advanced Persistent Threat (APT) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Advanced Persistent Threat (APT)?
Common alternative names include: Targeted Attack, Nation-State Threat Actor.