What Is an Advanced Persistent Threat (APT)?
In early 2020, a routine software update went out to customers of SolarWinds Orion. It was signed, it looked legitimate, and it carried a backdoor. Up to 18,000 organizations installed it. The operators did not smash anything. They picked a small number of targets out of those thousands, slipped into US government departments and large enterprises, and quietly read email and stole data for months before the intrusion was disclosed that December. The US government attributed the operation to the SVR, Russia's foreign intelligence service, the group tracked as APT29 or Cozy Bear.
That is an advanced persistent threat: not a hit-and-run, but a patient, well-resourced intruder who gets in, stays hidden, and works toward a specific objective over a long period.
This guide covers what an advanced persistent threat actually is, why APTs are different from ordinary attacks, who runs them and the confusing way the industry names them, the stages of an APT attack mapped to MITRE ATT&CK, the warning signs a defender can actually see, real examples, and how to detect and defend against them. It is written for blue teamers: SOC analysts, threat hunters, and DFIR practitioners.
What is an advanced persistent threat?
An advanced persistent threat (APT) is a prolonged, targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period to steal data or achieve a strategic goal. The term describes both the attack and the actor behind it. People say "an APT compromised the network" and "APT29 ran the operation," and both are correct.
The name is best read one word at a time, because the popular reading of it is wrong.
Advanced does not mean the attacker only uses exotic zero-days. They use whatever works, and what works is usually cheap: a spear-phishing email, a stolen password, an unpatched internet-facing server. The advanced part is the operation, not always the malware. These actors can develop custom tooling and chain zero-days when they need to, but they will not spend a zero-day on a locked door when a spear-phish opens an unlocked one.
Persistent is the defining trait. The attacker is not after a quick score. They establish multiple footholds, build redundant persistence so losing one machine does not evict them, and operate low and slow to avoid tripping alarms. Kick them off and a well-run APT comes back. The whole design is to maximize dwell time.
Threat means there is a human adversary with intent and resources, not an automated worm spraying the internet. Someone chose your organization, set an objective, and will adapt when you push back.
Put together, an APT is a human-directed campaign that prioritizes stealth and longevity over speed. That is what separates it from the commodity attack that encrypts a network on day one and demands a ransom. An APT would rather you never know it was there.
Why APTs are different
Ordinary attacks are opportunistic. They take whatever target is easy and cash out fast. APTs invert every part of that.
- They are targeted. A specific organization is chosen for what it has: intellectual property, classified information, access to a bigger target downstream, or money to fund a regime.
- They are well-resourced. Most APTs are nation-state intelligence services or groups funded by them. CrowdStrike tracks more than 280 named adversary groups, and the serious ones operate like the professional teams they are, with budgets, tooling, and time.
- They are patient. Where a financially motivated crew wants out before detection, an APT wants in for as long as possible. The global median dwell time across all intrusions is roughly two weeks (Mandiant's M-Trends 2026 puts it at 14 days), but espionage-driven groups are engineered to stretch that far longer, often remaining hidden for months.
- Their objective is rarely noise. Espionage, long-term access, pre-positioning in critical infrastructure, or large-scale theft. The endgame is strategic, so the operation is built to support it quietly.
The practical consequence for a defender is that you cannot wait for an APT to make noise. It is built not to. Detection has to be proactive, which is why defending against them leans so heavily on threat hunting and behavioral analysis rather than signature alerts.
Who runs APTs, and why the names are a mess
Most APTs trace back to four nation-states: Russia, China, North Korea, and Iran. Their motives split cleanly. Russian and Chinese groups lean toward espionage and strategic access. North Korea is the outlier that steals money, including cryptocurrency, to fund the state. Iranian groups mix espionage with disruption.
The naming is genuinely confusing, and it matters because a single group wears half a dozen names. Each vendor invented its own scheme:
| Source | Naming scheme | Example for one group |
|---|---|---|
| CrowdStrike | Animal by nation nexus: Panda (China), Bear (Russia), Kitten (Iran), Chollima (North Korea), Spider (eCrime) | Cozy Bear |
| Microsoft | Two-word weather names by nexus: Typhoon (China), Blizzard (Russia), Sleet (North Korea), Sandstorm (Iran) | Midnight Blizzard |
| Mandiant (Google) | Numbered: APT##, UNC## (uncategorized), FIN## (financial) | APT29 |
| MITRE ATT&CK | G#### group IDs that aggregate every known alias | G0016 |
Every row above is the same Russian SVR group. The same intrusion set can show up in three reports under three names, which is how analysts end up arguing about whether two campaigns are the same actor. In June 2025, Microsoft and CrowdStrike announced a joint effort to publish a mapping between their threat-actor names to cut the confusion. When you read a report, anchor on the MITRE ATT&CK group ID, which collects the aliases in one place.
The stages of an APT attack
An APT attack is usually described in three stages: infiltration, escalation and lateral movement, and exfiltration. The model is a useful spine, and each stage maps onto a handful of MITRE ATT&CK tactics, which is how detection teams turn it into something huntable.

Stage 1: infiltration
The attacker gets in (ATT&CK tactic: Initial Access). Their favorite routes are spear-phishing a specific employee with a convincing, researched lure (T1566 Phishing), exploiting a vulnerability in an internet-facing system (T1190 Exploit Public-Facing Application), or compromising a trusted supplier so the malware arrives through a legitimate update (T1195 Supply Chain Compromise, the SolarWinds pattern). None of these requires a zero-day. A valid stolen credential (T1078 Valid Accounts) walks straight through the front door and generates no malware alert at all.
Stage 2: escalation and lateral movement
This is where an APT earns its name, and where one stage spans the most ATT&CK tactics: Persistence, Privilege Escalation, Credential Access, Discovery, Lateral Movement, and Command and Control. Having landed on one machine, the operator establishes persistence so a reboot or a cleaned host does not evict them, harvests credentials (T1003 OS Credential Dumping) to escalate privileges, maps the network, and moves laterally toward the systems that hold the objective. Much of this is done with living-off-the-land techniques, using built-in administrative tools like PowerShell (T1059.001) and legitimate remote-access utilities (T1219), so the activity blends into normal admin work and leaves little for antivirus to catch. A command-and-control channel keeps the operator in touch, often beaconing slowly to stay under the radar.
Stage 3: exfiltration
With access to what they came for, the attackers collect and stage the data, typically compressing and encrypting it (T1560 Archive Collected Data), then move it out, often over the same C2 channel (T1041 Exfiltration Over C2 Channel) or through a trusted cloud service (T1567 Exfiltration Over Web Service) so the traffic looks normal. These are the Collection and Exfiltration tactics. Some operations add Impact, ending with a destructive act or a ransomware deployment (T1486 Data Encrypted for Impact), sometimes as cover to bury the real objective. Crucially, exfiltration is rarely the end. A patient APT leaves its footholds in place to come back, which is why eviction has to be complete, not partial.
Characteristics and warning signs of an APT
APTs are built to be quiet, but the activity still leaves traces if you know where to look. The signs a defender can actually act on:
- Privileged logins at odd hours or from odd places. Credential abuse shows up as accounts, especially admin accounts, authenticating at times or from locations that do not fit the user.
- Backdoors and new persistence. Unexpected scheduled tasks, services, registry run keys, or web shells appearing across multiple hosts.
- Staged data. Large archive files (often compressed and encrypted) appearing in unusual locations, which is data bundled for theft.
- Anomalous outbound flows. Beaconing to an external host on a regular interval, or large outbound transfers and unusual database queries pulling far more data than a normal process would.
- Valid accounts doing abnormal things. The hardest signal, because there is no malware. A legitimate account suddenly accessing systems it never touches is often the only tell.
- Lateral movement patterns. Authentication from workstation to workstation, or admin tools running where they normally never run.
Individually each can be benign. The skill is correlating them into the story of an intrusion, which is exactly what hunting and good detection engineering are for.
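The correlation step is easier to see in code. The following is an added example for this guide, not code from the original page: three small behavior hunts over constructed authentication and flow records, covering the signals listed above (off-hours privileged logons, valid accounts reaching hosts they have no history with, workstation-to-workstation logons, and beaconing detected from how regular the connection intervals are), followed by a pass that keeps only hosts named by more than one signal. The hostnames, users, IP addresses, working hours and thresholds are all assumptions.

```python
"""Three behavior hunts over constructed telemetry, then a correlation pass.

Added example for this guide, not code from the original page. Every event,
hostname, user and IP below is constructed; the thresholds are assumptions
that a team would tune against its own baseline.
"""
from collections import defaultdict
from datetime import datetime, time
from statistics import mean, pstdev

# Constructed authentication events: (timestamp, user, src_host, dst_host, privileged)
AUTH_EVENTS = [
    ("2024-03-04T09:12:00", "jsmith",   "WS-114", "FS-01",    False),
    ("2024-03-04T10:40:00", "adm-rlee", "WS-220", "DC-01",    True),
    ("2024-03-04T14:05:00", "jsmith",   "WS-114", "MAIL-01",  False),
    ("2024-03-05T02:41:00", "adm-rlee", "WS-114", "DC-01",    True),   # admin account at 02:41, from a user workstation
    ("2024-03-05T02:43:00", "adm-rlee", "WS-114", "HR-DB-01", True),   # host this account has never touched
    ("2024-03-05T02:50:00", "jsmith",   "WS-114", "WS-117",   False),  # workstation-to-workstation logon
    ("2024-03-05T11:00:00", "adm-rlee", "WS-220", "DC-01",    True),
]

# Constructed baseline: (user, dst_host) pairs seen in the prior 30 days
BASELINE_ACCESS = {("jsmith", "FS-01"), ("jsmith", "MAIL-01"), ("adm-rlee", "DC-01")}

# Constructed outbound flows: (timestamp, src_host, dst_ip)
NET_EVENTS = [
    # WS-114 reaches one external IP roughly every 600 s with a few seconds of jitter
    ("2024-03-05T02:00:00", "WS-114", "203.0.113.7"),
    ("2024-03-05T02:09:58", "WS-114", "203.0.113.7"),
    ("2024-03-05T02:20:03", "WS-114", "203.0.113.7"),
    ("2024-03-05T02:29:55", "WS-114", "203.0.113.7"),
    ("2024-03-05T02:40:04", "WS-114", "203.0.113.7"),
    ("2024-03-05T02:50:01", "WS-114", "203.0.113.7"),
    ("2024-03-05T02:59:57", "WS-114", "203.0.113.7"),
    ("2024-03-05T03:10:02", "WS-114", "203.0.113.7"),
    # WS-220 revisits one site at human, irregular intervals
    ("2024-03-05T09:01:00", "WS-220", "198.51.100.20"),
    ("2024-03-05T09:04:00", "WS-220", "198.51.100.20"),
    ("2024-03-05T09:31:00", "WS-220", "198.51.100.20"),
    ("2024-03-05T10:17:00", "WS-220", "198.51.100.20"),
    ("2024-03-05T11:59:00", "WS-220", "198.51.100.20"),
    ("2024-03-05T12:03:00", "WS-220", "198.51.100.20"),
    ("2024-03-05T13:48:00", "WS-220", "198.51.100.20"),
]

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed working hours


def off_hours_privileged(events):
    """Privileged logons outside business hours or on a weekend."""
    hits = []
    for ts, user, src, dst, privileged in events:
        when = datetime.fromisoformat(ts)
        off_hours = when.weekday() >= 5 or not (BUSINESS_START <= when.time() < BUSINESS_END)
        if privileged and off_hours:
            hits.append((ts, user, src, dst))
    return hits


def new_access_pairs(events, baseline):
    """Valid accounts reaching hosts they have no history with."""
    return [(ts, user, src, dst) for ts, user, src, dst, _ in events
            if (user, dst) not in baseline]


def workstation_to_workstation(events, is_workstation=lambda h: h.startswith("WS-")):
    """Logons from one workstation to another, which normal users rarely do."""
    return [(ts, user, src, dst) for ts, user, src, dst, _ in events
            if is_workstation(src) and is_workstation(dst)]


def beaconing(events, min_intervals=5, max_cv=0.1):
    """(src_host, dst_ip) pairs whose connection intervals are too regular for a human.

    Uses the coefficient of variation (stdev / mean) of the gaps between
    connections; a low value means a timer, not a person, drives the traffic.
    Returns the rounded mean interval in seconds for each flagged pair.
    """
    by_pair = defaultdict(list)
    for ts, src, dst_ip in events:
        by_pair[(src, dst_ip)].append(datetime.fromisoformat(ts))
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_intervals:
            continue
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = round(avg)
    return hits


def correlate(auth_events, baseline, net_events, min_signals=2):
    """Hosts named by at least min_signals independent hunts, with the signals that hit."""
    signals = defaultdict(set)
    for _, _, src, _ in off_hours_privileged(auth_events):
        signals[src].add("off-hours privileged logon")
    for _, _, src, _ in new_access_pairs(auth_events, baseline):
        signals[src].add("first-seen access")
    for _, _, src, _ in workstation_to_workstation(auth_events):
        signals[src].add("workstation-to-workstation logon")
    for src, _ in beaconing(net_events):
        signals[src].add("beaconing")
    return {host: sorted(s) for host, s in signals.items() if len(s) >= min_signals}


if __name__ == "__main__":
    for host, why in correlate(AUTH_EVENTS, BASELINE_ACCESS, NET_EVENTS).items():
        print(f"{host}: {', '.join(why)}")
```

Run it and WS-114 comes out with all four signals, while WS-220, whose admin logons fall in working hours and whose browsing is irregular, is flagged by none of them. The coefficient-of-variation check is deliberately crude: real implants add jitter and long sleeps, so the threshold and the minimum number of intervals need tuning against your own traffic, and the baseline set would be learned from weeks of logs rather than typed in.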
Advanced persistent threat examples
Real APTs make the abstract concrete. Four well-documented groups, attributed by governments and tracked in MITRE ATT&CK:
| Group (common aliases) | Nexus | Sponsor | Known for |
|---|---|---|---|
| APT29 (Cozy Bear, Midnight Blizzard) | Russia | SVR, foreign intelligence | SolarWinds supply-chain compromise (2020); patient, stealthy espionage |
| APT28 (Fancy Bear, Forest Blizzard) | Russia | GRU, military intelligence | 2016 DNC breach and election interference; US indicted GRU officers in 2018 |
| APT41 (Wicked Panda) | China | State-sponsored | Dual operation: state espionage alongside financially motivated intrusions |
| Lazarus Group (APT38, TraderTraitor) | North Korea | DPRK state | Financially motivated theft; the FBI attributed the ~$1.5B Bybit crypto heist (2025) to it |
The split is instructive. APT29 sat inside SolarWinds victims for months doing nothing but collecting intelligence, the textbook patient espionage actor. Lazarus shows the North Korean exception: in February 2025 the FBI confirmed it stole roughly $1.5 billion in cryptocurrency from the Bybit exchange, the largest crypto heist on record, money that funds the regime. Same APT discipline, different objective.
How to detect and defend against APTs
You cannot prevent every initial foothold, and assuming you can is how they win. A realistic program is built to detect and evict an intruder who is already inside, and to make their job slow and loud enough that you catch them before the objective.
- Assume breach and hunt. Do not wait for an alert that an APT is built to avoid. Run regular threat hunting against behavior, not just indicators, because the behavior is what survives when the attacker rotates infrastructure.
- Get deep visibility. EDR or XDR on endpoints for process, persistence, and credential telemetry, plus a SIEM aggregating identity, network, and cloud logs. Keep enough log retention to investigate backward across a months-long dwell window, or the early stages are already gone when you find the late ones.
- Watch identity hardest. Because these actors lean on valid credentials, identity is the richest detection surface: impossible-travel logins, abnormal privileged access, anomalous service-account use.
- Map detections to MITRE ATT&CK. Organize coverage around the techniques these groups actually use so you can see your gaps, rather than collecting disconnected rules.
- Shrink and segment the attack surface. Patch internet-facing systems quickly, enforce least privilege and MFA, and segment the network so lateral movement is hard and noisy. A firewall and network controls that block free east-west movement buy detection time.
- Use threat intelligence. Knowing which groups target your sector, and the indicators of compromise and techniques tied to them, turns generic monitoring into focused hunts.
- Be ready to respond. Have an incident response plan that assumes a sophisticated adversary. Eviction must be complete and coordinated, because a partial cleanup just teaches the APT how you hunt and invites them back. Prevention is not the only thing that matters; once activity surfaces, how fast you contain it decides the impact.
The thread through all of it is that APT defense is a detection-and-response discipline, not a prevention checklist.
Getting started with APT detection
If you are building the skill, the path is hands-on, because this is pattern recognition under noise, and that only comes from reps.
- Learn normal first. You cannot spot an APT's quiet lateral movement if you do not know what authentication, process, and network baselines look like in your environment.
- Learn MITRE ATT&CK. It is the shared map of attacker behavior. Knowing the techniques they use turns "something is off" into "this looks like credential dumping followed by lateral movement."
- Hunt behavior, not just indicators. An IP or hash dies the moment the attacker changes it. A technique like credential abuse persists across campaigns.
- Reconstruct real intrusions. Working an end-to-end attack chain, from first foothold to exfiltration, is how the stages stop being a diagram and become something you recognize.
The bottom line
An advanced persistent threat is a patient, well-funded human adversary that gets into a network, stays hidden, and works toward a strategic objective over months. The defining trait is not exotic malware; it is persistence and intent. They use whatever gets them in, often something as simple as a stolen password, then go quiet and dig in. They run the same three-stage playbook (infiltrate, escalate and move laterally, exfiltrate), and it maps cleanly onto MITRE ATT&CK, which is what makes them huntable.
Because an APT is designed not to make noise, you cannot defend against one by waiting for an alert. The job is proactive detection and complete response: assume an intruder is already inside, hunt for the behavior they cannot hide, and evict them entirely.
Frequently asked questions
Who is behind advanced persistent threats?
Most are run by or for nation-states, primarily Russia, China, North Korea, and Iran. Russian and Chinese groups focus largely on espionage and strategic access, North Korea steals money including cryptocurrency to fund the state, and Iranian groups mix espionage with disruption.
What are some examples of advanced persistent threats?
Well-documented examples include APT29 (Cozy Bear), the Russian SVR group behind the 2020 SolarWinds compromise; APT28 (Fancy Bear), the Russian GRU group tied to the 2016 DNC breach; APT41, a Chinese group that mixes espionage with financial crime; and North Korea's Lazarus Group, which the FBI blamed for the 2025 Bybit cryptocurrency heist.
How do you detect an advanced persistent threat?
Because they are built to evade signature-based alerts, detection relies on proactive threat hunting and behavioral analysis: watching for abnormal privileged logins, new persistence and backdoors, staged data, beaconing, and valid accounts behaving strangely. Deep endpoint, identity, and network visibility with long log retention, organized around MITRE ATT&CK techniques, is what makes the activity findable.
What is an advanced persistent threat?
An advanced persistent threat (APT) is a skilled, well-funded attacker, usually a nation-state or a group backed by one, that breaks into a network and stays hidden for a long time to steal data or achieve a strategic goal. Unlike a smash-and-grab attack, an APT prioritizes stealth and long-term access over a fast payout.
What are the three stages of an APT attack?
The three stages are infiltration (gaining an initial foothold through spear-phishing, an exploited vulnerability, or a supply-chain compromise), escalation and lateral movement (establishing persistence, stealing credentials, and spreading toward the target systems), and exfiltration (collecting and stealing the data or achieving the objective). These groups often leave footholds in place afterward to return.
How is an APT different from regular malware?
Regular malware is usually opportunistic and automated, hitting any vulnerable target and acting fast. An APT is a human-directed campaign aimed at a specific organization, designed to stay undetected for months and adapt when defenders push back. Malware is often just one tool it uses, not the threat itself.