Phishing APTs (Advanced Persistent Threats)

By Ki Nang Yip, May 21, 2016

1.   Introduction

Advanced Persistent Threat (APT) is an increasingly common term in cybersecurity. It describes an ongoing intrusion in which the attack operator remains present on the victim's network for a considerable period of time. That steady presence in turn lets the operator extract the victim institution's digital assets over time.


Most of the reported APT intrusions started with spear phishing to gain initial access: Operation Aurora (2009) and the RSA SecurID breach (2011) both began with a targeted email, and even the HBGary Federal compromise (2011), which combined SQL injection and password reuse with social engineering, shows how far a convincing pretext carries an attacker. APT phishers mine the targeted institution's publicly available personnel information to craft convincing lures. Once inside the network, they can read the victim's digital assets on a regular basis; the institution's defenses decay from within while its confidential information is continually spied on and stolen. Spear phishing gives APT groups a deep foothold, and the potential loss for the target can be unprecedented.

An APT is not a common hacker. The label is usually associated with, though not limited to, government agencies and military entities. These state-funded actors have the capabilities and resources to run long, precisely scoped operations against high-profile targets. Individual hackers and low-level cybercriminals following the mainstream hit-and-run strategy share neither the intent nor the means to infiltrate as persistently and effectively as APT groups. Many APT intrusions of the past few years, notably APT1 (attributed to the Chinese People's Liberation Army), APT30 (attributed to China) and APT28 (attributed to the Russian government), were cyber-espionage and intelligence-gathering operations serving national interests. To get the most out of a mission, an APT needs a lengthy presence in the network, from which it can run an ongoing extraction of the victim's relevant digital assets. The level of hostility and destructiveness of an APT is therefore much higher than an individual attacker's.

The APT strategy is, in short, bait and bleed. All the devastating consequences begin with a compelling spear phishing bait, and once the target institution takes it, it keeps bleeding. Worse still, the victim institution is usually slow to notice the APT's presence in its networks.

2.   Several infamous APT groups

Many exposed APTs that attract heavy media coverage are tied to state-funded cyber operations. The Stuxnet worm that targeted Iranian nuclear facilities is widely regarded as the first APT. It was discovered in 2010, though its earliest traces date back to 2005, and it remained active until 2012. The sabotage is suspected to be an American-Israeli collaboration. Both the duration of the operation and the complexity of the code reflect the extravagant resources such a mission demands. The goal of this cyber weapon was plainly to undermine Iran's aggressive nuclear development program.

Although Stuxnet earned a prominent reputation, the first widely recognized APT group is Unit 61398 of the People's Liberation Army of China. In 2013 this military unit was exposed and named APT1. APT1 reportedly specialized in intelligence gathering against English-speaking institutions and corporations around the world, and had been spying on and stealing valuable digital assets from over 140 organizations since 2006. The group appeared to field a highly experienced team with strong industry knowledge and technical skill. Above all, it was good at delivering spear phishing that enticed its victims. Following the initial phishing that gave APT1 access to the victims' networks, hundreds of terabytes of data were stolen over the years before discovery. APT1 became so notorious that a year after the revelation the U.S. Department of Justice (DOJ) indicted five officers of Unit 61398. The allegations state precisely that the accused used spear phishing to gain access to the victims' networks before carrying out further data theft.

In 2014 the Russia-based APT28 was unveiled. The group had been engaged primarily in cyber activity serving Russia's geopolitical interests since 2007. Its victims were mainly government and military institutions, including the Ministry of Internal Affairs of Georgia in the Caucasus, the North Atlantic Treaty Organization (NATO) and other European security organizations. APT28 repeatedly relied on spear phishing as its most effective way to gain access to a victim's network.

3.   APTs Targeted Digital Assets

APTs have precise objectives, ranging from monetary gain and political goals to intelligence gathering. Digital assets such as weaponry, high-technology and nuclear plant designs, and military alliance information are all targets. The China-based APT1, for example, went after renewable energy trade and policy development information as well as aeronautics research, whereas the Russia-based APT28 is more concerned with geopolitical developments in the former Soviet states. When it comes to coping with APTs, information security controls matter equally for monetary and non-monetary digital assets.

4.   APT Attack Techniques

APTs study their targets in detail before launching an attack. The following diagram shows the APT attack cycle:

4.1.         Diagram: APT attack cycle


After the initial profiling of the target, the first tactic an APT uses to gain access to the victim's network is spear phishing. The group crafts its emails around specific topics pertinent to the targeted person, such as a current project, a supplier or an internal announcement, so that the recipient trusts the message and clicks the malicious link or opens the malicious attachment. That single click gives the operator its first foothold in the network. The likelihood that a spear phishing message will succeed must not be underestimated: corporations and government institutions such as Target, Anthem, the U.S. Office of Personnel Management and the U.S. Department of Defense have all suffered from spear phishing despite their advanced information security solutions.
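The lure described above leaves traces that a mail gateway or an analyst can check before anyone clicks. The following Python script is an added example, not code from the original article or from Infosec, and the messages it inspects are constructed for the example using reserved example domains and documentation IP space. It flags a display name that impersonates an address at another domain, a Reply-To that diverts replies to a third domain, anchor text that disagrees with its real target, IP-literal links and links that download executables.

```python
"""Heuristic triage of a spear-phishing email (added example, not from the article)."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".lnk")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

# Constructed lure in the style the text describes (not a real message).  The
# addresses use reserved example domains; 198.51.100.0/24 is documentation space.
SAMPLE_EML = """\
From: "IT Helpdesk <helpdesk@example.com>" <alerts@example.org>
Reply-To: helpdesk-support@example.net
To: jdoe@example.com
Subject: Action required: foreign government contract announcement
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The press release on the new contract award is ready for staff review.</p>
<p>Read it <a href="http://198.51.100.23/docs/press_release.exe">here</a>, or
visit <a href="https://example.net/login">https://example.com/newsroom</a>.</p>
</body></html>
"""

# Constructed benign message for comparison.
BENIGN_EML = """\
From: Jane Doe <jane@example.com>
To: jdoe@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def shown_host(text):
    """Host a reader would infer from anchor text, or '' if the text is not URL-like."""
    if not URLISH.fullmatch(text):
        return ""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


def triage(raw):
    """Return the list of indicators found in one RFC 5322 message (empty = nothing odd)."""
    msg = email.message_from_string(raw)
    findings = []

    name, sender = parseaddr(msg.get("From", ""))
    sender_dom = domain_of(sender)
    # 1. Display name that impersonates an address at another domain.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and domain_of(embedded.group()) != sender_dom:
        findings.append(f"display-name spoof: shows {embedded.group()}, sent from {sender}")

    # 2. Replies silently redirected to a third domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_dom:
        findings.append(f"reply-to mismatch: {reply_to}")

    # 3. Anchor text that disagrees with the real target, IP-literal hosts,
    #    and links that download executables.
    body = msg.get_payload(decode=True) or b""
    collector = LinkCollector()
    collector.feed(body.decode(msg.get_content_charset() or "utf-8", "replace"))
    for text, href in collector.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        shown = shown_host(text)
        if shown and shown != host:
            findings.append(f"link text/href mismatch: '{text}' -> {host}")
        if IPV4.match(host):
            findings.append(f"IP-literal link: {href}")
        if target.path.lower().endswith(EXEC_SUFFIXES):
            findings.append(f"executable download: {href}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EML):
        print("-", line)
    print("benign:", triage(BENIGN_EML))
```

Run it over an .eml export of a suspicious message. No single check proves a message malicious (newsletters routinely use tracking links whose host differs from the text), but two or more of these hits on a message that names an internal project or supplier is exactly the profile described above.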

Once the first system inside the target institution is compromised, the APT operator deploys more intrusive tooling to extend the damage across the victim's network. A typical second stage is a Remote Access Trojan (RAT). A RAT gives the attacker interactive control of the compromised host, with the privileges of the account the implant runs under, and a channel for follow-on activity: harvesting credentials and session tokens so that even strong authentication is sidestepped rather than broken, spreading the infection to further hosts, and reaching sensitive applications to exfiltrate data. The RAT is just one of the many powerful tools APTs use against their targets.

All in all, once the initial malware is delivered through spear phishing, the APT operator can keep uploading more sophisticated spying and evasion tools to the victim's network to extend the damage. These tools let the APT camouflage its presence, and it stays in the compromised network for as long as it can to explore the victim's digital assets. It is therefore essential to understand the risk that APT spear phishing poses to your institution.

5.   Spear phishing training for your colleagues—InfoSec PhishSim solution

APTs are not ordinary network intruders. Their presence is hard to detect and hard to eradicate once they are inside your network. Spear phishing opens the door to your institution's digital gold mine, so securing that door is a fundamental step in defending against APT intrusion.

Moreover, a well-crafted spear phishing email looks nothing like bulk spam and can slip through the spam filter: filters key on volume, sender reputation and known-bad URLs, and a one-off message sent from a freshly registered domain with a not-yet-flagged link offers few of those signals. APTs also have the resources to conduct in-depth social engineering research before phishing their targets, which sharply raises the odds that someone falls for the message. Raising personnel awareness of spear phishing is therefore vital for institutions with valuable digital assets.

For over a decade, InfoSec Institute has been on the front line of combating cyber threats for its clients. Many governmental and corporate clients exposed to diverse information security risks have sought expert advice from InfoSec Institute. The institute offers tailor-made information security training and products to institutions in both the public and private sectors, and it has been nurturing professionals working across cybersecurity, who keep up with the latest threats and defenses through its training programs. Please visit the institute's certification and security awareness programs here for more information.

Since the majority of APT network intrusions begin with spear phishing, InfoSec Institute introduced a new service, Infosec IQ, to meet the demand for high-quality phishing awareness training. Infosec IQ lets its users manage and customize phishing training for the institution's relevant personnel. A detailed outline of phishing techniques, suspicious messages and system notifications is available on Infosec IQ. You are welcome to set up your free account here and start phishing your co-workers with your own custom-designed spear phishing emails. You will be surprised how user-friendly Infosec IQ is and how vivid the messages can be!

Infosec IQ is a convenient platform for a cybersecurity officer to train colleagues. The officer can build an awareness program adapted to the nature of the institution's business, drawing inspiration from Infosec IQ's existing templates; the default settings already provide many well-crafted spear phishing email ideas. The account owner can create and edit messages and add gadgets to make them more appealing and lure colleagues into the trap. The following screenshot shows the handy editing interface of PhishSim:


For instance, this spear phishing email example uses one of the corporate victims of the China-based APT1, Westinghouse, as the protagonist. The message is about the company's success in winning a large foreign government contract.


In a real attack the word "here" would link to a page that drops malware onto the recipient's computer; in the simulation the link only needs to lead somewhere that records the click. Once the fraudulent message is created, the Infosec IQ account administrator can send it to the relevant personnel to test their awareness of spear phishing. The administrator receives notifications about the recipients' reactions, such as ignoring the message, forwarding it to more colleagues or clicking the link, and can then identify where colleagues are weak against spear phishing.
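Recording who clicked is what turns a simulation into usable data. The following Python code is an added example of how per-recipient tracking links can be built and evaluated; it is not Infosec IQ's implementation, and the campaign name, landing URL, key, recipient ids and web-server log lines are all made up for the example. Each link carries an HMAC-signed token, so a click in the log can be attributed to exactly one recipient and a forged or tampered token is rejected rather than counted. Clicks on one token from several client addresses are reported separately, because that is what forwarding the mail to colleagues looks like in the log.

```python
"""Per-recipient tracking links for a phishing simulation (added example, not Infosec IQ's code)."""
import hashlib
import hmac
import re
from base64 import urlsafe_b64decode, urlsafe_b64encode
from collections import defaultdict

# Hypothetical campaign parameters for this example; generate KEY with os.urandom in practice.
LANDING = "https://awareness.example.net/lp"
CAMPAIGN = "contract-award-2016"
KEY = b"replace-me-with-32-random-bytes-from-os.urandom"
RECIPIENTS = ["r001", "r002", "r003"]   # opaque ids, mapped to people elsewhere


def make_token(recipient_id, key=KEY, campaign=CAMPAIGN):
    """Token = base64url( HMAC-SHA256(key, 'id|campaign')[:16] || 'id|campaign' )."""
    msg = f"{recipient_id}|{campaign}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:16]
    return urlsafe_b64encode(tag + msg).rstrip(b"=").decode()


def make_link(recipient_id, key=KEY, campaign=CAMPAIGN):
    """The URL placed behind the lure text (e.g. 'here') for one recipient."""
    return f"{LANDING}?t={make_token(recipient_id, key, campaign)}"


def verify_token(token, key=KEY):
    """Return (recipient_id, campaign) if the tag checks out, else None."""
    try:
        raw = urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    tag, msg = raw[:16], raw[16:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    recipient_id, _, campaign = msg.decode("ascii", "replace").partition("|")
    return recipient_id, campaign


# Constructed web-server log (combined format) for the landing page.  Line 3
# carries a forged token, line 5 a token from another campaign; r002's link was
# opened from two different addresses, as happens when the mail is forwarded.
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [21/May/2016:09:12:44 +0000] "GET /lp?t={make_token("r001")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.8 - - [21/May/2016:09:15:02 +0000] "GET /lp?t={make_token("r002")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/May/2016:09:16:10 +0000] "GET /lp?t=AAAAforged HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    f'198.51.100.4 - - [21/May/2016:10:01:33 +0000] "GET /lp?t={make_token("r002")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - [21/May/2016:10:05:00 +0000] "GET /lp?t={make_token("r003", campaign="other")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [21/May/2016:10:06:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
])

LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /lp\?t=(?P<tok>[^ "&]+) HTTP')


def report(log_text, recipients=RECIPIENTS, key=KEY, campaign=CAMPAIGN):
    """Map each recipient to an outcome; also return the number of rejected tokens."""
    sources = defaultdict(set)          # recipient_id -> set of client IPs
    rejected = 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parsed = verify_token(m["tok"], key)
        if parsed is None or parsed[1] != campaign:
            rejected += 1               # forged, tampered or stale token
            continue
        sources[parsed[0]].add(m["ip"])
    outcome = {}
    for rid in recipients:
        ips = sources.get(rid, set())
        if not ips:
            outcome[rid] = "no click"
        elif len(ips) == 1:
            outcome[rid] = "clicked"
        else:
            outcome[rid] = f"clicked from {len(ips)} addresses (possibly forwarded)"
    return outcome, rejected


if __name__ == "__main__":
    for rid in RECIPIENTS:
        print(rid, make_link(rid))
    print(report(SAMPLE_LOG))
```

Keep the key out of the mail and out of the landing-page HTML, treat the click report as personal data, and scope the campaign id so that tokens from an earlier exercise cannot pollute a new one.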


Growing APT use of spear phishing will raise further information security concerns. Improving your employees' awareness of spear phishing significantly reduces the risk an APT poses to your institution, and Infosec IQ is an effective first choice for raising that awareness.

Ki Nang Yip

Ki Nang is a researcher in cybersecurity, industrial espionage and political science. He conducts his PhD research in Paris. He studies state-funded cyber-espionage, political impacts in cyberspace for corporate development, and new forms of cybercrime. In his spare time, he also follows cybersecurity and political issues in China, U.S. and Russia.