What's Worse: APTs or Spear Phishing?

Poojitha Trivedi
September 25, 2015 by
Poojitha Trivedi

In this article, we are going to look into advance persistent threat (APT) and spear phishing, the role of spear phishing in APT attacks, the level of difficulty to perform APT attacks or spear phishing attacks, and, last but not least, the comparison of damage caused by an APT attack and spear phishing. But, before we do that, let us get a brief idea on what is advance Persistent threat and what is spear phishing.

What Is an Advance Persistent Threat?

From the name itself, it is clear that such a type of threats or attacks use sophisticated techniques to exploit the vulnerabilities in the system and "persistent" in this scenario means that there is continuous monitoring or extraction of data from the target. Therefore, we can say that an APT is an advance network attack where an attacker gains access to the network and remains undetected for a long period of time.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

What Is Spear Phishing?

Spear phishing is similar to a normal phishing attack, where the email which is sent appears to be from an individual or a business which the victim trusts. It's an e-mail spoofing fraud that attempts to seek unauthorized access to the confidential data present with the target. Such types of attacks are not initiated by random hackers or script kiddies but are more likely to be performed by perpetrators for their financial gain or steal confidential data. In order to increase the probability of this attack, the attacker may gather information about the target prior to the initiation of the attack.

How Is an Advance Persistent Threat Attack Performed?

Abuse or compromise of trusted connections and malwares are the key ingredients to launching a successful APT attack. APT attacks create a growing or changing risk to the targeted organization's financial assets or intellectual property and reputation by following the cyclic chain outlined below:

  1. Targeting specific organizations for a singular objective, which is the initial compromise of the victim. This is performed by the use of social engineering and spear phishing, over email, using zero-day viruses, etc. Another popular infection method is by planting malware on a website that the victim's employees will be likely to visit.
  2. Next, the attacker has to establish or gain a foothold in the target environment. This phase involves planting remote administration software in the victim's network, creating network backdoors and tunnels that help gain stealth access to the target's infrastructure.
  3. Use the compromised system as an entry point into the target network by using exploits and password cracking to acquire administrator privileges over the victim's computer and possibly expanding it to Windows domain administrator accounts; collecting information on the surrounding infrastructure, trust relationships, and Windows domain structure.
  4. Deploy additional tools or software that help in fulfilling the objective of the attack and expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.
  5. Exfiltrate the data from the target computer or network and cover tracks to maintain access for future initiatives and ensure continued control over access channels and credentials acquired in previous steps.

From the above discussed method used for performing an APT attack, it is very clear that spear phishing may play a very important role in initializing few APT attacks.

How Is Spear Phishing Done?

It is more or less similar to a common phishing attack, but spear phishing is targeted at a subset of people, usually employees of the companies or members of an association or visitors to a particular website.

This attack needs a little bit of social engineering or information gathering about the target or the victim. It includes tactics such as victim segmentation, email personalization, sender impersonation, and other techniques to bypass the email filters.

The attack vector is mainly an e-mail message that seems to have been sent from a legitimate sender and requesting some action from the victim. Such mails may include malicious links to websites controlled by attackers, while a few others include malicious attachments that infect the target system.

Damage Caused by an Advanced Persistent Threat Attack

APT attacks are usually not targeted at a specific person but they target your company. Also, when there is an attack whose intent is to just steal the money, then probably such an attack cannot be termed an APT attack. The main goal of an APT attack is to steal valuable intellectual property, such as confidential project data, contract information, patent information, etc., from companies or government sectors. The ultimate goal of APTs is very ambitious. A common myth that APTs usually target the western sites is absolutely incorrect. Studies show that advanced persistent threat attacks render security controls in the organizations ineffective and impact company revenues.

As the APT attacks are usually concentrated highly on the confidential information about the victim company, there may be loss of contracts, projects, revenue and, most importantly, the reputation of the company.

Although the APT attacks are not so easy to identify, the theft can never go invisible. So for detecting or confirming whether your network has been a target of an APT attack, you need to observe few important things like-

  • Anomalies in out-bound data
  • Increase in elevated log-ons during a particular period of time
  • Finding widespread back-door Trojans in your network
  • Unexpected or unnecessary flow of information outside or into the network
  • Discovering unexpected data bundles or chunks of data at places where the data should not be
  • Detecting password cracking tools or the hash hacking tool in any of the systems connected to the network

Damage Caused by Spear Phishing

The damage caused by spear phishing attacks may range from denial of access to email accounts to substantial financial loss. When the spear phishing attacks are targeted at a single person, then such an attack may lead to loss of sensitive information or credentials, compromising the victim's system, installing malwares or virus-like key loggers, etc.

The primary reason for the success of spear phishing attacks is that users easily and continuously fall a prey to these phishing emails. Even the security researchers or security officials easily get affected by spear phishing emails.

Comparing Advance Persistent Threats and Spear Phishing

Spear phishing is a favored vector used by APT attackers to infiltrate into the target networks. APT attacks frequently make use of spear phishing tactics, as these are essential to get high ranked targets/people to open the phishing mails and fall a prey to these mails and launch the attack. Around 91% of the targeted attacks involve spear phishing.

Spear phishing makes the victim user open an email attachment or click on a link to make him download a malicious file, like malware or virus, or to make the victim visit a malicious site where the attacker can steal sensitive or confidential information related to the user. Whereas an APT attack compromises the complete network in the organization, thereby getting access to organizations confidential data, etc., a spear phishing attack, when not targeted, only affects one user's data or one user's machine. On the other hand, when there is an APT attack that is a targeted attack, it compromises the complete network of the organization and there is a huge loss of confidential data.

One can say that a spear phishing attack, when it needs to be performed on an individual, has to be performed every time, whereas an APT attack, once performed, allows the attacker to gain access to confidential data available in the hacked network or the data flowing in the hacked network for a long period of time until it gets detected by the security researchers in the organization.

Upon comparing the severity in performing the attack, we can say that the probability of performing a spear phishing attack on a normal target is more than the probability of performing a targeted APT attack on an employee present in the company network.

Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

To summarize what's worse between APT and spear phishing: APT attacks usually compromise the company networks using methods that also include spear phishing. Stealing company data is worse for the company but, on the other hand, losing his/her credentials or other sensitive data is worse for a single victim as well. To conclude, we can say that both the attacks cause equal damage to the target when performed separately. But spear phishing attacks may get even more worse when they are used to perform Advanced Persistent Threat attacks.


Poojitha Trivedi
Poojitha Trivedi

Poojitha is an information security researcher who is passionate about application and network security. She has around 3 years of experience in ethical hacking, Network security and vulnerability scanning of web applications. She can be reached at