How Advanced Persistent Threats Work: Long-Term Cyber Espionage Explained

A detailed breakdown of how Advanced Persistent Threats operate — from initial intrusion through months of silent reconnaissance to data exfiltration by nation-state actors.

The InfoNexus Editorial Team · May 17, 2026 · 9 min read

They Were Inside the Network for Months Before Anyone Noticed

When FireEye (now Mandiant) disclosed the SolarWinds supply chain compromise in December 2020, investigators determined that operators of Russia's Foreign Intelligence Service (SVR), tracked as APT29 or Cozy Bear, had held covert access to U.S. government networks, including the Treasury Department, the Department of Homeland Security, and parts of the Pentagon, for roughly nine months before discovery. They had read email, exfiltrated data, and monitored communications, and the campaign came to light only because FireEye investigated the theft of its own red-team tools, not because a victim's monitoring raised an alarm. This is what an Advanced Persistent Threat looks like in practice.

What Makes an APT Different From Ordinary Cybercrime

The term Advanced Persistent Threat was coined by the U.S. Air Force in 2006 to describe a category of cyber operations distinguished by three characteristics:

  • Advanced — sophisticated techniques including custom malware, zero-day exploits, and anti-forensic methods; well-resourced teams with operational security discipline
  • Persistent — the objective is long-term access, not quick financial gain; operators maintain presence for months or years
  • Threat — a coordinated, targeted campaign with specific objectives, typically nation-state sponsored or organized criminal groups operating at nation-state capability levels

Criminal ransomware groups prioritize speed and profit. APT operators prioritize stealth and information. They would rather remain undetected for two years collecting intelligence than be discovered after two weeks. This distinction shapes every tactical choice they make.

The APT Lifecycle: Seven Phases of an Operation

Phase | Activity | Duration
1. Reconnaissance | OSINT gathering, target profiling, infrastructure mapping | Weeks to months
2. Initial Access | Spear phishing, supply chain compromise, zero-day exploitation | Days to weeks
3. Establish Foothold | Deploy backdoor or implant; establish persistence mechanisms | Hours to days
4. Escalate Privileges | Credential theft; exploit local vulnerabilities for admin rights | Days to weeks
5. Internal Reconnaissance | Map network, enumerate systems, identify valuable data targets | Weeks to months
6. Lateral Movement | Move to additional systems using stolen credentials or exploitation | Ongoing
7. Data Exfiltration | Collect, compress, encrypt, and remove targeted data | Ongoing

Initial Access: How APTs Get In

Despite their sophistication, most APT intrusions begin through relatively straightforward initial access methods:

Spear phishing remains the most common vector. Microsoft has documented multiple APT29 campaigns against think tanks and NGOs in which each email was crafted with a contextually relevant subject line and a sender address spoofing a known contact. When the recipient opened the attachment or link, the lure delivered a custom remote access trojan.

Supply chain compromise — the SolarWinds method — involves injecting malicious code into a legitimate software update. When the vendor pushes the update, the malware installs through what looks like a routine, trusted process; the trojanized SolarWinds build even carried a valid SolarWinds code-signing signature, so signature checks passed. Up to 18,000 SolarWinds customers installed the compromised update; roughly 100 were then selected for hands-on exploitation.

Zero-day exploitation targets previously unknown software vulnerabilities. Nation-state actors maintain stockpiles of zero-day exploits, buying them from brokers and researchers or developing them internally. These are used selectively: burning a zero-day against a low-value target wastes an asset that might be needed against a harder one, and every use risks the vulnerability being caught and patched.

Establishing Persistence: Staying Invisible

After initial access, APT operators immediately establish mechanisms to maintain access even if the initial entry point is closed. Common persistence methods include:

  • Registry Run keys that launch the implant every time a user logs on
  • Scheduled tasks named and nested to look like built-in Windows maintenance jobs
  • DLL hijacking — placing a malicious DLL where a legitimate application will load it
  • Web shells dropped on internet-facing servers, giving the operator a command interface that rides on ordinary web traffic
  • Living off the land (LotL) — running built-in tools such as PowerShell, WMI, and PsExec instead of custom malware, so that execution and movement blend in with the administration activity defenders expect to see
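A triage script for the first two mechanisms in that list, added here as an illustration and not taken from the article. It runs two checks over Windows host telemetry: Sysmon Event ID 13 (registry value set) records whose target is a Run or RunOnce key, and Security Event ID 4698 (scheduled task created) records whose task XML runs a script host, hides its window, or points into a user-writable directory. The event records are constructed dicts that borrow the field names of those event schemas; the hosts, users, paths and task names are invented.

```python
"""Triage for the persistence mechanisms above: Run keys and scheduled tasks.

Added example, not code from the article. The events below are constructed dicts
shaped like Sysmon Event ID 13 (registry value set) and Windows Security Event ID
4698 (scheduled task created); field names follow those schemas, while the hosts,
users, paths and task names are invented for the demonstration.
"""
import re

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# Script hosts and proxy executables commonly used for living-off-the-land execution.
LOTL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
              "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Binaries whose names implants like to borrow; the legitimate copies live in System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def basename(path):
    """Last path component, lower-cased, with surrounding quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_run_key(ev):
    """Sysmon Event ID 13: a registry value was set. Returns a list of reasons or None."""
    if not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    target = ev["Details"].strip('"')
    reasons = []
    if USER_WRITABLE_RE.search(target):
        reasons.append("autorun target lives in a user-writable path")
    if USER_WRITABLE_RE.search(ev["Image"]):
        reasons.append("key written by a process running from a user-writable path")
    if basename(target) in SYSTEM_NAMES and not target.lower().startswith(SYSTEM32):
        reasons.append(f"{basename(target)} outside System32 (name masquerading)")
    return reasons or None


def check_task(ev):
    """Security Event ID 4698: a scheduled task was created. TaskContent holds the task XML."""
    xml = ev["TaskContent"]
    cmd = re.search(r"<Command>(.*?)</Command>", xml, re.S)
    args = re.search(r"<Arguments>(.*?)</Arguments>", xml, re.S)
    cmd = cmd.group(1).strip() if cmd else ""
    args = args.group(1).strip() if args else ""
    reasons = []
    if basename(cmd) in LOTL_HOSTS:
        reasons.append(f"task runs script host {basename(cmd)}")
    if re.search(r"-(e|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden", args, re.I):
        reasons.append("hidden window or encoded command in arguments")
    if USER_WRITABLE_RE.search(cmd + " " + args):
        reasons.append("task references a user-writable path")
    # Nesting a new task under \Microsoft\Windows\ is how implants hide among built-ins.
    if reasons and ev["TaskName"].lower().startswith("\\microsoft\\windows\\"):
        reasons.append("task name mimics a built-in Windows task")
    return reasons or None


def triage(events):
    """Run both checks and return one finding per suspicious event."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            reasons, obj = check_run_key(ev), ev["TargetObject"]
        elif ev["EventID"] == 4698:
            reasons, obj = check_task(ev), ev["TaskName"]
        else:
            continue
        if reasons:
            findings.append({"host": ev["Computer"], "object": obj, "reasons": reasons})
    return findings


# Constructed telemetry: two benign events, two persistence attempts, one unrelated write.
EVENTS = [
    {"EventID": 13, "Computer": "ws-117", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" /tray"},
    {"EventID": 13, "Computer": "ws-117", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "TargetObject": "HKU\\S-1-5-21-1004\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveUpd",
     "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"},
    {"EventID": 13, "Computer": "ws-117", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 4698, "Computer": "srv-files-02", "SubjectUserName": "svc_backup",
     "TaskName": "\\Microsoft\\Windows\\WindowsUpdate\\Sync",
     "TaskContent": "<Task><Actions><Exec><Command>powershell.exe</Command>"
                    "<Arguments>-w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments>"
                    "</Exec></Actions></Task>"},
    {"EventID": 4698, "Computer": "srv-files-02", "SubjectUserName": "SYSTEM",
     "TaskName": "\\Vendor\\NightlyBackup",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Program Files\\Vendor\\backup.exe</Command>"
                    "<Arguments>--full</Arguments></Exec></Actions></Task>"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['host']}: {f['object']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The script flags the Run key written from a Temp directory that points at a fake svchost.exe in AppData, and the task hidden under \Microsoft\Windows\ that launches an encoded, hidden PowerShell command; the vendor installer's Run key and the vendor backup task pass. In production the user-writable path list and the set of script hosts need tuning to the fleet, and the same rules should be applied retrospectively across months of stored telemetry, since the initial write may predate the investigation by a long time.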

The SolarWinds implant, SUNBURST, hid its command-and-control traffic inside HTTPS requests shaped to look like the Orion Improvement Program telemetry the product normally sends. It used a domain-generation algorithm to build per-victim subdomains of its command-and-control domain, encoding the victim's internal domain name into each label so the operators could pick targets worth pursuing, and it waited 12 to 14 days after installation before doing anything at all, which defeats sandbox analysis that runs a sample for minutes. It also checked the host for security products and analysis tools and stood down if it found them.
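The DNS side of that behaviour leaves a measurable trace: one parent domain that keeps receiving queries for long, random-looking, never-repeated subdomains. The script below, added here as an illustration rather than taken from the article or from any SUNBURST analysis, profiles DNS query logs per parent domain and flags parents whose leftmost labels have the length and character entropy of generated data. The log lines are constructed (timestamp, querying host, record type, queried name), the domains are invented, and the parent-domain split assumes two labels; a production version should use a public-suffix-list lookup instead.

```python
"""Spot DGA-style beaconing in DNS query logs.

Added example, not code from the article. A SUNBURST-style implant encodes victim
data into freshly generated subdomains of one parent domain, so that parent
accumulates many long, high-entropy, never-repeating labels. The log lines are
constructed (timestamp, querying host, record type, queried name); the domains
are invented and the parent-domain split assumes two labels, which a production
version should replace with a public-suffix-list lookup.
"""
import math
from collections import defaultdict

DNS_LOG = """\
2020-06-14T10:21:03Z ws-117 A mail.corp.example
2020-06-14T10:21:09Z ws-117 A 7sbvaemscs0mc925tb99.appsync-api.eu-west-1.telemetry-sync.example
2020-06-14T10:22:41Z ws-203 A www.corp.example
2020-06-14T10:23:55Z ws-203 A r1bbcs0zvbjpcj6rf04k.appsync-api.eu-west-1.telemetry-sync.example
2020-06-14T10:24:12Z ws-117 A mail.corp.example
2020-06-14T10:25:30Z ws-117 A static.cdn-assets.example
2020-06-14T10:26:02Z ws-117 A mhdosoksaccf9sni9icf.appsync-api.us-east-2.telemetry-sync.example
2020-06-14T10:27:47Z ws-203 A sso.corp.example
2020-06-14T10:28:19Z ws-203 A gq1h856599gqh8f2k67h.appsync-api.us-east-2.telemetry-sync.example
2020-06-14T10:29:00Z ws-203 A static.cdn-assets.example
"""


def entropy(label):
    """Shannon entropy in bits per character; random base32 text scores well above 3."""
    n = len(label)
    if not n:
        return 0.0
    counts = (label.count(ch) for ch in set(label))
    return -sum(c / n * math.log2(c / n) for c in counts)


def parse(log):
    for line in log.splitlines():
        if line.strip() and not line.startswith("#"):
            ts, host, qtype, qname = line.split()
            yield ts, host, qtype, qname.lower().rstrip(".")


def profile(log):
    """Per parent domain: query count, distinct leftmost labels, querying hosts."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "hosts": set()})
    for _ts, host, _qtype, qname in parse(log):
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # a bare parent domain carries no generated label
        parent = ".".join(labels[-2:])  # assumption: no public suffix list
        s = stats[parent]
        s["queries"] += 1
        s["labels"].add(labels[0])
        s["hosts"].add(host)
    return stats


def flag(stats, min_unique=3, min_len=12, min_entropy=2.8):
    """Parents whose leftmost labels look generated rather than human-chosen."""
    out = []
    for parent, s in stats.items():
        labels = s["labels"]
        if len(labels) < min_unique:
            continue
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(entropy, labels)) / len(labels)
        if mean_len >= min_len and mean_ent >= min_entropy:
            out.append({
                "parent": parent,
                "unique_labels": len(labels),
                "mean_entropy": round(mean_ent, 2),
                # 1.0 means every query used a never-before-seen name
                "fresh_ratio": round(len(labels) / s["queries"], 2),
                "hosts": sorted(s["hosts"]),
            })
    return sorted(out, key=lambda r: -r["mean_entropy"])


if __name__ == "__main__":
    for hit in flag(profile(DNS_LOG)):
        print(hit)
```

On the constructed log only telemetry-sync.example is reported: four queries, four distinct 20-character labels, two querying hosts. CDN and SaaS providers also use hashed hostnames, so in practice the output is a ranking to be joined against a first-seen-domain list and passive DNS, not an alert on its own; the thresholds here are starting points, not tuned values.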

Lateral Movement and Privilege Escalation

Once inside a network, APT operators methodically expand access toward their objectives. They harvest credentials with tools like Mimikatz (which extracts plaintext passwords, NTLM hashes, and Kerberos tickets from Windows memory) and use them to authenticate to other systems as legitimate users. Pass-the-hash lets an operator authenticate with a stolen NTLM hash without ever knowing the password; Kerberoasting requests service tickets for accounts that have service principal names and cracks those tickets offline to recover the service accounts' passwords. Each compromised system yields new credentials and new vantage points for further exploration.

The objective is typically to reach Active Directory — the central authentication authority for Windows networks. Control of Active Directory means control of every domain-joined system. APT operators who achieve domain administrator privileges can create new accounts, access any system, and cover their tracks by clearing or manipulating logs.

Detection and Defense: What Actually Works

Defensive Measure | What It Addresses
Zero-trust architecture | Eliminates implicit trust; requires verification for every access request
Privileged access management (PAM) | Limits blast radius of credential compromise
Endpoint detection and response (EDR) | Behavioral detection catches LotL techniques
Network traffic analysis | Identifies unusual communication patterns to C2 infrastructure
Log centralization and SIEM | Enables retrospective analysis; APT activity may sit in logs for months before discovery
Supply chain security | Software composition analysis; signed updates with integrity verification

The global median dwell time — the period between an attacker's initial access and detection — fell from 24 days in 2020 to 10 days in 2023 according to Mandiant's M-Trends reports. That median is pulled down by ransomware, which announces itself, and says little about espionage: for nation-state operations against government and critical infrastructure, dwell times measured in months remain common. Detection still depends heavily on threat intelligence sharing and on anomaly detection that requires a baseline of normal behavior, a time-consuming prerequisite that many organizations have not yet completed.

Tags: technology, cybersecurity, APT, nation-state, espionage