An Advanced Persistent Threat (APT) is a long-running, well-resourced adversary — almost always state-sponsored or state-aligned — that targets specific organisations over months or years rather than going after volume.
Decoding the acronym
- Advanced — the group has access to custom tooling, zero-day exploits when a target justifies them, and the operational discipline to deploy them carefully. In practice the initial access is usually mundane (phishing, stolen credentials, an unpatched edge device); the advanced part is the resourcing, tradecraft and patience.
- Persistent — once inside, they stay. Dwell times measured in months or years are common in espionage intrusions, and losing one foothold usually means they come back through another.
- Threat — the group has objectives. They're not opportunistic; they're targeting you specifically.
How APTs differ from ransomware crews
Ransomware groups are loud. They want the encryption to fire and the leak site to fill up so the victim pays. APTs are quiet. They want to read your email for three years without anyone noticing. Same vocabulary — phishing, lateral movement, credential theft — but completely different objectives:
- Espionage — reading sensitive communications, exfiltrating intellectual property, mapping internal politics.
- Pre-positioning — placing implants in critical infrastructure for use during a future conflict.
- Disruption — the rare cases where they do want to be heard (wipers, ICS attacks).
The naming chaos
Every vendor names APTs differently. The same group might be called:
- APT28 by Mandiant
- Fancy Bear by CrowdStrike
- FROZENLAKE by Google TAG
- STRONTIUM, and in Microsoft's newer weather-themed taxonomy Forest Blizzard, by Microsoft
- Sofacy by Kaspersky
- Sednit by ESET, Pawn Storm by Trend Micro
MITRE ATT&CK records these under "Associated Groups" on each group's page (APT28 is G0007), but the naming inconsistency is a real friction in day-to-day work. Most CTI platforms normalise across naming schemes so a search for one name returns reporting that uses any of the others.
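One way a CTI platform does this normalisation, as an added example (not code from any platform or from MITRE): it reads a constructed bundle in the shape of an ATT&CK STIX 2.1 `intrusion-set` object, whose `aliases` field is where the vendor names live, keys every alias to the ATT&CK group ID, and then searches constructed report headlines for any alias of the queried group. The bundle contents, the report lines, the placeholder STIX IDs and the separator-tolerant matching rule (so "APT 28" and "apt-28" match "APT28" but "APT281" does not) are assumptions for illustration; the real alias lists are longer.

```python
"""Normalising APT aliases across vendor naming schemes (added example).

Builds an alias index from an ATT&CK-style intrusion-set bundle and searches
report text for any name a group goes by.
"""
import json
import re

# Constructed sample in the shape of an ATT&CK STIX 2.1 bundle. Alias lists are
# abbreviated to names used on this page plus a few well-known ones; the real
# G0007 and G0016 records carry more. The STIX IDs are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "intrusion-set",
            "id": "intrusion-set--00000000-0000-4000-8000-000000000002",
            "name": "APT28",
            "aliases": ["APT28", "Fancy Bear", "FROZENLAKE", "Forest Blizzard",
                        "Sofacy", "STRONTIUM"],
            "external_references": [{"source_name": "mitre-attack", "external_id": "G0007"}],
        },
        {
            "type": "intrusion-set",
            "id": "intrusion-set--00000000-0000-4000-8000-000000000003",
            "name": "APT29",
            "aliases": ["APT29", "Cozy Bear", "Midnight Blizzard", "NOBELIUM"],
            "external_references": [{"source_name": "mitre-attack", "external_id": "G0016"}],
        },
    ],
})

# Constructed report headlines in mixed vendor vocabulary (not real reporting).
REPORTS = [
    "Sofacy spear-phishing against a defence ministry",
    "Forest Blizzard credential harvesting via spoofed webmail portals",
    "Midnight Blizzard password-spray activity against cloud tenants",
    "Fancy Bear-linked infrastructure reused in a new campaign",
    "apt 28 phishing wave hits think tanks",
    "APT281 is a typo, not a group",
]


def canon(alias):
    """Collapse case and separators so 'APT 28', 'apt-28' and 'APT28' compare equal."""
    return re.sub(r"[^a-z0-9]", "", alias.lower())


def alias_pattern(alias):
    """Regex matching an alias in free text, tolerating spaces/hyphens between
    its letter and digit runs ('APT28' also matches 'apt 28' but not 'APT281')."""
    chunks = re.findall(r"[A-Za-z]+|\d+", alias)
    body = r"[\s\-_]*".join(re.escape(c) for c in chunks)
    return re.compile(rf"\b{body}\b", re.IGNORECASE)


def load_groups(bundle_json):
    """Return {attack_id: [aliases]} for every intrusion-set in the bundle."""
    groups = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "intrusion-set":
            continue
        attack_id = next(r["external_id"] for r in obj["external_references"]
                         if r["source_name"] == "mitre-attack")
        groups[attack_id] = [obj["name"], *obj.get("aliases", [])]
    return groups


def build_alias_index(groups):
    """Map canonicalised alias -> ATT&CK ID; refuse an alias claimed by two groups,
    because a silent collision would merge two actors' reporting."""
    index = {}
    for attack_id, aliases in groups.items():
        for alias in aliases:
            key = canon(alias)
            if index.get(key, attack_id) != attack_id:
                raise ValueError(f"{alias!r} claimed by both {index[key]} and {attack_id}")
            index[key] = attack_id
    return index


def resolve(index, name):
    """Vendor name -> ATT&CK ID, or None if the name is unknown."""
    return index.get(canon(name))


def search_reports(groups, index, query, reports):
    """Return the reports that mention the group `query` names, under any alias."""
    attack_id = resolve(index, query)
    if attack_id is None:
        return []
    patterns = [alias_pattern(a) for a in groups[attack_id]]
    return [r for r in reports if any(p.search(r) for p in patterns)]


if __name__ == "__main__":
    groups = load_groups(SAMPLE_BUNDLE)
    index = build_alias_index(groups)
    for hit in search_reports(groups, index, "Fancy Bear", REPORTS):
        print(f"{resolve(index, 'Fancy Bear')}: {hit}")
```

Querying "Fancy Bear" returns the Sofacy, Forest Blizzard, Fancy Bear and "apt 28" headlines and ignores the Midnight Blizzard one, which belongs to G0016. The collision check in `build_alias_index` matters in real data: vendor names occasionally overlap or get reassigned, and an alias table that quietly maps one name to the wrong group is worse than one that fails loudly.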
Common attribution buckets
- China-nexus — APT41, APT10, Mustang Panda, Volt Typhoon, Salt Typhoon.
- Russia-nexus — APT28, APT29, Sandworm, Turla.
- Iran-nexus — APT33, APT35, MuddyWater.
- North Korea-nexus — Lazarus, Kimsuky, APT37. Notably also conducts financially-motivated activity (cryptocurrency theft) alongside espionage.
Attribution is hard. Public CTI reporting typically assigns attribution "with moderate confidence" because hard attribution requires evidence most CTI shops never see. Treat attribution claims as probabilistic, not absolute — especially early ones, and any that rest on a single artefact such as a language string or compile-time timezone, both of which an adversary can plant as a false flag.
What CTI teams care about
Not every organisation is an APT target. Defence contractors, critical infrastructure, government, large finance, and high-IP tech firms are, and so are the managed service providers and software suppliers of those sectors, which APTs compromise to reach the customers behind them. If you're in one of those sectors, tracking the APTs known to target your sector — their TTPs, their preferred CVEs, their malware families — is table stakes. Threat hunting against APT TTPs, rather than against indicators alone, is how mature teams find dwelling adversaries: hashes and infrastructure rotate far faster than tradecraft does.