APT Lifecycle: Initial Access to Persistence
Follow an APT from spear phishing initial access through C2 establishment, privilege escalation, and persistence mechanisms that survive reboots and reimaging.
What Is an Advanced Persistent Threat?
An Advanced Persistent Threat (APT) is a sophisticated, long-term intrusion campaign, typically run by nation-state actors or well-funded criminal groups with specific strategic objectives. The three defining characteristics are: Advanced, meaning the operators can draw on the full range of intrusion tradecraft, from custom malware and zero-day exploits down to commodity tools and built-in administrative utilities, and pick whatever is cheapest that still works; Persistent, meaning they maintain a covert presence for months or years and come back after being evicted, rather than running a smash-and-grab operation; Threat, meaning a coordinated, human-directed attack against a specific organization rather than opportunistic mass exploitation. Well-known APT groups include APT28 (Fancy Bear), attributed to Russia's GRU, APT41, attributed to China, and Lazarus Group, attributed to North Korea.
Initial Access: How APTs Get In
APT campaigns typically begin with one of a small number of proven initial access techniques. Spear phishing with weaponized attachments or credential-harvesting links (ATT&CK T1566) is the most common: the email appears to come from a trusted colleague or partner, often sent from a lookalike domain or a compromised legitimate mailbox, and asks the recipient to open a file or sign in to a portal. Supply chain compromise (T1195), as in SolarWinds/SUNBURST, inserts malicious code into trusted software updates so that the victim installs the implant themselves. Exploitation of internet-facing services (T1190), such as VPN appliances, Exchange servers and web applications, using unpatched CVEs gives the attacker a foothold with no user interaction at all. Watering hole attacks (T1189) compromise websites frequented by the target organization's employees and deliver drive-by exploits to visitors.
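The spear-phishing indicators described above (a lookalike sender, a credential-harvesting link, a weaponized attachment) can be turned into a first-pass triage check. The script below is an added example for this lesson, not code from the course: it parses a raw RFC 5322 message with only the Python standard library and reports a Reply-To domain that differs from the From domain, SPF/DKIM/DMARC failures stamped in Authentication-Results, attachment types commonly used to deliver macros or loaders, link text that shows one host while the href points to another, and hosts that embed the sender's domain as a decoy label. The sample message, the risky-extension list and the two-label domain heuristic are constructed assumptions for the demo.

```python
"""Triage a raw email for the spear-phishing indicators discussed above.
Added example, not course code. Standard library only; the sample message,
the risky-extension list and the two-label domain heuristic are assumptions."""
import os
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types commonly weaponized for initial access (assumed starter list).
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".iso", ".img", ".lnk",
                    ".js", ".vbs", ".hta", ".scr", ".exe", ".one"}

# Constructed sample: lookalike Reply-To, failed SPF/DMARC, a link whose visible
# text differs from its target, and a macro-enabled attachment.
SAMPLE_EMAIL = b"""\
From: "Alice Chen (Finance)" <alice.chen@contoso.com>
Reply-To: alice.chen@contoso-secure-login.com
Subject: Q3 invoice - action required
Authentication-Results: mx.contoso.com; spf=fail smtp.mailfrom=contoso.com; dkim=none; dmarc=fail header.from=contoso.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="http://contoso.com.account-verify.net/login">https://portal.contoso.com</a>
--b1
Content-Type: application/octet-stream; name="Q3_invoice.docm"
Content-Disposition: attachment; filename="Q3_invoice.docm"

--b1--
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate eTLD+1 as the last two labels (simplification: use the Public Suffix List in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw_message):
    """Return human-readable findings for one raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    # 1. A Reply-To in a different domain than From is how a lookalike sender
    #    captures the victim's replies.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = registrable_domain(from_addr.rpartition("@")[2])
    if reply_addr:
        reply_dom = registrable_domain(reply_addr.rpartition("@")[2])
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 2. SPF/DKIM/DMARC verdicts stamped by the receiving MTA.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|permerror)\b", auth):
            findings.append(f"{mech.upper()} failed according to Authentication-Results")
    # 3. Weaponized attachments, judged by extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
    # 4. Credential-harvesting links: visible URL text that does not match the
    #    real target, and hosts that embed the sender's domain as a decoy label.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            if not href_host:
                continue
            shown = re.match(r"https?://([^/\s]+)", text)
            if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
                findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
            if from_dom and from_dom in href_host and registrable_domain(href_host) != from_dom:
                findings.append(f"lookalike host {href_host} embeds sender domain {from_dom}")
    return findings
```

Run `triage(SAMPLE_EMAIL)` to see all five indicator classes fire on the constructed message; a plain-text mail from the same domain with passing authentication results produces no findings. None of these checks is proof of compromise on its own (legitimate mail uses Reply-To and external links all the time), so in practice the findings feed a scoring or sandboxing step rather than a block decision.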
All lessons in this course
- APT Lifecycle: Initial Access to Persistence
- Lateral Movement: Pass-the-Hash and Pass-the-Ticket
- Kerberoasting and Golden Ticket Attacks
- MITRE ATT&CK Framework for Detection and Response