Friday, January 23, 2026
PERSPECTIVES FROM THE CAMPUS
One of the strengths of Indiana is that we bring together a variety of perspectives from the many areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name "Perspectives from the Campus": we invite experts, immersed in the work of educating their students, to offer their knowledge toward cybersecurity solutions that benefit all Hoosiers.
In the latest installment of this series, David Dungan, executive director of the Center for Security Services and Cyber Defense at Anderson University, shares his perspective on Advanced Persistent Threats (APTs), discusses some of the tactics that the groups behind these threats may use in 2026, and offers some tips to help us avoid trouble.
By David Dungan
In the depths of the internet, organized groups of hackers wait for months, or even years, to launch strategic attacks. These groups are reshaping the modern battlefield because they wait for the most opportune moment to uncover secrets and strike critical infrastructure.
What are APTs?
Advanced Persistent Threats are groups that target high-value organizations (shown in the image from Microsoft Threat Intelligence 2024) with custom malware and advanced social engineering. Their tactics and techniques are constantly evolving, with the intention of sabotaging a multitude of networks while staying undetected for long periods. Although these groups are often backed by nation-state actors, such as Cozy Bear and Wicked Panda, they can also operate without sponsorship. The specific tactics they employ may differ, but they all follow a similar attack pattern, including:
- Reconnaissance
- Initial access
- Execution
- Privilege Escalation
- Data Exfiltration
As mentioned, nation-state actors are government-sponsored APTs whose attacks aim to achieve political, economic, and/or strategic goals. The countries from which the U.S. receives the most nation-state-backed cyberattacks include China, Russia, Iran, and North Korea. They are motivated by strategic aims such as espionage, sabotage, and disrupting critical infrastructure.
What APT groups and tactics are we going to see in 2026?
APT 29 (AKA Cozy Bear) is a threat group that has been closely linked with Russia's Foreign Intelligence Service and has been in operation since 2008. They often target the networks of NATO members or European countries. They are well known for the SolarWinds attack, which compromised multiple global victims, accounting for 50 million affected users in 2020.
Some of their known persistence techniques include:
- A compromised software supply chain, in which payloads are installed alongside legitimate updates to software packages
- Unsecured credentials and domain accounts
- Disabling of the Windows event log
- Lateral movement through Windows remote management
- Exfiltration of data to cloud storage
APT 41 (AKA Wicked Panda) is another prominent threat group, this one sponsored by China. Their operations are mainly aimed at financial gain. Active since 2012, they target various industries in 14 countries and employ a wide range of malware and tools to complete their missions. This group is well known for exploiting Google's red-teaming tool, attempting to adversely impact Google's command-and-control tool in order to facilitate sophisticated attacks on organizations globally.
Some of their known persistence techniques include:
- Scheduled Tasks
- Registry Run Keys
- Modification of Windows Services
- Bootkits
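The two lists above name the places a defender should look on a Windows host: Run keys, scheduled tasks, and services for APT 41's persistence, and the state of the event log service for APT 29's log tampering. The following read-only triage script is an added example written for this post; it is not code from the original article or from any tool the author mentions. It assumes PowerShell 5.1 or later on Windows 8/Server 2012 or newer (for the ScheduledTasks module) and an elevated session for the Secure Boot check; the "non-Microsoft" filtering heuristics are simplifications chosen for the example.

```powershell
# Added example (not from the original post): read-only triage of the persistence
# locations named above. Emits one object per finding for review; it changes nothing.

function Get-ExecutableFromCommandLine([string]$cmd) {
    # Pull the program path out of a service/task command line so it can be signature-checked.
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $null }
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted path: take everything up to the first ".exe" (tolerates spaces in the path).
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split ' ')[0]
}

function Get-SignatureStatus([string]$path) {
    # Authenticode status is a cheap first filter; unsigned or invalid binaries deserve a closer look.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return 'FileMissing' }
    return (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
}

function Get-RunKeyEntries {
    # Registry Run/RunOnce keys: programs launched at logon for the machine and the current user.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $item = Get-ItemProperty -Path $p
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $exe = Get-ExecutableFromCommandLine $prop.Value
            [PSCustomObject]@{ Source = 'RunKey'; Name = $prop.Name; Command = $prop.Value
                               Location = $p; Signature = Get-SignatureStatus $exe }
        }
    }
}

function Get-NonMicrosoftScheduledTasks {
    # Tasks outside the \Microsoft\ folder are the usual home of third-party and attacker-created jobs.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        foreach ($a in $_.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions carry no executable path
            $exe = Get-ExecutableFromCommandLine $a.Execute
            [PSCustomObject]@{ Source = 'ScheduledTask'; Name = $_.TaskName; Command = ("$($a.Execute) $($a.Arguments)").Trim()
                               Location = $_.TaskPath; Signature = Get-SignatureStatus $exe }
        }
    }
}

function Get-SuspectServices {
    # Services whose binary lives outside the Windows directory, with its signature status.
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ExecutableFromCommandLine $_.PathName
        if ($exe -and $exe -notlike "$env:SystemRoot\*") {
            [PSCustomObject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName
                               Location = "StartMode=$($_.StartMode); Account=$($_.StartName)"; Signature = Get-SignatureStatus $exe }
        }
    }
}

function Get-LoggingAndBootState {
    # Event log tampering (APT 29) and bootkit resistance (APT 41): report the platform state.
    $svc = Get-Service -Name EventLog
    $sec = Get-WinEvent -ListLog Security
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'Unavailable (legacy BIOS or not elevated)' }
    [PSCustomObject]@{
        EventLogService    = "$($svc.Status) / $($svc.StartType)"
        SecurityLogEnabled = $sec.IsEnabled
        SecurityLogRecords = $sec.RecordCount
        SecureBoot         = $secureBoot
    }
}

# Run everything and show the results; unsigned or missing binaries sort to the top for review.
$findings = @(Get-RunKeyEntries) + @(Get-NonMicrosoftScheduledTasks) + @(Get-SuspectServices)
$findings | Sort-Object Signature | Format-Table Source, Name, Signature, Command -AutoSize
Get-LoggingAndBootState | Format-List
```

A valid signature is not proof of safety (supply-chain compromises, as in the SolarWinds case described above, ship signed code), so the point of the script is to produce a reviewable inventory and a baseline: run it on a known-good build, save the output, and diff it periodically so that new Run-key entries, tasks, or services stand out. The event log and Secure Boot fields are worth alerting on directly, because a stopped EventLog service or a disabled Security log is rarely a legitimate configuration.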
How to stay safe
To protect against these threats, there are several steps you can take, including:
- Blocking IPs from certain regions by using firewalls
- Keeping systems up to date through security patches
- Applying the principle of least privilege to accounts and services that are vulnerable
- Implementing zero-trust network access for a network
- Using a VPN to protect transmitted data
- Segmenting the network to limit exposure
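As an added example of the first item in the list, the script below creates (or updates) a single inbound Windows Firewall block rule for a list of address ranges and then reads the rule back to verify what is actually in effect. It is not code from the original post; it assumes an elevated PowerShell session on Windows 8/Server 2012 or later (NetSecurity module), and the two address ranges are constructed placeholders taken from the documentation-only prefixes, not real threat data.

```powershell
# Added example (not from the original post): manage an inbound block rule for high-risk
# address ranges and verify the result. Run from an elevated PowerShell session.

# PLACEHOLDER ranges, constructed for this example (documentation-only prefixes).
# Replace with the ranges from your own threat-intelligence or geo-IP feed.
$BlockedRanges = @('192.0.2.0/24', '198.51.100.0/24')

function Set-RegionBlockRule {
    param(
        [string]$Name = 'Block-HighRisk-Inbound',   # hypothetical rule name for this example
        [Parameter(Mandatory)][string[]]$Ranges
    )
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) {
        # Update the address list in place instead of creating a duplicate rule.
        Set-NetFirewallRule -DisplayName $Name -RemoteAddress $Ranges
    } else {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Block `
            -Profile Any -RemoteAddress $Ranges -Enabled True | Out-Null
    }
    # Read the rule back: the address filter is stored separately from the rule object.
    $rule = Get-NetFirewallRule -DisplayName $Name
    $addr = $rule | Get-NetFirewallAddressFilter
    [PSCustomObject]@{
        Name          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Direction     = $rule.Direction
        Action        = $rule.Action
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
}

Set-RegionBlockRule -Ranges $BlockedRanges | Format-List
```

Region blocking is a coarse control: the APT groups described in this post routinely operate from infrastructure inside the countries they target, so treat the rule as one layer that reduces noise, not as a substitute for patching, least privilege, and segmentation. Keeping the address list in a file under version control and re-running the function on a schedule makes the rule auditable and keeps it from drifting out of date.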
It's safe to say that the threats associated with APTs are not going away, and new types of attacks are emerging daily. Fortunately, there is a wide range of no-cost cybersecurity services available through the Cybersecurity and Infrastructure Security Agency (CISA), the SANS Institute and the National Institute of Standards and Technology (NIST).
In addition to using these resources, it's vital, whether you're a small business owner, a local government agency or a non-profit organization, to proactively follow these best practices. In doing so, you'll be better able to protect your personal data and financial information, as well as safeguard your critical systems.
