Advanced Persistent Threat (APT) groups are not typical cyber adversaries. Often nation-state sponsored, they operate with scale, sophistication, and patience. Their objectives extend well beyond financial gain – from espionage and intellectual property theft to preparing the ground for future disruption.
These campaigns are deliberate and are designed to evade detection and endure – often remaining in environments for months, or even years.
In recent years, we’ve seen a number of successful APT intrusions, and one element they have in common is that they rarely stay contained. A single point of compromise in widely used software can create exposure far beyond one organisation.
Weak identity controls or delayed patching in one organisation can become a shared vulnerability across an entire sector.
In 2017, Sandworm, a unit of Russian military intelligence, released NotPetya which masqueraded as ransomware but was engineered for disruption. That same year, WannaCry spread across 150 countries in 72 hours. The NHS alone faced significant losses and widespread disruption to the treatment of patients.
SolarWinds, in 2020, demonstrated how malicious code could be embedded in a routine update. It reached around 18,000 organisations, including US military agencies, and remained undetected for nine months.
More recent campaigns show what sustained access enables and what happens after the breach. Salt Typhoon reportedly remained inside US telecommunications networks for over three years, compromising critical infrastructure and sensitive data at scale across nine major carriers.
Industry reports support an upward trend in APT activity. According to the CrowdStrike 2026 Global Threat Report, China-nexus activity increased 38% in 2025, with DPRK-linked incidents rising more than 130%. Cloud-conscious intrusions from state-nexus actors rose 266% as adversaries shifted focus to cloud environments for intelligence collection. AI-enabled adversaries also increased their activity by 89% year-over-year, with nation-state actors using LLM-enabled malware to automate reconnaissance and evasion.
APT attacks begin with reconnaissance by mapping exposed assets and identifying points of entry. Edge technologies such as VPNs, gateways, and firewalls are common targets, particularly where monitoring is limited.
From there, attackers move to credential theft and identity abuse, blending into legitimate activity to move laterally across environments. Persistence is then established, ensuring access is retained even if initial footholds are detected.
Throughout this process, their advantage comes from stealth, adaptability, and the ability to exploit structural weaknesses in patching, identity governance, and software supply chain security.
This makes APT campaigns exceptionally difficult to defend against.
Against a capable, targeted APT actor, the likelihood of initial compromise is not the right thing to optimise for. Well-resourced, persistent actors will find a way in. It’s therefore critical to understand how bad it could get, and whether the organisation can absorb it.
This is where most traditional approaches to cyber risk will struggle. Threat intelligence can describe attacker behaviour, and mapping your controls against known attacker techniques can show where your defences would and would not catch an attack. Neither tells leadership what the financial and operational consequences of a successful campaign actually are, nor does either support decisions about where investment will have the most material impact on outcomes.
This is where cyber risk quantification (CRQ) becomes valuable. By modelling the range of potential losses across realistic attack scenarios, from a contained intrusion through to full operational disruption, CRQ gives organisations a basis for three key decisions:
For APT specifically, the third question is especially important. An actor with nation-state backing and long-term objectives doesn’t need to cause immediate financial damage to cause severe harm. Operational disruption can stretch over weeks. Systems that were compromised months earlier have to be forensically assured before they can be trusted again. Regulatory reporting, legal counsel, and board-level assurance further add to the accumulating costs. Organisations that have modelled this in advance are materially better placed to respond, because they already know what they’re dealing with and what it’s worth fixing.
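To make the scenario modelling described above concrete, the following is an added example (not the page's own model or any vendor's methodology) of a minimal Monte Carlo cyber risk quantification. It simulates a ladder of APT scenarios from a contained intrusion through to full operational disruption, with event frequency drawn from a Poisson distribution and single-event loss from a lognormal fitted to an assumed 5th/95th percentile range, then reports expected annual loss, tail percentiles and a loss-exceedance curve. Every scenario name, frequency and loss figure is a constructed assumption chosen for illustration, not a figure from any report.

```python
"""Minimal Monte Carlo cyber risk quantification for APT scenarios (added example).

All inputs below are constructed assumptions for demonstration only.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # assumed expected events per year (Poisson rate)
    loss_low: float          # assumed 5th-percentile single-event loss (GBP)
    loss_high: float         # assumed 95th-percentile single-event loss (GBP)


# Constructed scenario ladder: contained intrusion through to full disruption.
SCENARIOS = [
    Scenario("contained intrusion on an edge device, detected early", 0.50, 50_000, 500_000),
    Scenario("credential abuse with lateral movement", 0.20, 250_000, 3_000_000),
    Scenario("long-dwell compromise: forensic rebuild, regulatory and legal cost", 0.05, 2_000_000, 20_000_000),
    Scenario("full operational disruption stretching over weeks", 0.02, 10_000_000, 80_000_000),
]


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Fit a lognormal so that low/high land on the 5th and 95th percentiles."""
    z95 = 1.6448536  # standard-normal z-score at the 95th percentile
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z95)
    return mu, sigma


def single_event_median(low: float, high: float) -> float:
    """Median single-event loss implied by the fitted lognormal (exp(mu))."""
    return math.exp(lognormal_params(low, high)[0])


def poisson(rng: random.Random, lam: float) -> int:
    """Draw a Poisson count (Knuth's method; adequate for the small rates used here)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, years: int = 20_000, seed: int = 7) -> list[float]:
    """Simulate `years` independent years; each year sums the losses of every event that occurs."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    fitted = [(s, *lognormal_params(s.loss_low, s.loss_high)) for s in scenarios]
    totals = []
    for _ in range(years):
        total = 0.0
        for s, mu, sigma in fitted:
            for _ in range(poisson(rng, s.annual_frequency)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def summarise(totals: list[float]) -> dict:
    """Expected annual loss, tail percentiles and the chance of any loss in a year."""
    ordered = sorted(totals)
    n = len(ordered)

    def pct(p: float) -> float:
        return ordered[min(n - 1, int(p * n))]

    return {
        "expected_annual_loss": statistics.fmean(totals),
        "p50": pct(0.50),
        "p95": pct(0.95),
        "p99": pct(0.99),
        "prob_any_loss": sum(1 for t in totals if t > 0) / n,
    }


def loss_exceedance(totals: list[float], thresholds) -> dict:
    """Probability that annual loss meets or exceeds each threshold (loss-exceedance curve)."""
    n = len(totals)
    return {t: sum(1 for x in totals if x >= t) / n for t in thresholds}


if __name__ == "__main__":
    annual = simulate_annual_losses(SCENARIOS)
    for key, value in summarise(annual).items():
        print(f"{key:>22}: {value:,.2f}")
    for threshold, prob in loss_exceedance(annual, [1e6, 1e7, 5e7]).items():
        print(f"P(annual loss >= {threshold:>12,.0f}) = {prob:.3f}")
```

The percentile outputs are what feeds the "how bad could it get" question: the p95 and p99 figures describe the tail an organisation must be able to absorb, while the exceedance curve shows how that tail moves when a scenario's frequency or loss range is changed, which is the basis for comparing investments.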
APT activity will continue to target critical organisations, infrastructure, and governments. Like other elements of cyber risk, the threat is also not static. AI-enabled automation of reconnaissance and lateral movement is already accelerating the pace at which campaigns develop, compressing the window between initial access and material impact.
Organisations that have already mapped their exposure and understand their worst-case scenarios are in a fundamentally different position when an incident occurs. They know what’s at stake, where the critical decisions are, and what response looks like before the pressure is on. That preparation is itself a risk management outcome.
Come and visit us at booth F112 at Infosec to see how organisations are using CRQ to understand the real impact of advanced threats – and prioritise investment accordingly.