Imagine a paratrooper landing silently behind enemy lines at night. His mission's success hinges on remaining undetected long enough to locate command centres and weapon stores. This, according to cybersecurity experts, is the perfect analogy for an Advanced Persistent Threat (APT) in the digital realm.
The Silent Digital Invasion: APTs Unmasked
This chilling reality of modern cyber warfare took centre stage at the seventh session of Hacked 2.0, a cyber awareness campaign by The Times of India in partnership with the National Forensic Sciences University (NFSU) in Ahmedabad. The session, titled ‘Unmasking Advanced Persistent Threats (APT and dark web marketplaces)’, was attended by a high-profile audience including chief secretary M K Das, Isro-Space Applications Centre director Nilesh Desai, senior bureaucrats, scientists from PRL, and officers of the Indian defence forces.
Sijesh Sreedhar, head of customer engineering at Google Cloud Security India and SAARC, explained that these are not random hackers but often government-funded cyber units linked to hostile states. Their objectives are sinister and strategic: long-term access to systems, intelligence gathering, and, when required, crippling sabotage. Their targets are the lifelines of a nation: power grids, telecom networks, defence installations, rail systems, nuclear plants, space research facilities, and large corporations.
Enter, Wait, and Strike: The 11-Day Window
Citing the 2024 Mandiant M-Trends report, Sreedhar revealed a critical metric: the average "dwell time" for an APT actor is now 11 days. This is the window between when hackers first breach defences and when they execute their damaging attack. During this period, they are far from idle. They meticulously map server networks, identify an organization's "crown jewels," and plan data extraction or attacks. For ransomware attacks, this window shrinks dramatically to just six days before data is encrypted for extortion.
Sreedhar highlighted a major shift in hacker tactics. While traditional software exploits saw a slight decline, attacks using stolen credentials surged from 10% to 16% in just one year. "Attackers have understood that instead of using a traditional mode of targeting an organization, it is much easier to hit it using stolen credentials," he said. Once inside with legitimate login details, the attacker becomes invisible, blending in as a trusted user and potentially causing far greater damage.
From Dark Web Leaks to Sophisticated Campaigns
Nilay Mistry, associate dean and head of the Centre for Excellence in Digital Forensics at NFSU, demonstrated how easily credentials are compromised. Using an NFSU-developed tool, he entered his phone number to instantly fetch his personal data leaked on the dark web. "This kind of data is now available on the dark web for free," he warned, underscoring the ease with which attacks can begin.
Backed by substantial funding from adversary nations, APT campaigns are highly sophisticated. Sreedhar pointed to groups like APT36, which focuses on defence, aerospace, and critical infrastructure. These actors conduct "dry runs" to find weak detection points and often launch their final attack during festivals or holidays when security teams are understaffed.
He detailed advanced methods: groups like UNC3569 use malicious code hidden within seemingly legitimate PDF or Word documents, while UNC3886 exploits "edge devices" like firewalls and VPNs where security logging is typically weaker. "You cannot stop every breach, but you can stop every breach from becoming a disaster," Sreedhar emphasized.
Building Defences: From Baselining to Beacon Hunting
The experts outlined a robust defence strategy. Sujit Patnaik, regional manager for the public sector at Google Cloud Security, introduced the concept of ‘baselining’—creating a security zero-point for an enterprise to manage threats effectively. Organizations must move beyond mere protection to a cycle of protection, detection, and remediation.
Key recommendations include focusing on attackers' Tactics, Techniques, and Procedures (TTPs) rather than just blocking IP addresses, hunting for signs of lateral movement or communication with attackers' servers, employing ethical hackers for simulated attacks, and accepting that breaches are inevitable while aiming to detect them within the critical 11-day dwell time.
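The "beacon hunting" recommended above can be illustrated with a small detector. The following is an added example, not code presented at the session or by Google Cloud Security: it reads a constructed log of outbound connections (timestamp, source host, destination) and flags source/destination pairs whose connection intervals are suspiciously regular, which is the classic signature of malware checking in with an attacker's server. The log format, host names and addresses are assumptions made up for this example; real environments would feed it proxy or firewall records instead.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connections: "<ISO timestamp> <source host> <destination>".
# ws-17 talks to 203.0.113.5:443 almost exactly once a minute (beacon-like);
# ws-22 talks to 198.51.100.7:443 at irregular, human-like intervals;
# ws-31 has too few connections to judge. All values are invented for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 203.0.113.5:443
2024-03-01T09:01:00 ws-17 203.0.113.5:443
2024-03-01T09:02:00 ws-17 203.0.113.5:443
2024-03-01T09:03:01 ws-17 203.0.113.5:443
2024-03-01T09:04:00 ws-17 203.0.113.5:443
2024-03-01T09:05:00 ws-17 203.0.113.5:443
2024-03-01T10:00:00 ws-22 198.51.100.7:443
2024-03-01T10:00:15 ws-22 198.51.100.7:443
2024-03-01T10:06:40 ws-22 198.51.100.7:443
2024-03-01T10:07:10 ws-22 198.51.100.7:443
2024-03-01T10:15:00 ws-22 198.51.100.7:443
2024-03-01T11:00:00 ws-31 192.0.2.9:443
2024-03-01T11:30:00 ws-31 192.0.2.9:443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps):
    """Return interval statistics for one pair, or None if too few events.

    cv is the coefficient of variation of the gaps between connections:
    values near 0 mean the connections arrive on a fixed schedule.
    """
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return {"count": len(ts), "mean_gap": avg, "cv": pstdev(gaps) / avg}


def find_beacons(events, max_cv=0.1):
    """List (source, destination, stats) for pairs whose timing is regular enough to review."""
    hits = []
    for (src, dst), stamps in events.items():
        stats = beacon_score(stamps)
        if stats is not None and stats["cv"] <= max_cv:
            hits.append((src, dst, stats))
    return hits


if __name__ == "__main__":
    for src, dst, stats in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {stats['count']} connections, "
              f"every {stats['mean_gap']:.0f}s (cv={stats['cv']:.3f})")
```

A low coefficient of variation is a lead, not a verdict: software updaters and monitoring agents also poll on fixed schedules, so a hit should be checked against the baseline of known-good destinations before anyone treats it as command-and-control traffic.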
Your Personal Cyber Shastra: Daily Phone Safety
The session also provided actionable personal security advice. A simple yet powerful tip: switch off your mobile phone for five minutes daily. This restart flushes out sophisticated malware that resides in temporary memory (RAM). For iPhone users, Mistry recommended disabling iMessage and FaceTime if unused, as they can be exploit vectors, and using the ‘Lockdown Mode’ if targeted. Tools like iVerify or MiSecure can scan phone logs for suspicious data leaks.
The overarching message from Hacked 2.0 was clear: in an era where digital paratroopers are constantly attempting landings, vigilance, advanced threat detection, and proactive personal hygiene are the best defences for both nations and individuals.