From Concealment to Exposure: Understanding the Lifecycle and Infrastructure of APT Domains
Athanasios Avgetidis, Aaron Faulkenberry, Vinny Adjibi, Tillson Galloway, Panagiotis Kintis, Omar Alrawi, Zane Ma, Fabian Monrose, Angelos D. Keromytis, Roberto Perdisci, and Manos Antonakakis
International Symposium on Research in Attacks, Intrusions and Defenses (RAID) 2025
Advanced Persistent Threats (APTs) are sophisticated and long-lived attacks that are often backed by nation-states. Despite the security community’s efforts to design and deploy specialized systems to combat them, APTs have remained prevalent while persisting undetected for significantly more time than commodity cyber threats. In this paper, we measure this difference by conducting the first longitudinal analysis of APT infrastructure, shedding light on the lifecycle of their domain names. To enable this study, we build Atropos, a novel measurement methodology that automatically and accurately labels DNS records of APT domain names, enabling us to understand their lifecycle and gain a more comprehensive and contextualized infrastructure picture than the one shared in public reports. Using the comprehensive infrastructure view that Atropos provides, we study 405 APT actors over a period spanning a decade and unveil several novel findings regarding their utilization of network infrastructure that have practical implications.
We find that APT actors provision their IPs to their domain names 317 days on average before an attack is publicly reported. Furthermore, 73.6% of the APT IPs that are part of the attack infrastructure no longer point to their domains at the time of first public disclosure, highlighting that researchers and security practitioners need to consider historic DNS data in order to get a more comprehensive and accurate picture when training network detection, investigation, or attribution systems. Organizations that are more sensitive to APT attacks will need to retain network logs for at least 19 to 25 months in order to have higher probabilities of discovering whether they have been a target of an APT attack. Finally, we provide evidence that APT actors re-use hosting providers, deploy APT network infrastructure close to their intended attack targets, and increasingly use cloud fronting. These findings are important because they can guide future threat detection and attribution works.
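The abstract's practical point is that a live lookup of a reported domain on disclosure day misses most of the IPs it historically resolved to, so detection and retrospective hunting must be driven by passive-DNS history. The following Python is an added illustration of that workflow and is not code from the paper or from Atropos: it takes a constructed set of passive-DNS resolution intervals for a placeholder domain and an assumed disclosure date, then computes the per-IP provisioning lead time, which IPs a same-day lookup would still return, the fraction that had already gone stale, how far back logs must reach to cover the earliest IP, and a tagged IoC set suitable for retrospective log matching. The domain, IPs (RFC 5737 documentation ranges) and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    """One passive-DNS interval: `domain` resolved to `ip` from first_seen through last_seen."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample history for one hypothetical reported domain (not real data).
DISCLOSURE = date(2024, 6, 1)  # assumed date the public report first named the domain
RECORDS = [
    PdnsRecord("reported-domain.example", "192.0.2.10", date(2023, 6, 1), date(2023, 12, 15)),
    PdnsRecord("reported-domain.example", "192.0.2.20", date(2023, 10, 1), date(2024, 3, 1)),
    PdnsRecord("reported-domain.example", "198.51.100.5", date(2024, 2, 1), date(2024, 7, 10)),
    PdnsRecord("reported-domain.example", "203.0.113.7", date(2024, 6, 20), date(2024, 9, 1)),
]


def pre_disclosure(records, disclosure):
    """IPs attached to the domain on or before disclosure: the infrastructure in play when the report landed."""
    return [r for r in records if r.first_seen <= disclosure]


def lead_days(records, disclosure):
    """Days each pre-disclosure IP had been provisioned before the report, keyed by IP."""
    return {r.ip: (disclosure - r.first_seen).days for r in pre_disclosure(records, disclosure)}


def mean_lead_days(records, disclosure):
    leads = lead_days(records, disclosure)
    return sum(leads.values()) / len(leads)


def active_at(records, disclosure):
    """IPs a live DNS query (or a current-snapshot pDNS lookup) on disclosure day would still return."""
    return {r.ip for r in pre_disclosure(records, disclosure) if r.last_seen >= disclosure}


def stale_fraction(records, disclosure):
    """Share of the pre-disclosure infrastructure that no longer pointed at the domain at disclosure."""
    pre = pre_disclosure(records, disclosure)
    stale = [r for r in pre if r.last_seen < disclosure]
    return len(stale) / len(pre)


def retention_days_needed(records, disclosure):
    """How far back from disclosure network logs must reach to cover the earliest provisioned IP."""
    return max(lead_days(records, disclosure).values())


def classify_iocs(records, disclosure):
    """Enriched IoC set for retrospective hunting: every historic IP, tagged by its state at disclosure."""
    tagged = {}
    for r in records:
        if r.first_seen > disclosure:
            tagged[r.ip] = "post-disclosure"   # only useful going forward
        elif r.last_seen < disclosure:
            tagged[r.ip] = "stale"             # missed by a live lookup, found only via history
        else:
            tagged[r.ip] = "active"
    return tagged


if __name__ == "__main__":
    print("lead days per IP:", lead_days(RECORDS, DISCLOSURE))
    print("mean lead days:", round(mean_lead_days(RECORDS, DISCLOSURE), 1))
    print("active at disclosure:", sorted(active_at(RECORDS, DISCLOSURE)))
    print("stale fraction:", round(stale_fraction(RECORDS, DISCLOSURE), 3))
    print("log retention needed (days):", retention_days_needed(RECORDS, DISCLOSURE))
    print("tagged IoCs:", classify_iocs(RECORDS, DISCLOSURE))
```

On this constructed history a same-day lookup returns one IP while two of the three pre-disclosure IPs are already stale, which is the gap the paper quantifies at scale; the `stale` and `active` tags are the set to match against retained NetFlow or DNS logs, and `retention_days_needed` is the per-domain counterpart of the 19 to 25 month figure.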