However, an anonymous comment on one of the recent taosecurity posts brought up a point that I have not seen anyone else talk about. The comment stated:
Reading the Mandiant Report, we see:
The part I'd like to focus on is the last statement. The APT problem is not only the problem of those seen as the enemy of certain nation-states. It is the problem of everyone.
2.) Defense Contractors
4.) Fortune XXX acquiring a Chinese company
4.) A Law Firm involved in a Chinese civil litigation case
5.) A non-profit trying to spread "democracy and free enterprise in China" (maybe they could also do that in the USA).
Look, it doesn't take Arthur Conan Doyle to piece together the storyline here. This clearly isn't "everyone's problem". It's a problem for those that are seen as an enemy of certain nation-states.
If you read Mandiant's excellent report, you will see specific examples (the ones mentioned in the comment above) that are documented APT targets. Yes, these are what you would think of as nation-state attack targets.
However, I have personally seen the APT attack and compromise systems in networks which have no ties to that nation-state and which you would not consider enemies of that nation-state (or of any, for that matter). In these cases, the organizations were small- to medium-sized companies whose systems were compromised in order to be used as command and control systems for the APT's backdoors.
Of course, there are those who will say that this is the same technique that all attackers use: compromise less secure systems and use them as a go-between to attack other systems. And I will 100% agree with them on that! But that reinforces my point as well! No one is safe from attack by the APT, and therefore there is no reason why organizations should not take every reasonable precaution against these (or any) attackers and learn as much as they can.
Yes, there will be companies that use the term APT as a marketing tool. Yes, there will be those who say this is a limited threat affecting only some organizations (and to some extent I agree with that). But in the end, it is a real threat that exists, and any organization that does not perform the due diligence to at least learn about the potential threat will be at a disadvantage when it does get attacked; maybe not by the APT, but by the next threat.