Advanced persistent threats (APTs) don’t crash into networks with noise – they slip in silently, lie in wait, and stay there for months or even years. Their goal isn’t quick disruption or petty theft, but prolonged, covert access that allows them to spy, steal, and sabotage at a strategic level.

By Doros Hadjizenonos, regional director at Fortinet South Africa

South African organisations – especially in the public sector and essential services – are particularly exposed. With cybercrime on the rise and legacy systems still widespread, these hidden adversaries are finding it increasingly easy to bypass traditional security measures and remain undetected until serious damage is done.

South Africa consistently ranks among the most targeted countries in the world for cybercrime. According to Interpol’s 2024 Cyberthreat Assessment, the country remains in the global top five.

This persistent threat landscape creates fertile ground for APT groups, which often pursue strategic, high-value targets – from accessing confidential research and disrupting operations to extracting intellectual property for financial gain.


Understanding the quiet threat

APTs typically begin with spear-phishing or credential theft to gain a foothold. From there, they operate under the radar – mimicking normal network traffic or embedding malicious code into legitimate system processes. These “low-noise” intrusions exploit stolen credentials, use minimal network activity, and employ lateral movement tactics to mask their presence. Encryption, custom malware, and even code rewriting can further obscure their behaviour.

Sectors such as healthcare, education, and local government are particularly exposed. These institutions often rely on outdated systems, face budgetary and staffing constraints, and store large volumes of sensitive data. Fortinet research indicates that state and local governments, in particular, struggle with fragmented security systems and skills shortages – a vulnerability APT groups are increasingly exploiting.


Why traditional defences fall short

Many organisations still rely on perimeter-based defences like firewalls and antivirus tools – expecting them to suffice. But when attackers already have valid credentials or use obfuscation techniques, those defences can be bypassed without setting off alerts.

The threat landscape is evolving rapidly. Fortinet’s 2025 Global Threat Landscape Report notes that the time between vulnerability discovery and exploitation is shrinking, driven by automated scanning and AI-enabled attack tools. This leaves little room for error or delayed response.

Credential theft has also surged – becoming the currency of cybercrime. In 2024 alone, over 100 billion compromised records were found on darknet marketplaces, a staggering 42% increase from the previous year. With these credentials in hand, attackers can purchase access via Initial Access Brokers and infiltrate networks without even needing to hack them.


A defence strategy that’s proactive and layered

Reactive security models no longer suffice. What’s needed is a proactive, continuous, and layered approach – best exemplified by Continuous Threat Exposure Management (CTEM). CTEM is a holistic methodology that continuously evaluates, tests, and reduces risk across an organisation’s entire attack surface.

It involves:

• Ongoing monitoring of external and internal attack surfaces.
• Identifying exposed assets, misconfigurations, and shadow IT.
• Monitoring leaked credentials and dark web activity.
• Prioritising vulnerabilities for remediation based on real-world risk.
• Running simulations to test readiness and response.

Crucially, advanced threat intelligence is what powers this approach.

A Zero Trust security model is also essential. By assuming no user or device is inherently trustworthy, it limits lateral movement – a hallmark of APT behaviour.

Even the most robust security stack must be underpinned by informed and vigilant users. Since APTs frequently exploit human behaviour, especially through targeted spear-phishing, employee awareness training plays a critical role in early-stage defence.


The cost of delay

The longer an APT remains embedded in a network, the greater the damage it can cause – from surveillance and data theft to infrastructure sabotage. But these actors do leave traces. With the right tools and intelligence, their behavioural footprints can be detected and disrupted.
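As an added illustration (not part of the original article), the script below shows one such behavioural footprint: an account that fans out to many distinct hosts within a short window, the lateral-movement pattern that valid stolen credentials produce and that perimeter tools do not flag. It runs over a constructed set of authentication events; the window size, threshold, hostnames and account names are all assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real data):
# timestamp, account, source host, destination host, result.
SAMPLE_LOG = """\
2024-03-04T09:00:12 svc-backup WS-104 FS-01 success
2024-03-04T09:01:40 svc-backup WS-104 FS-02 success
2024-03-04T09:02:05 svc-backup WS-104 DC-01 success
2024-03-04T09:03:30 svc-backup WS-104 SQL-07 success
2024-03-04T09:04:10 svc-backup WS-104 HR-APP success
2024-03-04T09:10:00 j.moyo WS-221 FS-01 success
2024-03-04T14:30:00 j.moyo WS-221 MAIL-01 success
2024-03-04T15:00:00 a.naidoo WS-090 FS-01 failure
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_HOSTS = 4                    # assumed distinct-host threshold per window


def parse_events(text):
    """Parse whitespace-separated event lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, result = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst, result))
    return sorted(events, key=lambda e: e[0])


def find_fan_out(events, window=WINDOW, max_hosts=MAX_HOSTS):
    """Flag accounts that reach more than `max_hosts` distinct destinations
    within `window`. Only successful logons count: a valid credential in the
    wrong hands produces successes, not the failures a brute-force would."""
    per_account = defaultdict(list)
    for ts, account, src, dst, result in events:
        if result == "success":
            per_account[account].append((ts, dst))
    findings = []
    for account, logons in per_account.items():
        start = 0
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1  # slide the window forward in time
            hosts = {dst for _, dst in logons[start:end + 1]}
            if len(hosts) > max_hosts:
                findings.append((account, logons[start][0], sorted(hosts)))
                break  # one finding per account is enough to raise
    return findings


if __name__ == "__main__":
    for account, first_seen, hosts in find_fan_out(parse_events(SAMPLE_LOG)):
        print(f"{account} reached {len(hosts)} hosts from {first_seen}: {hosts}")
```

A normal user touching a file server in the morning and mail in the afternoon stays below the threshold, while the service account sweeping five hosts in four minutes is raised for investigation.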

In a threat landscape where silent, strategic intrusions are becoming the norm, it’s no longer enough to guard the gate. Organisations must assume the adversary is already inside – and prepare to detect, contain, and expel them before it’s too late.