In a previous article I explained what an APT looked like. Most organisations I talk to believe they are not likely to be a target of an APT, the logic being that they have nothing of interest that a foreign government would need.
It is true certain organisations are more likely to be targeted by a foreign government, other government organisations for example, organisations that make up part of the critical national infrastructure, that would include most banks, oil and energy companies, broadcasters or power generating organisations, however there are a bunch of other organisations that are of interest to nefarious groups.
If for example you were a fast growing country that needed new infrastructure and didn’t have the required knowledge to build new planes, trains, ships, roads or buildings, you might go to your private sector and ask them to build it for you. The problem is, if your private sector also lacks those skills, abilities and technology they would have to acquire them from somewhere. You could buy established organisations, as long as the target organisation was not seen as being strategic asset to another country, I could not imagine France or the UK being in a hurry to sell British Aerospace (BAE) to China for example.
You could buy the technology from the experienced organisations, again if it is strategic knowledge and a foreign government owned asset that could be difficult. Then there is the option to steal it.
If you need to steal it, you likely have a good knowledge of who has the technology, you just need to target that organisation OR that organisations supply chain.
Recent examples of targeted attacks include compromising third parties that work with or interact with the target organisation, for example a media news company had their website compromised via a zero day attack against their web servers, because members of a certain financial organisation were known to frequently visit the news website.The exploit code was downloaded to all of the website visitors including a number of users within the target organisation.
Another example was a System Integrator that was compromised specifically because they had consultants that worked at a train manufacturer, which was the ultimate target organisation.
So are you a target of nefarious group that is attacking you? Well if you are an organisation or part of the supply chain with an organisation that has expertise in finance, aerospace, energy, engineering, shipping, military research, defence, infrastructure or a leader in unique manufacturing or research, then YES.