For years, cyberespionage campaigns have relied on well-known techniques, from phishing to exploiting email servers. However, APT (Advanced Persistent Threat) groups have begun to change the way they operate. New research points to a quiet shift toward a much more sensitive target: corporate databases. This shift is reshaping the cybercrime map and poses an urgent challenge to enterprise defense strategies.
The transformation is not a passing tactical fashion. Experts agree that the hardening of corporate mailboxes (more effective filters, multi-factor authentication and awareness campaigns) has increased the cost and difficulty of traditional attacks. Databases, on the other hand, which store high-value structured information such as customer lists, financial records or internal documentation, tend to take a back seat in cybersecurity policies.
The appeal of structured information
The interest of APT groups in databases is explained, in part, by the richness and organization of the information they contain. Unlike email, where data is often dispersed and contextual, a database concentrates a company's most valuable knowledge in a format that is easy to query and exfiltrate.
In this sense, Palo Alto Networks analysts have detected that several groups of Asian and Eastern European origin are adapting their tools to directly access these environments. According to their latest reports, “attackers are automating connection, extraction and deletion processes on database servers, with the aim of maintaining persistence without being detected.”
Operations of this kind are carried out remotely, using scripts and legitimate administration mechanisms, which makes them harder for traditional security solutions to detect. "We are no longer talking about phishing or fake emails, but rather SQL queries designed to steal information with surgical precision," warns one of the Unit 42 team researchers.
AI has become the key to detecting APT attacks before they compromise corporate databases
Phantom Taurus: the example
The tactical turn of APT groups toward databases reflects not only a technological adaptation but also a strategic evolution. Government agencies, telecommunications companies and financial entities are among the main targets of these attacks, whose purpose goes beyond immediate economic gain. In many cases the motivation is geopolitical: accessing data that offers competitive or diplomatic advantages.
The most recent example, documented by Unit 42 under the name Phantom Taurus, showed how a cyberespionage group modified its techniques in 2024, shifting from compromising Exchange mail servers to targeting Microsoft SQL Server systems. Their method relied on stolen administrator credentials and automated queries that extracted logs into CSV files. The entire process ran without direct human intervention, evidencing a leap in operational maturity.
AI, key in early detection
Artificial intelligence has become the main ally to counteract these types of advanced attacks. Machine learning-based systems make it possible to identify anomalous behavior, correlate traffic patterns, and detect suspicious queries before data is exfiltrated. Platforms such as Cortex XDR or XSIAM, both developed by Palo Alto Networks, already integrate models capable of recognizing activities that deviate from the usual behavior of users or administrators.
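The behaviours described above (a privileged login used from an unfamiliar host, scripted queries issued in rapid succession, and bulk result sets pulled out in one go) are exactly the "deviation from the usual behaviour of administrators" that a baseline model looks for. The following is an added, rule-based illustration of that idea; it is not code from the article, from Unit 42 or from Cortex XDR/XSIAM, and it stands in for a trained model with fixed thresholds. The audit-record layout, the baseline hosts, the thresholds and all sample records are constructed for the example.

```python
"""Baseline-deviation checks over SQL Server style audit records (added example).

Every field name, threshold and sample record here is constructed; a real
deployment would read the records from the server's audit log and learn the
baseline from historical data rather than hard-coding it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, login, client host, statement, rows returned)
SAMPLE_AUDIT = [
    ("2024-05-03T09:14:02", "svc_reporting", "10.0.5.12", "SELECT TOP 50 * FROM dbo.Orders", 50),
    ("2024-05-03T09:20:45", "dba_admin", "10.0.1.4", "SELECT name FROM sys.databases", 6),
    ("2024-05-03T02:31:00", "dba_admin", "203.0.113.77", "SELECT * FROM dbo.Customers", 184_230),
    ("2024-05-03T02:31:03", "dba_admin", "203.0.113.77", "SELECT * FROM dbo.Invoices", 96_412),
    ("2024-05-03T02:31:05", "dba_admin", "203.0.113.77", "SELECT * FROM dbo.Contracts", 12_870),
    ("2024-05-03T02:31:08", "dba_admin", "203.0.113.77", "SELECT * FROM dbo.Employees", 4_102),
]

# Constructed baseline: hosts each privileged login normally connects from,
# and the hours during which interactive administration is expected.
BASELINE_HOSTS = {"dba_admin": {"10.0.1.4", "10.0.1.5"}}
WORK_HOURS = range(7, 20)          # 07:00 to 19:59 local time
ROWS_THRESHOLD = 10_000            # a single statement returning more rows than this
BURST_WINDOW = timedelta(seconds=30)
BURST_COUNT = 4                    # this many statements from one login/host inside the window


def parse(record):
    """Turn one constructed audit tuple into a dict with a real datetime."""
    ts, login, host, stmt, rows = record
    return {"ts": datetime.fromisoformat(ts), "login": login,
            "host": host, "stmt": stmt, "rows": rows}


def score_events(records):
    """Return one finding per audit record that deviates from the baseline.

    Signals: off_baseline_host, off_hours, bulk_rows, burst.  A record with no
    signal produces no finding, so routine administration stays quiet.
    """
    events = sorted((parse(r) for r in records), key=lambda e: e["ts"])
    findings = []
    recent = defaultdict(list)  # (login, host) -> timestamps inside the burst window
    for e in events:
        key = (e["login"], e["host"])
        signals = []
        known_hosts = BASELINE_HOSTS.get(e["login"])
        if known_hosts is not None and e["host"] not in known_hosts:
            signals.append("off_baseline_host")
        if e["ts"].hour not in WORK_HOURS:
            signals.append("off_hours")
        if e["rows"] > ROWS_THRESHOLD:
            signals.append("bulk_rows")
        window = recent[key]
        window.append(e["ts"])
        # keep only statements that fall inside the sliding window
        window[:] = [t for t in window if e["ts"] - t <= BURST_WINDOW]
        if len(window) >= BURST_COUNT:
            signals.append("burst")
        if signals:
            findings.append({"ts": e["ts"].isoformat(), "login": e["login"],
                             "host": e["host"], "stmt": e["stmt"], "signals": signals})
    return findings


def summarize(findings):
    """Group findings per login/host so an analyst sees one pattern, not N alerts."""
    summary = {}
    for f in findings:
        entry = summary.setdefault((f["login"], f["host"]), {"events": 0, "signals": set()})
        entry["events"] += 1
        entry["signals"].update(f["signals"])
    return {k: {"events": v["events"], "signals": sorted(v["signals"])} for k, v in summary.items()}


if __name__ == "__main__":
    for (login, host), info in summarize(score_events(SAMPLE_AUDIT)).items():
        print(f"{login}@{host}: {info['events']} flagged statements, signals={info['signals']}")
```

The point of the example is the combination: any one of these signals on its own is noisy (an administrator working late, a legitimate export), but a privileged account issuing several bulk extractions in seconds from a host it has never used before is the shape of the automated, credential-driven access the article describes, and it is a pattern that statistical or ML baselines learn rather than hard-code.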
AI is also helping to redefine incident response. Thanks to automated analysis, security teams can prioritize critical alerts and react in real time, reducing attackers' room for action. In the words of a spokesperson for the sector, "AI not only detects threats, but also allows us to anticipate them, and that completely changes the defensive approach."
