I’m not sure if dwell times are over a year in these Middle East attacks, but this shows what a determined attacker can do and why you need a way of detecting lateral movement as these APT groups make their way around your network…:
[…] Researchers at Symantec say the attackers have been operating since July 2018 and appear to be a previously unidentified threat group, which Symantec has christened Tortoiseshell. The group infiltrated at least 11 organizations, mostly in Saudi Arabia and including large IT providers, employing both off-the-shelf tools and its own custom attack malware. And in two of the infected organizations, the attackers obtained domain-level administrative access, so the attackers had access to all machines on those networks.
The researchers say Tortoiseshell does not appear to be related to any existing groups in the Middle East. But one of its victim organizations was infiltrated via a backdoor associated with the Iranian nation-state group Oilrig (aka APT34). Even so, Symantec says there’s no confirmed connection that indicates Tortoiseshell is actually Oilrig.