Advanced Persistent Threat

Advanced Persistent Threats

Targeted cyber attacks against government and commerce have been on-going for years. These attacks are today known as advanced persistent threats (APT), and are a major element of the cyber threat.

Advanced Persistent Threats are not a new problem – they are quite simply espionage. These attacks are designed to steal information that will fulfil a clear set of requirements set by the attacker and furnish them with political, commercial and security/intelligence information. These requirements are carefully and clearly identified, shared with government departments and constantly updated. There is clear evidence of worldwide targeting.

Motives

Advanced Persistent ThreatAPT attacks are neither random nor speculative – these attacks happen for a reason. Motives vary widely depending on the attacker and the target, but the data at risk usually falls into three categories:

  1. Communications data (emails) between key individuals in the company, usually at Board level.
  2. Intellectual Property (IP).
  3. Documents related to strategy, negotiations or disputes, particularly those directly concerning the ‘sponsor’ of the attack.

The motive for APT attacks is the same as any act of espionage: gaining an advantage. Whether the advantage is military, political, commercial, economic or intelligence, the sponsor of the attack is seeking to use the information gathered to lead to a chosen goal.

Malware

Internet identity theftThe malware used in APT attacks is usually relatively unsophisticated. Attackers tend to use malware which is good enough for the task at hand. The main reasons for this are:

  • Publicly available malware which is  offers a higher degree of deniability given that anyone could use it. It may throw investigators off the scent of a state level attacker.
  • Hackers use a tool which is as effective as it needs to be to get the job done.
  • Sophisticated tools take a long time to design and once detected can be countered.

Attackers often try to find a way to access a network remotely without the need for malware, usually with stolen credentials. This activity is less likely to be detected by security tools and is a more reliable form of access for attackers. Another technique which does not rely on malware is he use of scheduled tasks which can be set on a compromised machine to conduct tasks chosen by the attacker. This ensures a compromise can continue without raising suspicions.

Phishing Emails

Phishing emailAttackers are familiar with crafting emails with an element of social engineering to entice recipients to perform an action, whether that is opening an attachment or clicking on a web link.

The levels of the social engineering cyber threat vary widely between groups. Often an email with virtually no more social engineering other than ‘Please see attached’ or ‘Please visit [URL]’ is sent to a wide distribution in a target organisation. Sometimes, but not always, this email will be sent from an email address unlikely to be recognised by the recipient.

The next level of sophistication is for the attacker to create or hijack a webmail account in the name of someone within the target organisation, giving a degree of authenticity which may be enough to make a user open the email and carry out an action. Often the name chosen for the webmail account will be a senior manager or board member whose name will be familiar to the intended victim.

Finally, emails can be crafted either for individuals or targeted groups where the sending email address will be familiar, the language in the email will be authentic from that sender and the document attached or link will be one the intended victim would expect to receive. Such phishing attacks are almost impossible to differentiate from a legitimate email and often result in a successful compromise.

Attachment types are varied, but usually involve PDFs or Microsoft Office formats such as Excel spreadsheets or Word documents. These first stage implants typically exploit known, recently published vulnerabilities for which software patches exist, although the patching cycles of companies mean that there is a window of time where the vulnerability is unpatched. This window often extends for several weeks or months. Where intended victims receive a URL, visiting the webpage will result in compromise through malware being downloaded and executed in the background. This technique is often referred to as a ‘drive-by’ download.

Source: Rob Sloan Context Information Security, London, UK