APT: These three letters appear in cybersecurity-related news and bulletins more and more. Advanced Persistent Threats have become common.
What is Advanced Persistent Threat? The term actually refers to two different things. Initially, it was hacking groups (possibly government-backed) involved in continuous and persistent (hence the name) attacks towards a specific victim. One example the notorious Comment Crew (aka APT 1), was involved with attacks on the largest media outlets in US.
A Layman’s dictionary: What is #APT and why is it called that #security
Tweet
Now APT also refers to a specific kind of malicious cyber campaign that involves a series of diverse activities with the intent to cause harm or steal important and sensitive information. The groups behind such attacks are now called “APT groups”.
In 2013, Kaspersky Lab’s Global Research & Analysis Team (GReAT) reported that NetTraveler, a long-running APT campaign, had infected over 350 victims in more than 40 countries. At the time of the announcement, NetTraveler had been active for 9 years, and it was mainly stealing valuable data from space research laboratories, nanotechnology and energy production companies, nuclear power plants, medical equipment producers, and laser and communications technology companies. It also targeted Tibetan/Uyghur activists, which suggests that it is most likely backed by Chinese authorities.
However “hi-tech” the targets were, methods used by NetTraveler – mainly phishing messages with attached MS Office documents, which when opened used exploits for old vulnerabilities CVE-2012-0158 and CVE-2010-3333 – were quite primitive, but surprisingly efficient.
This year NetTraveler hit 10 years and was updated with newer malware tools. Still, it’s the same APT campaign with the same people behind it.
Earlier this year security researchers uncovered yet another long-standing APT campaign aimed at the exfiltration of important data from organizations associated with strategic industrial sectors. This campaign received not just one name, but two: Energetic Bear and/or Crouching Yeti. It mainly targeted industrial and machinery sectors, but manufacturing, pharmaceutical, and construction companies were also attacked, along with education facilities and, of course, organizations related to information technology.
Victims were either peppered with spearphishing PDF docs with embedded flash exploit (CVE-2011-0611, quite old, as one may see), or served with Trojanized software installers; then there were waterhole attacks using a variety of re-used exploits.
APT actors don’t need supercustom #malware for their campaigns to be successful
Tweet
Interestingly, none of these exploits were zero-day: All were long known with patches that were available, but not installed by victims. The campaign had been ongoing for at least four years prior to the discovery.
As seen above, the APT campaigns have the following common features:
- Specific targets. Actors behind these campaigns are routinely interested in some specific data and/or intelligence on the activities of the targeted entities.
- A diverse malicious toolset. The primary goal is to infiltrate the targeted entity infrastructure by any means necessary, not just spread around some malware and see what it would yield. So they use various tools such as Trojans, backdoors, exploits, etc., and while exploits may be old and well known, attackers often use sophisticated, multistage methods of infections. For instance, a phishing mail drops a Trojan, which checks whether the infected PC matches specific criteria, then “calls his friends” and downloads other malware.
- Multistage approach. Aside from multistage infection, APT groups often choose not to hit immediately at the points where they are expected. For instance, they won’t attack a CEO of a large transnational pharmaceutical corporation, because he most likely has the most bulletproof workstation around. Instead they may choose to target some low-level employee who’s on the same network as the CEO, then use his PC and mobile devices as a stepping stone towards infecting more valuable machines.
- Persistence. Attackers strive for a long-term presence and continuous exfiltration of the data they are interested in. Sometimes actors behind APT campaigns even pull the plug once exposed, as with Miniduke. However, after a year in a dormant state, it’s back now, heavily upgraded, but still detectable.
It’s easy to imagine the consequences for businesses affected by APT-style attacks: continuous loss of intellectual property, disruption of supply chains and operations, etc.
Here are some recommendations:
- APT groups use mostly known exploits, so if there is a chance of becoming a target, it is necessary to keep track of the commonly used and most vulnerable software products, such as Adobe Acrobat, Adobe Flash, Oracle Java, Microsoft Office, etc. These software packages are almost ubiquitous and problematic. Keeping them up-to-date heavily mitigates the risks.
- Phishing emails/messages is the most commonly used tool. Experienced users are capable of identifying this kind of threat, but most people would likely require specific training in order to detect this threat. Antiphishing software tools are also extremely helpful.
- Automatic exploit prevention technology will help where the zero-day (i.e. yet unknown) exploits are used. Kaspersky Lab’s АЕР can also prevent the escalation of malicious behavior even after the exploit has launched. This technology is based on the analysis of exploit behavior, as well as information on applications most often attacked by cybercriminals: Adobe Acrobat, Java, Windows components, Internet Explorer, and others. Any time these programs attempt to launch suspicious code, special controls immediately intervene, interrupt the launch and trigger a scan of the system.
- It is also necessary to limit access to sensitive data. Only authorized personnel should be able to access certain information, according to their roles and the business processes they are involved with. Other personnel should not have access to that data, and thus attackers won’t be able to get to it just by compromising some “obscure” employee PC.