When the Advanced Persistent Threat (APT) Meets Industrialization

Advanced Persistent Threat (APT): what happens when APT meets industrialization?

(Part VI in a series on cybercrime. Read Part I, Part II, Part III, Part IV, Part V.)

Our watchful eyes are focused on protecting our systems from hackers. This should come as no surprise, especially in the wake of a new report showing that digital theft has for the first time surpassed physical theft. However, we cannot dismiss the fact that there is another threat lurking behind the scenes – one that is not driven by the profitability of information. Rather, its driver is ideology. This is the Advanced Persistent Threat (APT). The question now is - what happens when APT meets industrialization?

Advanced Persistent Threat (APT)

When comparing an industrialized attack to an APT attack, it’s easy to make the analogy between a machine gun and a sniper rifle. The first is designed to hit as many targets as possible. The second is very precise.

In fact, there are certain key characteristics which define an APT:

Targeted – The victim is chosen based on political, commercial and security interests.

Persistent – If one attack fails, the attacker will not relent. Rather, the attacking party will change strategy and find a new attack technique to deploy against the victim.

Control focused – APTs attempt to wreak havoc on the victim. This includes attacks against Supervisory Control and Data Acquisition (SCADA) systems (broadly, the control systems behind power and industrial infrastructure), as well as communication systems. Other attacks include theft of sensitive national information or of an enterprise’s intellectual property.

Not ROI focused – APT hackers are not as concerned with costs or revenue. Large budgets are allocated in the name of “national security” or a “technological competitive edge.”

Classic examples of APT are the Russian Distributed Denial of Service (DDoS) attacks against the states of Estonia in 2007 and Georgia in 2008. Through a series of such attacks, Russia rendered these countries’ online services unavailable. This was clearly a state-sponsored attack, very much targeted against the countries’ Internet infrastructure. Had the attackers failed to knock them offline, they would probably have attempted a different type of attack. We cannot even rule out an attempt to physically sever the communication lines.

APT Adopts Industrialized Hacking Concepts

There is a clear distinction between two different attack classes: APT and the hacking industry. Yet recently, we have witnessed APTs incorporating concepts and techniques from the latter. Specifically, there are two methods which APT-hackers have applied in their attacks. The first method borrows the notion of viral distribution in order to cover their tracks. The second method uses large-scale automation and existing infrastructure, belonging to the hacker industry, in order to carry out their specific attack. By adopting these methods they can make their attacks all the more powerful and all the more successful.

Stuxnet – An APT Distributed Virally

A few months ago a worm, Stuxnet, appeared. This worm specifically targeted SCADA systems. Stuxnet consisted of four different attack vectors, each exploiting a different vulnerability. The code was highly deceptive and must have been written by a dedicated group of hackers over some 6 months of development. Although speculative, there is broad agreement that this worm had one specific target – Iran. Much of the worm’s deception lay in its propagation. In the course of reaching Iran the worm distributed itself through Windows machines in multiple countries: Germany, Russia, India and others. Upon dropping its payload on a SCADA system, Stuxnet called home and announced that the eagle had landed.

Stuxnet is an Advanced Persistent Threat (APT). It’s personal – whether or not the target was the Bushehr Nuclear Plant, it is obvious that the attack source had in mind a specific target. Stuxnet was not searching for data to monetize, rather it was focused on gaining control of crucial infrastructure. And as mentioned, all fingers point to government agencies as the Stuxnet driver. However, as opposed to traditional APT attacks, the worm’s target was not direct. The worm hopped around different countries and it seems like the developer’s plan was to unleash the worm on the world only to reach a precise target. This technique should sound familiar: target as many systems, and sooner or later, there will be a victim.

Hiring Botnets for Better APT ROI

In mid-2009 botnet armies sponsored by North Korea targeted US governmental institutions. When those did not fall prey to the attack, the attacks shifted to private US sites. As with industrialized attacks, these attacks were ROI focused: the target shifted while the existing infrastructure remained. It is this point which distinguishes the North Korea-generated DDoS attack from the above-mentioned Russian attacks against Estonia and Georgia. In the North Korean attack, the attack resources were optimized to achieve a full-fledged campaign.

A New Taxonomy Required

To be clear, we are not seeing the merging of Industrialization of Hacking with APT. Rather, the security industry should be watchful of the incorporation of industrialized hacking techniques into APT. It’s even time to give this adoption a new name. Any suggestion is welcomed using the comments section below this article.

Advice

Both classes of attack (industry and APT) are going to use some of the same techniques, so some security controls are applicable to both. On the positive side, if you’re covered against the cyber-mafia you should already have some of the controls needed to protect against certain APT attacks. On the negative (and scary?) side, as the name implies, APT is persistent. If a certain attack does not succeed, another one will come into play. Traditional security controls do not deter these relentless state-sponsored hacker organizations. For the enterprise this means increasing monitoring visibility of traffic and setting security controls across all organization layers. Keep in mind that if an attacker is really persistent in doing damage to the target, there is always another way to enter the organization: through the insider.

Coming Up Next – Hackers Wreak Financial Havoc

We’ve discussed the impact due to state-sponsored, governmental or nation-inspired attacks when combined with ideas from the hacker industry. But what about the true life-stories from the trenches – those actually hit by the commercialized hacker industry? Stay tuned as I talk about the most financially burdensome and interesting attack schemes which organizations have suffered from during the past year.
Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists, with previous columns focusing on trends in the threat landscape. Her current interests lie on the business side of security. Noa has worked for Imperva as a Sr. Security Strategist and, before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.