Disclosure In The APT Age

  /     /     /  
Publicated : 22/11/2024   Category : security


Disclosure In The APT Age


Yet another widespread advanced persistent threat-type campaign has hit the federal government -- this one aimed at civilian agencies



This is part one of a two-part series on security in the Age of the APT. Part two is
here
.
A widespread cyberespionage attack targeting high-level officials at multiple civilian federal government agencies has been under way and under investigation for months now, but the names of all of the victim agencies may never be confirmed publicly, or the extent of the damage incurred by the breaches.
Welcome to the age of the advanced persistent threat (APT)-type attack, where cyberespionage by nation-state attackers is going on all the time across government and private industry, but public disclosure by the victims is mostly voluntary, very rare, and not exactly fully forthcoming. This latest attack on civilian agencies began with what has become typical APT fashion: a clever social engineering email with a malicious but legitimate-looking attachment, according to sources familiar with the attack. That method, as well as variants using a convincing-looking URL within the message, has been used to infiltrate other agencies, Defense contractors, and corporations during the past few years.
One things for sure: No one is immune from these dogged attacks. The majority of federal and nonfederal organizations that do any kind of important work of any interest, or overseas -- probably most all of them have been hacked by APT-type actors, says security expert Steven Adair of Shadowserver. Adair says victims span just about every industry, from avionics to international law to human rights.
Literally, no one has been spared over time, he says.
Will Irace, director of research for Fidelis, echoes that sentiment: If you find me a security practitioner who has not had a device that has been owned and compromised by an external adversary, youll probably find a liar, he says. All of us have been there.
So if everyone is getting targeted by APTs, why wont they just go ahead and speak up about it? Security experts say theres still the victim stigma that no organization wants. Government agencies fear revealing their vulnerabilities and, thus, that of the nation, while businesses worry about their shareholders or losing customers, for instance.
This is a huge problem for the industry, says Anup Ghosh, CEO of Invincea. One of core reasons is we havent addressed the shame factor ... All this information is kept hush-hush, and the markets dont have the opportunity to understand whats going on. It wasnt until Anonymous and AntiSec started publicly hacking government agencies and companies that people [gained] awareness of what has actually been going on all along.
Ghosh says companies need to get over it and start at least sharing information among one another about the types of attacks theyre experiencing. Once you get public disclosure of whats actually happening, youre putting the dirty laundry out in the open, and now the markets can begin to address the problem.
It wasnt until Google went public two years ago about Operation Aurora -- the attack targeting the search engine giants intellectual property, in addition to that of dozens of other U.S. corporations, including Adobe and Intel -- that ATP-borne attacks started to become a household word in business circles. But the scope of the problem was highlighted most recently with McAfees report on the
so-called Operation Shady RAT cyberespionage campaign
that has been ongoing for five years, so far stealing intellectual property from 79 government agencies, international corporations, nonprofits, and others in 14 countries.
In Shady RAT, the attackers lifted sensitive government information, email, legal contracts, and design documents from their victims, which included Defense contractors. The attack began with a spear-phishing e-mail message that included a URL that, when visited, downloaded a remote access tool onto the victims machine. That provided a foothold for the attackers to get inside and siphon information from the victims organization.
But we still dont know all of the organizations and agencies that were targeted by Shady RAT. McAfee categorized the victims by their industries and regions, and disclosed the actual names of a few: Asian and Western national Olympic Committees, the International Olympic Committee (IOC), the World Anti-Doping Agency, and the United Nations.
Meanwhile, the APT attackers who went after U.S. civilian federal agencies in the recent attack campaign were able to wrest control of some of the victims domain controllers and file servers, according to sources close to the attacks. Some of the breaches took months to clean up at agencies, one source with knowledge of the attacks said.
PAGE 2: Persistent doesnt mean advanced.
The attackers used sophisticated malware and an SSL-encrypted connection for siphoning information from the civilian agencies and sending it back to their home servers. I think they knew the networks better than the agencies do, the source said. It was a heavily funded group or a nation-state, possibly China, the source said.
While most cyberespionage campaigns are persistent, not all are necessarily advanced like this one. According to one forensics expert, if its advanced, youre less likely to catch it. Most APT guys want to be in and out and not want you to know theyve been there, he says.
David Amsler, president and CIO of Foreground Security, says his firm sees plenty of attacks that are persistent but not advanced. They continuously knock down doors, and if they do get in, they create five different backdoors to make sure they are consistently there, Amsler says.
Says one forensics investigator, who requested anonymity: Weve seen organizations owned 50 layers deep by APTs. In one case, they had to throw it all away and start over.
For forensics investigators, the tricky part is to gather intelligence on what the attackers are doing without letting them know they are there. That means letting them continue with their attack in order to analyze what kinds of data they are going after and siphoning out of the victim organization.
The key thing for organizations is not to overreact and unplug or turn off the devices because that lets the adversary know youre there, Foregrounds Amsler says. It can also corrupt any evidence that hasnt already been gathered, he says.
You leave it online as long as you can to gather as much relevant information as possible. In incident response today, you dont just take the computer and do forensic analysis: You need full packet capture analysis. And not just on one system, he says.
[Those] attackers [who] are more persistent and continuous is what concerns me, he adds.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Disclosure In The APT Age