There is much we can learn about the coordinated online activities of skilled attackers with nation-state affiliations. The following two write-ups provide a wealth of information about one such attack group, which has been targeting organizations in South Asia over the past few years and appears to reside in India:
According to these reports, the group engaged in industrial espionage and spying on political activists. The victims resided in many countries, but Pakistan stood out as the most targeted location. The attackers relied on spear phishing to gain initial access to the targeted environment. The emails were thematically appropriate to the targets and included malicious documents that exploited unpatched vulnerabilities. Some of the malware was digitally signed.
The analysts attributed these cyberattack activities to a specific source by examining:
As a result, Norman and Shadowserver researchers concluded that the attackers apparently operated from India “and have been conducting attacks against business, government and political organizations.” Similarly, ESET analysts concluded “that the entire campaign originates from India.”
In addition, Norman and Shadowserver researchers concluded that the malicious software used in these campaigns was created by multiple software developers who were “tasked with specific malware deliverances.” The developers collaborated, “working on separate subprojects, but apparently not using a centralized source control system.”
Some organizations have encountered Advanced Persistent Threat over 5 years ago—earlier than most of us. Because of the types of data they process, these initial APT victims were exposed to carefully-orchestrated, espionage-motivated attacks before they spread to a wider range of targets.
Now, half a decade later, it might be time to look at the attacks that those initial APT victims are fighting today in order to forecast the threats that will eventually reach other companies. I am wondering:
It’s hard to answer these questions without first-hand access to the companies that witnessed the first wave of APT attacks. Furthermore, the dilution of the term APT by marketing departments makes it harder to differentiate reliable APT insights, such as what Mandiant has been publishing, from the generic APT-themed sales collateral peppered throughout the web.
Based on public information and observations, I suspect the threat landscape over the next few years will involve:
These are just conjectures. I don’t have the answers to the questions I posed above; however, I thought I’d at least ask them and explore the idea of looking at early APT targets’ current state to anticipate advanced threats that will later affect other organizations.
Related articles you might like:
The need to define custom, incident-specific signatures is slowly gaining traction in the mainstream enterprise. A few years ago this concept, often called Indicators of Compromise (IOCs), was mostly discussed by government organizations and defense contractors who were coming to terms with Advanced Persistent Threat (APT) attacks.
Mandiant began popularizing the term IOC around 2007. Kris Kendall’s paper Practical Malware Analysis mentioned IOCs in the context of malware reversing at Black Hat DC 2007. For a precursor to this, see Kevin Mandia’s Foreign Attacks on Corporate America slides from Black Hat Federal 2006. At the time, few organizations saw the need to go beyond antivirus-based detection by analyzing the adversary’s artifacts to define custom host-level signatures.
Now, several years later, the term IOC is pretty well-known in the infosec industry. More companies are adding malware and related analysis skills to incident response teams. As Jake Williams put it, such firms know how to examine new malware and extract IOCs. “These are then fed back into the system and scans are repeated until no new malware is found.” Automated analysis products from vendors such as Norman, Mandiant, FireEye and HB Gary are being increasingly positioned as IR triage-enablers.
That said, the knowledge and skills for deriving and using IOCs are far from mainstream. Anton Chuvakin highlighted the distinction between security haves and have-nots along the lines of this capability. The haves know how to reverse-engineer malware to “extract the IOCs FAST (or get those IOCs shared with you by trusted friends) and then look for them on other systems.”
IOC techniques haven’t entered the mainstream just yet. But we’re heading in that direction, as more people attain forensics skills and as more tools become available for defining and making use of such custom, incident-specific signatures.
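To make the extract-scan-repeat loop described above concrete, here is an added example (not code from the original post or from any vendor named here). The host inventories, the seed indicator and the "analysis results" are constructed sample data; the indicator types are hypothetical, and malware reversing is stood in for by a lookup table.

```python
# Added example: a minimal model of the IOC feedback loop. All IOCs, host
# artifacts and analysis results below are constructed, not real indicators.
from dataclasses import dataclass


@dataclass(frozen=True)
class IOC:
    kind: str    # hypothetical indicator types: "hash", "path", "mutex"
    value: str


# Constructed host inventories: what a host-based scan would collect.
HOSTS = {
    "ws-01": {IOC("hash", "aaaa1111"), IOC("path", "C:\\Temp\\svc.exe")},
    "ws-02": {IOC("mutex", "Global\\m0"), IOC("hash", "bbbb2222")},
    "ws-03": {IOC("path", "C:\\Users\\Public\\run.bat")},
    "ws-04": {IOC("hash", "cccc3333")},
}

# Constructed stand-in for malware analysis: reversing the sample with a
# given hash yields further indicators (dropped paths, mutexes, other hashes).
ANALYSIS = {
    "aaaa1111": {IOC("mutex", "Global\\m0"), IOC("path", "C:\\Users\\Public\\run.bat")},
    "bbbb2222": {IOC("hash", "cccc3333")},
}


def scan(hosts, iocs):
    """Return the names of hosts exhibiting at least one known IOC."""
    return {name for name, artifacts in hosts.items() if artifacts & iocs}


def ioc_feedback_loop(hosts, seed_iocs, analysis):
    """Scan, analyze newly found samples, add derived IOCs, repeat until stable.

    Returns (compromised hosts, final IOC set, number of scan rounds)."""
    known = set(seed_iocs)
    analyzed = set()          # sample hashes already reversed
    rounds = 0
    while True:
        rounds += 1
        compromised = scan(hosts, known)
        new = set()
        for host in compromised:
            for art in hosts[host]:
                # Every unanalyzed sample on a compromised host goes to analysis.
                if art.kind == "hash" and art.value not in analyzed:
                    analyzed.add(art.value)
                    new |= analysis.get(art.value, set()) - known
        if not new:           # no new indicators: the loop has converged
            return compromised, known, rounds
        known |= new
```

Starting from the single seed hash, the loop takes three rounds to reach all four constructed hosts, which is the "scans are repeated until no new malware is found" behaviour the text describes.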
To learn how to define and make use of IOCs, take a look at:
APT is a geopolitical problem.
We commonly see APT shift to using stolen credentials and no malware at all.
If you follow this blog, you may have noticed that I made fun of Advanced Persistent Threat on several occasions. I published APT haiku (thanks to all who contributed) and a series of APT cartoons. I established the Certified APT Nerd (CAPTN) professional credential with an exam. I also launched the APT Merchandise Store, where the most popular item is the "My APT Can Beat Up Your APT" t-shirt.
Why do I make fun of this serious topic? Because I care.
Many computer security incidents result from mass-scale attacks. Some incidents result from targeted attacks. A subset of targeted attacks, affecting relatively few organizations, is being called APT. (This is a form of malicious market segmentation.)
APT attackers are highly skilled, determined and have a long-term perspective on their mission. As a result, it is difficult to detect and respond to such incidents, with the IR process spanning months or even years. Dealing with APT is expensive. The impact of the data loss resulting from an APT incident is costly, too.
The media’s attention to high-profile APT incidents has turned APT into a marketing buzzword. It is simply too convenient for security product and service vendors to use APT as part of sales and marketing efforts, even though the majority of these offerings don’t directly deal with APT.
I make fun of APT in the hopes that this will make it harder to use APT as a generic marketing buzzword or a boogeyman du jour. I also make fun of it because FUD-based marketing techniques, when taken to an extreme, can be quite humorous, and the job of an information security professional is too hard if it is always taken seriously.
And with that in mind, I present to you APT cartoon #6: APT Goes Mainstream on TV.