Advanced Persistent Threats
Advanced persistent threats (APTs) are cyber attacks in which an unauthorised party gains access to a system or network and remains there for an extended period without being detected.
Such attacks are particularly dangerous for businesses and enterprises, as the attackers have ongoing access to sensitive company data. Advanced persistent threats generally do not set out to damage company networks or devices, since disruption would draw attention to the intrusion. Instead, the goal of an advanced persistent threat is most often data theft and espionage.
As has been widely reported within Australia and overseas, APT attacks are becoming increasingly common as cyber criminals look to more sophisticated measures to achieve their goals. APTs have caused several large, costly data breaches and are known for their ability to remain undetected for long periods.
Advanced persistent threats do not take a general, broad approach. They are carefully planned and designed to attack one specific company or organisation. This sets them apart from many traditional threats, such as commodity viruses and malware, which behave the same way wherever they land and are simply repurposed against different systems or companies. APTs are highly customised and sophisticated, built specifically to get around the security measures already in place within the target company.
Deployment of malware is critical to the success of an advanced persistent threat. Once the network is breached, the malicious code can hide from certain detection systems, move from system to system across the network, collect data, and monitor network activity. The attackers' ability to control the malware remotely is also key: it lets them navigate the organisation's network to identify critical data, gain access to the desired information, and initiate the exfiltration of that data.
APTs are usually sponsored by nation states and/or foreign intelligence services. Major state-sponsored cyber attacks such as Operation Olympic Games (the Stuxnet attack), the attack on Saudi Aramco and the attacks against Estonian critical infrastructure highlight the threats and risks associated with state-sponsored offensive cyber capabilities. In April this year, the then Australian Defence Minister detailed that approximately 400 Australian businesses may have been targeted by suspected state-sponsored cyber attacks. These attacks were part of a widespread cyber campaign that affected millions of computers worldwide.
Further, recent media reporting also suggests a significant cyber campaign by foreign state-sponsored hackers against Australian government and commercial entities, known as Operation Cloud Hopper, by a group identified as Advanced Persistent Threat 10 (APT10). Two members of this group were recently indicted in the United States for these attacks.
APTs use a variety of techniques to gain initial access to a network. Attackers may deliver malware over the internet (for example, by email), introduce it physically (for example, via removable media), or directly exploit a vulnerability in an internet-facing service to reach protected networks. US company FireEye outlines six steps of a typical APT-based attack:
1. The cybercriminal, or threat actor, gains entry through an email, network, file, or application vulnerability and inserts malware into an organization's network. The network is considered compromised, but not breached.
2. The advanced malware probes for additional network access and vulnerabilities or communicates with command-and-control servers to receive additional instructions and/or malicious code.
3. The malware typically establishes additional points of compromise to ensure that the cyberattack can continue if one point is closed.
4. Once a threat actor determines that they have established reliable network access, they gather target data, such as account names and passwords. Even though stored passwords are usually hashed or encrypted rather than kept in clear text, weak protection can often be cracked offline. Once that happens, the threat actor can identify and access data.
5. The malware collects data on a staging server, then exfiltrates the data off the network to infrastructure under the full control of the threat actor. At this point, the network is considered breached.
6. Evidence of the APT attack is removed, but the network remains compromised. The cybercriminal can return at any time to continue the data breach.
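Two of the steps above leave traces in ordinary outbound proxy or firewall logs: the malware's timed check-ins with its command-and-control server (step 2) and the bulk upload of staged data (step 5). The following script, an added example rather than FireEye's or this page's own tooling, runs two simple heuristics over a constructed set of log lines. The log format, host names, thresholds and the idea of flagging near-constant request intervals are assumptions chosen for the illustration, not a description of any particular product.

```python
"""Detection heuristics for two stages of the APT lifecycle described above:
C2 beaconing (regular, timer-driven call-outs) and bulk exfiltration
(large outbound volume to one external destination).
Example code; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev

# Constructed sample of outbound proxy log lines, one per request:
#   <ISO timestamp> <source host> <destination host> <bytes sent>
# ws-017 contacts one host every ~300 s (beacon-like); ws-022 browses a news
# site at irregular human intervals; ws-031 pushes ~73 MiB to one external
# file-sharing host in three requests (staging followed by exfiltration).
SAMPLE_LOG = """\
2023-03-01T09:00:00 ws-017 cdn-sync.example.net 412
2023-03-01T09:01:10 ws-022 www.news.example 15320
2023-03-01T09:01:45 ws-022 www.news.example 8210
2023-03-01T09:05:02 ws-017 cdn-sync.example.net 398
2023-03-01T09:07:30 ws-022 www.news.example 23011
2023-03-01T09:08:02 ws-022 www.news.example 1874
2023-03-01T09:10:00 ws-017 cdn-sync.example.net 405
2023-03-01T09:14:59 ws-017 cdn-sync.example.net 410
2023-03-01T09:20:01 ws-017 cdn-sync.example.net 399
2023-03-01T09:25:00 ws-017 cdn-sync.example.net 402
2023-03-01T09:30:02 ws-017 cdn-sync.example.net 411
2023-03-01T09:31:15 ws-022 www.news.example 9902
2023-03-01T09:33:40 ws-022 www.news.example 4410
2023-03-01T09:40:00 ws-031 share.example-files.net 26214400
2023-03-01T09:41:30 ws-031 share.example-files.net 31457280
2023-03-01T09:43:10 ws-031 share.example-files.net 18874368
2023-03-01T09:58:05 ws-022 www.news.example 12077
"""


def parse_log(text):
    """Parse the whitespace-separated format above into (time, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_events=6, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-request intervals are near-constant.

    A coefficient of variation (stdev / mean) of the gaps below max_cv means the
    host is calling out on a timer; human browsing produces bursty, irregular gaps.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in records:
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = stdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            beacons[pair] = {"events": len(stamps),
                             "mean_interval_s": round(avg, 1),
                             "cv": round(cv, 4)}
    return beacons


def find_bulk_exfil(records, threshold_bytes=20 * 1024 * 1024):
    """Flag (src, dst) pairs whose total outbound volume exceeds threshold_bytes."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in records:
        totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for pair, info in find_beacons(recs).items():
        print("possible C2 beacon:", pair, info)
    for pair, total in find_bulk_exfil(recs).items():
        print("possible exfiltration:", pair, f"{total / 1024 / 1024:.1f} MiB")
```

Run as-is, the script flags only ws-017 (seven requests roughly 300 seconds apart) and ws-031 (about 73 MiB to one host); ws-022's seven irregular requests to the news site pass the beacon test because their gaps vary by far more than 10 percent. Real malware adds jitter and uses legitimate-looking destinations, so in production these thresholds are tuned per environment and the results are combined with destination reputation and baseline volume per host rather than used alone.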
APT attackers are increasingly using smaller companies (including ICT managed service providers) that make up the supply-chain of their ultimate target as a way of gaining access to targeted organisations. They use such companies, which are typically less well defended, as steppingstones.
In many cases, trusted connections are used to gain initial access. This means attackers may use employees’ or business partners’ credentials obtained through phishing attacks or other malicious means. This assists attackers in the critical goal of remaining undetected long enough to map the victim’s systems and devise a strategic plan of attack to harvest sensitive and private data; whether business, client or staff information.
Beyond the data loss itself, the major danger of APT attacks is that even when they are discovered, and the immediate threat appears to have been defeated, the attackers may have left multiple backdoors open that allow them to return when they choose. For this reason, incident response should scope the full extent of the intrusion before attempting eradication, rather than cleaning only the host where the activity was first noticed.
Additionally, many traditional cyber defences, such as antivirus and firewalls, will not always protect against these kinds of attacks. To effectively safeguard against and limit successful APT or other cyber attacks, it is essential that businesses, large or small, adopt a holistic approach to security. This includes a combination of the following: a strong security culture; risk assessments to identify gaps in systemic, physical or technical defences; training and awareness; developed and periodically tested response and recovery plans; and security hardware and software measures.