Many of today’s most destructive advanced persistent threats (APTs) were conceived a decade ago, so enterprises that rely on most traditional approaches to cybersecurity are unlikely to succeed against the next generation of attacks. This is one of the cautions in a new book published by global IT association ISACA in cybersecurity awareness month.
Advanced Persistent Threats: How to Manage the Risk to Your Business advises that traditional defenses such as firewalls and anti-malware are not up to the challenge of today’s APTs and that organizations need to add skills, processes and technology to their cybersecurity arsenal.
While new tools are needed to combat ever changing security threats, it is helpful to examine the history of the APT, because it is possible to derive many important lessons for defending against them in the future. The earliest use of the term “advanced persistent threat” emerged from the U.S. government sector in 2005, describing a new, deceptive form of attack that targeted selected employees and tricked them into downloading a file or accessing a website infected with Trojan horse software. This slideshow summarizes known facts, anecdotal evidence and reported claims behind some of the most well known attacks experienced over the last 15 years.
Click through for some of the most famous APTs in history, as Identified by ISACA.
The earliest published attack on military research establishments was detected as far back as the late 1980s when West German hackers penetrated networked computers in California to steal secrets relating to the “Star Wars” program.
A fascinating account of this particular set of attacks is related in the 1989 book The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, by Clifford Stoll, a computer manager at the Lawrence Berkeley National Laboratory, who stumbled across the activity when investigating a minor accounting discrepancy in the computer usage accounts.
Stoll discovered that the intrusion was coming from a university in West Germany across a satellite link. He set up a trap with enticing details of a fictional Star Wars contract, enabling the West German authorities to locate the hacker, a student called Markus Hess, who had been selling the stolen information to the Soviet KGB. Hess was tried and found guilty of espionage in 1990 and sent to prison.
The incident helped raised awareness across the intelligence and security communities of the potential for offensive attacks as well as the vulnerability of networked computers to compromise. It was a portent for future attacks that would materialize in years to come.
At the turn of the century, a widespread series of attacks on government sites was discovered by the U.S. government. The attacks, codenamed Moonlight Maze, had been going on undetected for nearly two years, penetrating systems at the Pentagon, NASA and U.S. Department of Energy, as well as universities and research labs involved in military research. Some experts point to these attacks as perhaps the first major example of an APT, although the term was not in common use at that time.
The attacks stole tens of thousands of files, including maps of military installations, troop configurations and military hardware designs, resulting in damage amounting to many millions of dollars. The attacks were traced back to a mainframe computer in the former Soviet Union, although the Russian government denied any involvement. It is possible that the stolen information might have been sold to the highest bidder.
Titan Rain was the code name given by the U.S. government to a series of cyber espionage attacks launched in 2003 on U.S. defense contractors, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal and NASA. The attacks were claimed to be of Chinese origin, although the Chinese government denied any involvement.
What was new in the attacks that began to emerge at this time was the level of deception and the use of multiple attack vectors (channels of attack), which combined well-researched social engineering attacks on specific, targeted individuals with stealthy Trojan horse attacks using malware techniques that were calculated to bypass contemporary security countermeasures.
The sensitive nature of the incidents and targets encouraged a blanket of government secrecy, which was understandable but, with hindsight, unfortunate because it helped the perpetrators to broaden their attacks to steal data from a wider spectrum of enterprises, encompassing all major sectors of industry including aerospace, defense, energy, financial services, manufacturing, pharmaceutical, technology and others.
For several years, perhaps going back to 2006 but not detected until much later, an APT attack called Sykipot has been collecting and stealing secrets and intellectual property, including design, financial, manufacturing and strategic planning information. The attacks employ spear-phishing emails containing a malicious attachment or a link to an infected website, as well as zero-day exploits.
Sykipot attacks have targeted many U.S. and UK companies, including those operating in the defense, computer, telecommunications, energy, chemicals and government sectors. An analysis of these attacks carried out in 2011 by AlienVault Labs indicated that the vast majority of servers are based in China. The targets and information gathered suggest an intelligence agency would be the likely beneficiary.
GhostNet was a large-scale cyber espionage operation discovered in March 2009. Its command and control infrastructure was reported to have been based largely in China, although the Chinese government has denied any involvement.
The GhostNet attacks were initiated by spear-phishing emails containing malicious attachments that loaded a Trojan horse on the victim’s system, enabling the execution of commands from a remote command and control system, which downloaded further malware to take full control of the compromised system. The malware included the ability to use audio and video recording devices to monitor the locations housing the compromised computers.
GhostNet was reported to have infiltrated the computers of political, economic and media targets in more than 100 countries, including the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany, Pakistan and the office of the Prime Minister of Laos. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan were also targeted. Computers in the Dalai Lama’s Tibetan exile centers in India, London and New York were also compromised.
Some researchers have suggested that GhostNet might have been an operation run by citizens in China for profit or patriotic reasons. Alternatively, it may have been created by intelligence agencies from other countries such as Russia or the U.S. One factor that is consistently encountered when attempting to identify the source of APT attacks is the preponderance of unsubstantiated rumor or spin associated with the attacks. Every expert has a different opinion on who is behind them.
Operation Aurora (claimed to be original name of the operation) was a series of cyber attacks launched in 2009, reported to have originated in China. The attack used a zero-day exploit to install a malicious Trojan horse named Hydraq, designed to steal information.
Early victims of APT attacks had generally been unwilling to publicize their experience or confront the suspected perpetrators. Fear of antagonizing their attackers or upsetting their customers and shareholders discouraged public announcements and retaliatory action, which served only to encourage attackers to go even farther. To its credit, Google was an exception to this culture of silence.
In January 2010, Google disclosed the attacks, claiming that 20 other companies had also been attacked, although it is now widely believed that the number was much higher. Victims were known to include Adobe Systems, Juniper Networks and Rackspace. Many other companies that were attacked preferred to remain anonymous, although reports indicated that they included leading banks, defense contractors, security vendors, oil and gas companies as well as a number of other technology companies. The email accounts of Chinese human rights activists were targeted as well.
McAfee investigators reported that the primary goal of the attack was to gain access to and modify source code repositories at these high-tech, security and defense contractor companies. At the time, these repositories were not generally protected to a high security standard.
By publicizing its experiences, Google helped to promote awareness of the risk and encourage investment in better security countermeasures. Many companies still remain reluctant to admit being victims of similar attacks, although regulatory compliance requirements have been progressively forcing enterprises to be more open about their security incidents.
The Gozi virus, named by the security experts who first discovered it in 2007, was a banking virus that infected more than one million computers in the U.S., UK, Germany, Poland, France, Finland, Italy, Turkey and elsewhere, causing tens of millions of dollars in damages. Systems at NASA were also penetrated by the attacks. The malware was rented or sold to criminal gangs by Nikita Kuzmin, a Russian national who created the Gozi virus with the support of accomplices from neighboring countries.
Initially designed simply to capture and transmit personal banking information, later versions contained a capability to intercept browser traffic and modify Web communications. Gozi was controlled through a so-called “bulletproof hosting” service that helped cyber criminals distribute the Gozi virus in a manner designed to enable them to preserve their anonymity. Gozi was disseminated to its victims through various methods, most commonly disguised as a benign PDF document.
Nikita Kuzmin was arrested in the U.S. in November 2010 and pled guilty to computer intrusion and fraud charges, but banks have continued to experience attacks from Gozi, which continues to be enhanced. A new variant of Gozi, which appeared in early 2013, infects the hard disk master boot record — an attack that cannot be easily eradicated even by reformatting and reinstalling the operating system
First discovered in 2007, when it was used to steal information from the U.S. Department of Transportation, Zeus is a Trojan horse used to steal credentials used for banking and credit card payments or for logging in to social networks. Zeus is not a specific attack from a single source, but a complete tool kit providing a wide range of automated and manual tools used by criminals as part of an APT attack.
APTs created using Zeus can spread to victims through a phishing email or a visit to an infected site. The Trojan then mounts a man-in-the-browser attack to capture keystrokes and Web form data from users. Using this technique, Zeus is reported to have compromised tens of thousands of FTP accounts on company websites and infected several million customer computers.
In 2010, more than 100 people were arrested in the U.S., UK and Ukraine on charges of conspiracy to commit bank fraud and money laundering after using Zeus to steal around $70 million.
In 2009, a new banking Trojan known as SpyEye emerged, retailing for $500 on Russian underground forums. Like Zeus, SpyEye is designed to steal customer credentials and initiate transactions when a victim logs onto his/her bank account. A variant of SpyEye discovered in 2012 was able to modify displays of bank statements and balances. Newer variants of Zeus and SpyEye, generally with increasing levels of sophistication, continue to emerge in response to improvements in security defenses. In May 2013, the alleged developer and controller of SpyEye, Hamza Bendelladj, an Algerian hacker, was extradited from Thailand to the U.S. and charged with numerous count of fraud.
One of the SpyEye command and control servers sited in Atlanta, Georgia (U.S.A.) allegedly contained information from 253 different financial institutions.
In March 2011, approximately a month after hosting the world’s largest cybersecurity conference, RSA (the security division of EMC) announced that it had been the victim of a successful APT attack. Although many experts would not place this attack in the same category as some of the more sophisticated intelligence-gathering attacks that have been mounted on governments and Fortune 500 companies, this was clearly a professional, targeted attack by a major APT actor.
The attack itself was relatively simple, but effective: It was initiated by a phishing email exploiting an Adobe flash vulnerability embedded in an attached spreadsheet. The intrusion resulted in the theft of confidential information, including data relating to RSA’s best-selling SecurID authentication technology. The attack used a piece of malware named PoisonIvy, which at the time was a widely available remote access Trojan that had been used to steal information from companies in the chemical and motor sectors as well as from human rights organizations.
The disclosure sent shock waves across the security community because the SecurID product, widely regarded as a security best practice, had long been the product of choice for many Fortune 500 enterprises. Shortly after the RSA breach, several defense contractors, including Lockheed Martin, disclosed that they had experienced cyber attacks on their networks. At least one of these attacks was reported to have used spoofed passcodes from a cloned RSA SecurID token.
The consequences of this attack were potentially highly damaging for both RSA and the customers of its security authentication product. Fortunately, RSA acted quickly to contain the damage, immediately informing customers and advising them to take action to strengthen their SecurID implementations. EMC reported that it had spent at least $66 million on remediation. According to RSA executives, no customer networks were breached, although the breach eventually affected over 700 organizations and was estimated by a Gartner analyst to have cost the banking industry $50-100 million in replacement costs for new tokens.
There are several lessons to be drawn from the RSA incident:
- It is possible for security products to be compromised through an attack on the supplier. Contingency plans should, therefore, be considered for possible breaches of this type where the consequences would be highly damaging.
- The incident demonstrated that even the most security-aware companies handling highly sensitive material can have weaknesses in their security posture. There is certainly an element of truth in the old adage that “the cobbler’s children have the worst shoes.”
- With speedy identification and response, it is possible for the immediate damage from an intrusion to be contained. RSA acted swiftly, decisively and candidly to minimize the consequences to customers.
- The incident demonstrates that enterprises with good crisis management and public relations can ride out even the most severe incidents. RSA is still in business today and has maintained a good reputation.
The Stuxnet computer worm, discovered in June 2010, was the first piece of malware found in the public domain that is designed to spy on and subvert industrial process systems. Stuxnet was claimed to have been created by the U.S. and Israel in order to attack Iran’s nuclear facilities. The malware was reported to have caused substantial damage to the centrifuges at the Natanz nuclear enrichment laboratory in Iran.
The worm specifically targeted Siemens industrial software and equipment, making itself inert if the target software was not found and containing safeguards to limit the spread of the infection. It was the first piece of malware to include a programmable logic controller (PLC) rootkit. It was also programmed to erase itself on a specific date in June 2012. The design of the worm suggests that it was intended to achieve a specific objective against a particular target rather than to support a general intelligence-gathering operation.
Stuxnet was designed to spread initially through an infected USB drive and then use other exploits to infect or update other computers. It was controlled through two websites in Denmark and Malaysia. The malware contained four different zero-day exploits, a considerable investment for a single attack because such exploits can be sold for hundreds of thousands of dollars.
The size and sophistication of the code indicated that the development cost would have been substantial, requiring on the order of a dozen or more man-years. Further derivatives of Stuxnet, called Duqu and Flame, were discovered over the next two years, suggesting that these attacks were part of an ongoing development program.
Duqu was discovered in 2011 and named after the prefix ~DQ, given to the names of the files it creates. The code has been found in a limited number of enterprises, including those involved in the manufacturing of industrial control systems.
Analysis showed it to be very similar to Stuxnet, suggesting that it was created by the same authors or a source that had access to the Stuxnet source code. Server addresses were scattered across many countries, including Germany, Belgium, the Philippines, India and China, suggesting that some sites were selected to help mask the real source of the attacks.
Duqu is designed to gather information rather than cause damage. In particular, it captures information such as keystrokes and system information, most likely for the purpose of enabling a future APT attack on industrial control systems.
Researchers at Kaspersky Lab have pointed out that, unlike many other pieces of malware, the code shares similarities with professionally produced commercial software, suggesting that it was developed by software professionals rather than computer hackers.
Analysis of Duqu also indicated that the malware was built on an earlier platform called Tilded (because of the ~d at the beginning of the file names it creates), which originated as far back as 2007.
Flame was discovered by Iran’s National Computer Emergency Response Team in 2012. It was used to mount sophisticated cyber espionage attacks on governmental ministries, educational institutions and individuals in Middle Eastern countries, infecting around 1,000 machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
The Flame malware was large and complex, designed to spread over local networks or via USB sticks. It could record audio, screenshots, keyboard activity and network traffic, including Skype® conversations. It was also capable of stealing contact information from any nearby Bluetooth®-enabled devices.
The malware was designed to be killed instantly by a remote instruction from the central command and control server. Attacks ceased when the malware was publicly disclosed. The Washington Post claimed that Flame was jointly developed by the U.S. National Security Agency, CIA and Israel’s military at least five years prior to discovery, although this was officially denied.
Red October, a malware program designed to steal secrets from government and research organizations (including data on mobile devices), was discovered in October 2012 by Russian firm Kaspersky Lab. It was believed to have been operating worldwide for at least five years prior to discovery, stealing a wide range of information, including secrets from diplomatic, trade, military, aerospace, energy and research organizations in Russia, Iran, the U.S. and at least 36 other countries.
The Red October attacks were designed to target multiple platforms, including routers, switches, mobile phones and external storage devices, and adapt their actions to different software environments. Among other things, the malware targeted files associated with cryptographic systems, including systems used by NATO, European Union, European Parliament and European Commission departments.
Analysis of the malware by Kaspersky Lab uncovered a sophisticated framework of more than 30 different categories of module, each designed to carry out a specific task, such as identifying the software environment, infecting machines, installing back doors, searching for files, grabbing information, stealing credentials, recording keystrokes or uploading collected files. It also included special software to enable infected machines to be resurrected automatically upon the receipt of an email attachment in the event that the main body of malware should be discovered and removed, or the system patched.
There are contradictory views among experts as to the source, which remains unknown. Analysis of the malware indicated that it was different from the code found in Stuxnet, Duqu and Flame, suggesting that it was created by a different source.
In December 2012, security vendors Versafe and Checkpoint publicized details of a sophisticated Trojan horse they named Eurograbber, which had stolen an estimated 36 million euro from more than 30,000 customers in over 30 banks across Europe. The attacks began in Italy and quickly spread to Spain and Holland.
This attack began by infecting the computers of bank customers through a phishing email, which downloaded a Trojan (a variant of Zeus) designed to recognize and inject instructions into banking transactions, diverting money into a “mule” account owned by the criminals.
The attack was able to circumvent the SMS-based authentication system used by the targeted banks by asking the user to install new security software on their mobile device.