It is a well known fact that cybercrime is on the rampage. More organizations are being hit by financially-motivated cyber attacks during 2019 than ever before. And yet, as scary as cybercrime might be, it is not nearly as ominous as the word “APT”. The term, which stands for Advanced Persistent Threat group, was coined in the early 2000s and made popular after Mandiant’s APT 1 report, revealing the activities of one of China’s elite cyber espionage units. Since then, there has been countless exposés of nation-state campaigns against governments, journalists and ethnic groups.
These cyber attacks are of the highest sophistication, often utilizing purpose-built, never-seen-before tools and elaborate TTPs for realizing the attacker’s nefarious goals. The combination of the (very prominent) threat-actors, their motives and targets have caused the general, corporate population to consider APT threats to be of lesser importance. After all, why should the Chinese/ North-Koreans/Russian/ Iranians care to attack a ‘regular’ corporate entity like ourselves? And if they did, what could we do about it, anyway? The very notion of an APT seems to generate a general feeling of apathy in the face of overwhelmingly sophisticated and powerful threat actors.
But lately, as more and more APT campaigns have become exposed, it seems that the traditional notion of what an APT is, the potential risks it can pose to enterprises and the defensive options available to enterprise is starting to change.
What Are The Motives of APTs?
Let’s take a deeper look at the motives of nation-state hackers:
Diplomatic/ Political – Nation-state hackers operate to execute diplomatic and political policies of their countries. As such, they will target opposing states, dissidents, political leaders in exile and ethnic minorities in order to collect information or interfere with their activities.
Military – In a similar fashion, offensive cyber activities are carried out in order to obtain intelligence, interfere with the opponents’ military operations in order to deter them from acting in the kinetic domain.
Economic – Cyber attacks can be used to hurt enemy states financially. Iran has waged a destructive campaign against US banks and then against the Saudi oil industry. The explicit goal of such attacks is to cause financial losses to their targets.
Obtaining knowledge and IP – Some nations are infamous for stealing intellectual property. As Defense Secretary Mark Esper recently noted, “The PRC is perpetrating the greatest intellectual property theft in human history”. This now involves mostly cyber means, and targets any corporate or institution with IP that could be relevant to the development of Chinese industry. That includes any IP from academia to telecom, defense industries and aviation.
Financial – A rather new motive, currently linked to North Korea’s struggles to obtain sufficient foreign currencies to support its advanced weapons program. As part of these efforts, the North-Koreans have reportedly stole almost $3 Billion in cyber attacks against financial institutes according to a secret UN report. Lately, they have shifted their efforts towards obtaining payment card details from ATMs in India.
Sometime It’s Unclear – Recent evidence indicates that the lines between nation-state hackers and “simple” cybercriminals is blurring. Sometimes nation-state hackers will masquerade as cybercriminals in order to hide their true targets and goals – governments, manufacturing, energy, and utilities.
Are Enterprises Being Targeted by APTs?
As we’ve seen, nation-state hackers can attack businesses, either directly (for financial gain or to steal IP) or as a form of “collateral damage”. The latter is a recent development stemming from the complex structure of today’s supply chains. Nation-state hackers can now work their way up the supply chain, starting from smaller enterprises, compromise these and move on to bigger, more lucrative targets. An attack in this fashion was identified recently by the French cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), which alerted the European aerospace giant Airbus to a series of attacks that targeted its suppliers in their search for commercial secrets. Security sources told AFP that they suspected the attack was linked to a Chinese APT group. These suppliers are not necessarily from the defense or aviation industries themselves and as such are not under the same strict regulations that demand robust cybersecurity systems in place for companies such as Airbus.
Similarly, another attack targeted Saudi IT firms in order to obtain access to more secure targets.
What Can You Do About APT Threats?
Indeed, a nation-state campaign targeting your enterprise, whether directly or indirectly, is a pretty scary affair. But a deeper look at the tools and tactics used by these hackers reveals that, however proficient, they use similar TTPs to all hackers. They perform routine reconnaissance activities like network scanning, employ social engineering to obtain credentials, deliver their payloads via emails (usually hidden within documents or images) and infect endpoints in order to obtain access to data and then exfiltrate it. Regarding the Airbus attack mentioned above, ANSSI stated the attackers gained initial access to the target networks by exploiting security vulnerabilities at endpoints. Once in, they laterally spread across the network to meet their operational objectives.
Or, for another example, consider the North Korean campaign that targeted the 2018 Olympics. An extremely sophisticated and prolonged campaign that started with a malware-laden Word document that supposedly contained a list of VIP delegates to the games, had likely been emailed to Olympics staff as an attachment. The attachment included a macro script that planted a backdoor on the victims’ PCs. These attacks should have been identified and stopped at an earlier stage, if only the victims had had robust security systems (such as email and endpoint security) in place.
APTs: Separate the Fact From the FUD
A number of myths have built up around APTs from the inevitable FUD created by blazing media headlines. Accepting these beliefs uncritically can lead managers into adopting a kind of fatalistic apathy about their security posture. This is not only dangerous, it is unnecessary. Let’s take a look at them.
Myth 1: You can’t stop a determined attacker from getting in; the best you can do is make it as difficult as possible.
Reality: Anyone committed to this belief is committed to it based on faith, not fact. Facts require evidence. Of course, we only ever hear about threat actors’ successes and suspected attributions in the news headlines. “Fancy Bear Fails Again” isn’t a headline we’re likely to see, but the truth is that thousands of attempted and unattributed attacks are stopped on a daily basis. Believing that APT groups never fail and cannot be made to fail when it comes to your own organization is, first, just that: an unsupported belief; and second, a recipe for disaster. As we’ve argued elsewhere, you own your endpoints. And with the right approach, there’s no reason to concede that battleground to external entities.
Myth 2: Nation-state APTs have all the resources necessary to defeat any security.
Reality: As we noted above, most discovered APT breaches are leveraging well-known and cataloged TTPs and succeed, when they do, more often than not by persistently banging on the same door with relentless phishing campaigns. And even when it turns out that zero days are being traded and horded by certain groups, the fact is that even heavily resourced APTs are constrained by reality. You can’t defeat strong encryption; you can’t hide malicious behavior from a solution that sees everything and whitelists nothing, and you can’t change the fact that if you want to steal data, you have to move it from a device inside the organization to a device outside of it. That transfer is always detectable – at least in principle, and very often in practice. These realities provide defenders with opportunities to actively detect and respond to cyber attacks, even those undertaken by the most advanced APT groups. Remember, almost every APT-scary headline you ever read came about as a result of that APTs activity being detected.
Myth 3: Our enterprise isn’t of interest to APT groups; we’re too small or unimportant to be noticed.
Reality: This is the most dangerous myth of all. It’s analogous to the child’s “if I close my eyes the monster can’t see me” defence. Fortunately, an increasing number of senior executives are learning that in this age of ‘big data’ and machine learning, with its requirement for massive datasets, there are many ‘ordinary’ public actors – from Google to FaceBook to University research departments – that are interested in everything, and everyone. These groups know that information is power, and the same holds even more true for nation-states and the cyber groups that work on their behalf. Be assured, in this digital, connected world, information about your business and its activities is of value to someone, somewhere, no matter what you do.
The Russians ARE coming. So are the Chinese, Koreans, Iranians, and all the rest. There is no use in hiding or pretending that your enterprise is not at risk. On the other hand, there is no need to panic either. Employ sufficient security means, ones that can detect never-seen-before threats and contain them, engage in threat analysis, and develop your incident response plan. Lay solid security foundations, and you will be reasonably well secured even from the foreign spooks.