Sometimes, a cybersecurity incident can be so minor that if it were a sneeze, it would barely make us blink. Other times, it can be so profoundly earth shaking that we’d know for sure our entire body is about to collapse.
Unfortunately for us, the line between the two is quite easy to cross. Give the viruses enough time to incubate and you’ll go from being active one day to complete system shutdown the next. The key element here? Time. The time required to identify the weak signals of an unknown virus before it grows into a full-blown epidemic.
However obvious this may seem, the average time to detect a breach remains too long (anywhere between 98 and 197 days, according to a study by the Ponemon Institute) for a response to be fully effective.
This is how the infamous APT (advanced persistent threat) has made a name for itself, topping the list of the most dangerous threats in IT security. APTs are just like silent bombs, waiting to be remotely triggered… or not, seeing how some of the most successful attacks never even resurfaced.
An APT is best viewed as a set of ongoing and stealthy hacking processes, usually targeting a specific entity, that exploit a vulnerability in the system with the aim of extracting valuable information. The term can be traced to the US Air Force, where a representative used it in 2005 to label specific threat actors employing malware as part of their attacks.
As opposed to a mindless, automated piece of code, an APT is actively supported by a team of people (the command and control component) who continuously monitor the operation and work towards pre-set objectives. It is not just one virus or one piece of malware acting by itself, but rather an exploitation kit: an entire collection of techniques (we will avoid calling them ‘sophisticated’, as many others do, and explain why later).
APT + Pokédex = APTex
There are a total of 450 attacks detailed in the Pokédex. We will not list here every APT that has ever taken place, but for the purpose of this article we will make a short listing (our very own ‘best of’) of some of the most important ones.
Everything has a start. In this case, the earliest mention of an APT, as it is defined today, dates back to 1986, when a West German hacker working for the Soviet KGB broke into a networked computer at the Lawrence Berkeley National Laboratory (LBNL) in California. The details are vividly described in the book The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, written by Clifford Stoll, the computer manager who discovered the foreign presence.
The book (which can be read online here) describes how the hacker infiltrated the network by exploiting weak security in its satellite communication. The first of its kind, this incident triggered an awareness reaction within the recently blooming cybersecurity community. With connected computers comes great responsibility (or was it vulnerability…?).
Advanced persistent threat
Having started out as nation-state attacks, APTs continued in the same manner into the beginning of the millennium. Between 2003 and 2006, the US government fell victim to a series of cyber-hits called ‘Titan Rain’, including attacks on the military aircraft manufacturer Lockheed Martin and NASA. Originating from China, the attacks distinguished themselves through an elevated use of foxlike treachery: social engineering tactics (read our previous article, ‘Targeting the human behind the machine’, here).
On top of stirring controversy around the world, Titan Rain also set the tone for using multiple attack vectors (a.k.a. channels) to carry out data manipulation and extraction. By 2009, APT cyber-gangs had reached a turning point and extended their reach to all major industries, even where cybersecurity proved to be tight. GhostNet is one such example: another China-originating operation, which infiltrated political, economic and media targets in over 100 countries worldwide.
The novelty here was the use of phishing campaigns with malicious attachments (the now so-dreaded technique, given its popularity with ransomware). Once loaded on a computer, the payload enabled remote execution of commands on the infected system, including audio and video recording. In this case, the entry point was unwittingly provided by the human vulnerability. Round lost.
Upping the battle strategy
The paradigm changed once more with the arrival of Stuxnet. Having surfaced in 2010, it is the first malware discovered to pursue a specific objective against a particular target rather than just carrying out data gathering. Stuxnet was specifically designed by the US to spy on Iran’s nuclear facilities but, most importantly, to disable part of its hardware while remaining off the radar. The collector’s item in the APTex and the perfect example of a sophisticated APT attack.
Yet… the sad truth today is that there are APTs out there that are far from deserving the label ‘sophisticated’ and that still prove to be successful. Take, for instance, the latest APT discovered to have infected over 2,500 organizations in Southeast Asia, nicknamed Patchwork or the ‘Copy-Paste’ APT. As the name would have it, this threat doesn’t rely on a zero-day; it only reuses existing code to build its payload.
The pieces of code it employs are readily available for anyone’s picking on hacking forums. What’s more, Patchwork makes its way in through a known vulnerability, CVE-2014-4114, patched in Windows in 2014. So now, can we all just stare in awe at how such a basic kit, one that doesn’t even deserve to be called an ‘advanced’ threat, managed to become so ‘successful’?
As time passed, hacking kits became more and more available to less skilled attackers. While enterprises found themselves treating threats one by one, the most experienced cyber-criminals went ahead and pushed the boundaries of digital mischief. That is how unknown viruses were born and unique attack vector combinations came to be. Fighting a ‘disease’ that is already there, how can organizations survive? For that answer, you’ll just need to read our previous article, Behavior Analysis, I choose you!