Clever Geek Handbook

APT

APT (English: advanced persistent threat; also targeted cyber attack [1]) is an adversary with an advanced level of expertise and significant resources, which allow it to create opportunities to achieve its objectives by using several attack vectors (for example, cyber, physical and deception). These objectives typically include establishing and extending a foothold within the information technology infrastructure of the targeted organization in order to exfiltrate information, to undermine or impede critical aspects of a mission, program or service, or to position itself to carry out these objectives in the future. As a "persistent" threat, the APT pursues its objectives repeatedly over an extended period of time, adapts to the defenders' efforts to resist it, and is determined to maintain the level of penetration of the target infrastructure needed to execute its intentions [2][3].

The term APT was originally used to describe cyber attacks on military organizations, but it is no longer limited to the military sphere. An APT attack differs from conventional cyber threats in that it focuses on compromising a specific target and is prepared on the basis of information about that target collected over a long time. APT actors break into the targeted infrastructure by exploiting software vulnerabilities and by social engineering [4][5].

As of 2015 there are no absolute methods of countering APT-class threats, and the threats continue to evolve. Detecting a targeted attack requires thorough analysis of security events over a long period of time [6]. A distinctive feature of the aftermath of such an attack is that neither full recovery nor subsequent security can be guaranteed. Appropriate countermeasures require a deep understanding of the nature, patterns and risks of APTs [7].

Content

  • 1 Definitions
  • 2 Danger of APT attacks
  • 3 Main objectives of attacks
  • 4 Stages
    • 4.1 Preparation
    • 4.2 Penetration
    • 4.3 Distribution
    • 4.4 Achieving the goal
  • 5 Ways to Combat APT Threats
  • 6 Examples of successful APT attacks
  • 7 Known criminal groups
  • 8 See also
  • 9 Notes
  • 10 Literature
  • 11 Links

Definitions

Targeted cyberattack (targeted cyberattack [1]) - a kind of cyberattack whose course is controlled manually, in real time, by a person at the center of the attack. Its purpose is to steal protected information from the information system of a specific company, organization or public service. Important distinguishing features of targeted attacks are their duration, the long and resource-intensive preparation period, and the use of more than just technical and computing tools [8][9]. An integrated approach to building an attack can include actively influencing people by means of psychology and social engineering, combined with zero-day exploits against equipment [5].

The term APT is also used to denote the whole set of hardware, software and utilities needed to carry out a targeted attack. Today there is a huge variety of attack tools that prospective attackers can obtain online or on underground markets. Most modern security systems do not require unique hacking tools to be defeated; they yield to existing tools used in the right combination and with the right strategy [10].

Danger of APT Attacks

A targeted attack can pose a serious threat to a company's information security because it is hard to detect and its consequences are severe. On average an attack is detected about 200 days after it begins. Even after the presence of an APT in their network has been established, companies are not always able to eliminate the threat or even minimize its impact [7]. This leads to long downtime caused by attempts to regain control and by the incident investigation. Financial losses from large attacks average about $551,000 worldwide [11].

The main objectives of attacks

An APT attack may pursue a variety of goals [10]: theft of money or personal data; manipulation of business processes; weakening a competitor; blackmail and extortion; theft of intellectual property; making a political statement; or disrupting the operation of urban infrastructure [12][13].

Stages

A targeted attack has four stages (preparation, penetration, distribution, achieving the goal), each of which is accompanied by activity aimed at hiding the traces of presence in the system [1].

Preparation

Preparation includes choosing the target, gathering as much information about it as possible, and identifying weaknesses in its security. A strategy is then developed; penetration tools are selected from those already available or new, specialized ones are built, and they are then tested on models.

The choice of an organization as the target, and the definition of the tasks of the upcoming attack, are most often made on the order of an interested party, or independently after monitoring the market. Publicly accessible sources serve as monitoring tools: RSS feeds, official company accounts on social networks, and specialized forums where employees of the target companies may be active [10].

Further reconnaissance is then carried out to discover vulnerabilities. Since the technical means used to protect the information network are not disclosed, attackers try to learn the structure of the information system and its weaknesses by any available method, including social engineering [14].

Some reconnaissance methods [15][16]:

  • Insider. The attackers obtain the necessary information from recently dismissed or current employees of the company. Direct bribery or blackmail is not required; a former employee may not even realize that he has become a source of private data. A common scenario: a former employee of the company is invited to an interview for a new position that might interest him. During the interview a fake HR specialist provokes him into demonstrating his professional qualities, and in doing so he gives away information about his previous job [10].
  • Open sources. Carelessness by companies about destroying paper records, publishing lists of employee names on official websites and government portals, and similar practices allow attackers to collect fairly complete information about the target company: the names of employees, their e-mail addresses and telephone numbers; the working hours of company departments; various internal information; and information about business partners. Everything obtained this way is put to use in social engineering to gain the trust of, or deceive, company employees [1][5].
  • Social engineering. This covers many techniques. For example, when contacting a targeted employee through social networks or by telephone, the attackers introduce themselves using the names of real internal employees in order to obtain the necessary information or to make the victim take the required action [17].

After working out in detail a strategy that covers every stage of the penetration (including the attackers' actions in contingencies), they build a so-called test bed (a fully functional model of the targeted software and its security system). This model lets them rehearse the implantation techniques, explore possible ways of bypassing detection tools, and make sure that all traces of the penetration can be hidden [10].

It should be noted that this and the subsequent stages can be very costly for the attackers. In particular, it is sometimes cheaper for them to write the necessary set of attack tools themselves than to pay for a ready-made but unoptimized one. As a rule, such a toolset consists of a command-and-control center (C&C) [18], penetration tools and the main malicious module [19].

Penetration

At this stage zero-day vulnerabilities are exploited, along with every available social engineering technique. After confirming that the required host has been penetrated, the attacker issues the command from the control center (C&C) to install the malicious code.

The main means of penetration and their purpose:

  • Exploit is the main penetration tool. The most commonly exploited vulnerabilities are in Adobe PDF, Adobe Flash, Microsoft Office and Internet Explorer [20]. An exploit can be delivered via e-mail, websites or USB devices [21][22].
  • Validator is a program that collects and checks information from an infected host and transmits it (in encrypted form) to the control center, where a person decides whether to continue the attack. The validator then receives the corresponding command: load the Dropper to start the attack, self-destruct if the data on the host is of no value, or wait if the decision is postponed [10]. It is delivered via e-mail, through websites and, much less often, on USB devices. An important property of this program is its safety for the attackers: even if it is intercepted by the security team, it carries no information about the attack itself or about the attackers [21].
  • Downloader is a program for quickly infecting a host, delivered through phishing e-mail attachments or phishing sites. When launched, it loads the main malicious module (the Payload) or the Dropper.
  • Dropper is a Trojan that delivers the Payload module to the victim's machine (via hidden autostart). It is delivered via e-mail, websites, an exploit or the validator. Usually the program injects its own code directly in memory into the most active process running on the computer.
  • The main malicious module of a targeted attack, loaded onto the infected host by the Dropper, may consist of several additional functional modules, each performing its own function [10]:
    • keylogger;
    • screen recording;
    • remote access;
    • distribution module within the infrastructure;
    • interaction with the C&C and updating;
    • encryption;
    • cleaning traces of activity, self-destruction;
    • reading local mail;
    • information search on disk.

The module itself is built with multi-level encryption to evade detection and to conceal information about the attackers.

Distribution

In this phase the attacker tries to spread the code as widely as possible across the network, focusing on the key points (workstations and servers) needed to achieve the objectives of the attack. RDP remote access is used, and because the attacker operates with legitimate administrator privileges, the activity is hard for security systems to distinguish from normal administration [23][24].
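The RDP fan-out described above does leave a trace that defenders can look for: a successful Windows logon event (4624) whose LogonType is 10 means a RemoteInteractive, i.e. RDP, session, so one account opening RDP sessions to many hosts in a short time, or from a machine that is not an approved jump host, is the signal to alert on. The Python below is an added example, not part of the original article or of any product it cites; the events, host names, accounts and the approved jump-host address are constructed, and the one-hour window and three-host threshold are assumptions to be tuned to the environment.

```python
"""Detect RDP-based lateral movement in Windows Security logon events.

Constructed sample data (not from any real network). Relies on the documented
meaning of Windows event 4624 (successful logon) with LogonType 10
(RemoteInteractive, i.e. RDP). Host names, accounts, addresses, the window
and the threshold below are hypothetical and should be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
WINDOW = timedelta(hours=1)      # assumption: sliding window for fan-out
MAX_HOSTS_PER_WINDOW = 3         # assumption: a normal admin rarely hops more
JUMP_HOSTS = {"10.0.5.10"}       # assumption: the only approved RDP source

# Constructed events in the shape a SIEM would normalise 4624 records to.
SAMPLE_EVENTS = [
    {"time": "2016-10-30T01:02:00", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\jdoe", "host": "WS-0142", "src_ip": "10.0.5.10"},
    {"time": "2016-10-30T01:10:00", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\svc_backup", "host": "FS-01", "src_ip": "10.0.7.23"},
    {"time": "2016-10-30T01:14:00", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\svc_backup", "host": "FS-02", "src_ip": "10.0.7.23"},
    {"time": "2016-10-30T01:19:00", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\svc_backup", "host": "DC-01", "src_ip": "10.0.7.23"},
    {"time": "2016-10-30T01:25:00", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\svc_backup", "host": "SQL-01", "src_ip": "10.0.7.23"},
    # network logon (type 3), not RDP: must be ignored by the RDP rules
    {"time": "2016-10-30T03:00:00", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\svc_backup", "host": "FS-03", "src_ip": "10.0.7.23"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def rdp_logons(events):
    """Keep only successful RDP (RemoteInteractive) logons, sorted by time."""
    sel = [e for e in events
           if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE]
    return sorted(sel, key=lambda e: parse_time(e["time"]))


def find_lateral_movement(events):
    """Return alerts for (a) accounts that reached more than MAX_HOSTS_PER_WINDOW
    distinct hosts over RDP inside any WINDOW and (b) RDP sessions whose source
    is not an approved jump host (one alert per account/source pair)."""
    alerts = []
    per_account = defaultdict(list)
    unapproved = defaultdict(set)          # (account, src_ip) -> hosts reached
    for e in rdp_logons(events):
        per_account[e["account"]].append(e)
        if e["src_ip"] not in JUMP_HOSTS:
            unapproved[(e["account"], e["src_ip"])].add(e["host"])

    for account, evs in per_account.items():
        start = 0
        for end in range(len(evs)):            # sliding window over this account
            t_end = parse_time(evs[end]["time"])
            while parse_time(evs[start]["time"]) < t_end - WINDOW:
                start += 1
            hosts = {ev["host"] for ev in evs[start:end + 1]}
            if len(hosts) > MAX_HOSTS_PER_WINDOW:
                alerts.append({"type": "rdp_fan_out", "account": account,
                               "hosts": sorted(hosts)})
                break                          # one fan-out alert per account

    for (account, src_ip), hosts in unapproved.items():
        alerts.append({"type": "rdp_from_unapproved_source", "account": account,
                       "src_ip": src_ip, "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for a in find_lateral_movement(SAMPLE_EVENTS):
        print(a)
```

On the constructed data the service account is reported twice: once for reaching four hosts within an hour and once for coming from an address that is no jump host, while the administrator working from the jump host produces nothing. The type-3 network logon is deliberately excluded so that the rule stays specific to RDP; a separate rule would cover SMB or WMI-based spreading.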

Achieving the goal

At this stage the attacker carries out either theft (accompanied by compression and encryption of the data) [25], alteration of classified information, or whatever other manipulation is required. This is followed by covering tracks and, if necessary, leaving re-entry points into the system [26].

Ways to Combat APT Threats

The main way of countering targeted attacks is to prevent them from starting, since an attack in progress is extremely hard to notice. Standard technical means of prevention include signature analysis, enforcing rules for network connections, application blacklists and whitelists, firewalls and inter-segment control, IDS/IPS, SIEM, content filters, and file anti-virus combined with an up-to-date anti-spam policy to eliminate threats from mass mailings (for example, password-protected archives containing malicious code). An important part of preventing APT attacks is training personnel in correct information security practice [7][27].
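The mass-mailing case mentioned above (a password-protected archive carrying malicious code) deserves a concrete check: an anti-virus engine cannot scan an encrypted ZIP member, but the archive's central directory, including each member's name and its encryption flag, is still readable, so a mail gateway can quarantine on that alone. The Python below is an added example, not code from the article or from any cited vendor; the risky-extension list is an assumption, and the archive it inspects is built in memory for the demonstration.

```python
"""Flag e-mail attachments that are ZIP archives with encrypted members or
executable content. Added example; the archive below is constructed in memory
and is not real mail. The extension list is an assumption, not a standard."""
import io
import posixpath
import struct
import zipfile

RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
                    ".docm", ".xlsm", ".lnk"}
ZIP_ENCRYPTED_FLAG = 0x0001   # general-purpose bit 0 (PKWARE APPNOTE)


def inspect_zip(data):
    """Return a verdict dict for an attachment body.

    zipfile reads only the central directory here, so member names and flag
    bits are available even when the member data itself is encrypted."""
    verdict = {"is_zip": False, "encrypted": [], "risky": [], "bad_magic": False}
    if not data.startswith(b"PK\x03\x04"):
        return verdict
    verdict["is_zip"] = True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                    verdict["encrypted"].append(info.filename)
                if posixpath.splitext(info.filename)[1].lower() in RISKY_EXTENSIONS:
                    verdict["risky"].append(info.filename)
    except zipfile.BadZipFile:
        # Claims to be a ZIP but does not parse: AV cannot inspect it either.
        verdict["bad_magic"] = True
    return verdict


def should_quarantine(verdict):
    return verdict["is_zip"] and bool(
        verdict["encrypted"] or verdict["risky"] or verdict["bad_magic"])


def build_sample_zip(encrypted):
    """Construct a two-member archive in memory (sample input, not real mail).

    Python's zipfile cannot write encrypted entries, so for the encrypted case
    the flag bit of the first member is set by patching its local header
    (flags at offset 6) and its central directory record (flags at offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.js", "WScript.Echo('constructed sample');")
        zf.writestr("readme.txt", "constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.index(sig) + off
            flags = struct.unpack_from("<H", data, pos)[0]
            struct.pack_into("<H", data, pos, flags | ZIP_ENCRYPTED_FLAG)
    return bytes(data)


if __name__ == "__main__":
    for enc in (False, True):
        v = inspect_zip(build_sample_zip(enc))
        print(enc, v, "quarantine" if should_quarantine(v) else "pass")
```

Both constructed archives are quarantined, the plain one because of the script member and the patched one additionally because that member is marked encrypted; a non-ZIP body passes untouched. In a real gateway the same verdict would feed the anti-spam policy rather than a print statement, and nested archives would need the check applied recursively.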

If an attack has nevertheless started, or is suspected, the task becomes detection and containment. Although a number of measures exist for detecting APTs, they are often ineffective [28]. Such measures include services that audit systems, sufficiently competent security specialists, automated security event processing systems, and current data on existing threats [29], for example Threat Data Feeds, a service that provides the following information [30]:

  • A set of URLs of known malicious links and websites.
  • IP reputation - a ranking of IP addresses by their security level.
  • A set of file hashes covering known malware.
  • Botnet activity.
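Matching such a feed against local telemetry is mechanical but has edge cases a practitioner cares about: URLs must be normalized before comparison (host case, default ports), a domain indicator should match its subdomains but not look-alike domains that merely share a suffix, and an IP reputation score needs a threshold. The Python below is an added example, not the article's or any vendor's code; the feed entries, proxy log lines, endpoint file events, file contents and the alert threshold are all constructed for the demonstration.

```python
"""Match a threat data feed (malicious URLs/domains, IP reputation, file
hashes) against proxy and endpoint logs. Added example; every feed entry, log
line and file below is constructed and is not real threat intelligence."""
import hashlib
from urllib.parse import urlsplit

# Constructed "malware": the feed hash is computed from these bytes at import.
SAMPLE_FILE = b"MZ-this-is-not-a-real-binary"
BAD_HASH = hashlib.sha256(SAMPLE_FILE).hexdigest()

FEED = {
    "urls": {"http://update-check.example.net/stage2.bin"},
    "domains": {"cdn-static.example.org"},      # matches the host and its subdomains
    "ip_reputation": {"203.0.113.45": 95, "198.51.100.7": 40},  # 0-100, higher = worse
    "hashes": {BAD_HASH},
}
IP_ALERT_THRESHOLD = 80   # assumption

# Constructed proxy log: epoch client method url status dest_ip
PROXY_LOG = """\
1477785600 10.0.3.14 GET http://intranet.example.com/news 200 10.0.1.5
1477785601 10.0.3.14 GET http://Update-Check.example.net:80/stage2.bin 200 203.0.113.45
1477785602 10.0.3.22 GET https://img.cdn-static.example.org/a.png 200 198.51.100.7
1477785603 10.0.3.22 GET https://notcdn-static.example.org/x 200 192.0.2.9
""".splitlines()

# Constructed endpoint file events: (host, path, sha256)
FILE_EVENTS = [
    ("WS-0142", r"C:\Users\jdoe\AppData\Local\Temp\stage2.bin", BAD_HASH.upper()),
    ("WS-0150", r"C:\Program Files\Vendor\app.exe", hashlib.sha256(b"benign").hexdigest()),
]


def normalize_url(url):
    """Lower-case the host, drop a default port; return (normalized_url, host)."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(p.scheme)
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{netloc}{p.path or '/'}{query}", host


def domain_matches(host, feed_domains):
    """True if host equals a feed domain or is a subdomain of one.

    The label boundary ('.' + domain) is what keeps notcdn-static.example.org
    from matching cdn-static.example.org."""
    return any(host == d or host.endswith("." + d) for d in feed_domains)


def match_proxy_line(line, feed):
    _ts, client, _method, url, _status, dest_ip = line.split()
    norm, host = normalize_url(url)
    hits = []
    if norm in feed["urls"]:
        hits.append(("url", norm))
    if domain_matches(host, feed["domains"]):
        hits.append(("domain", host))
    if feed["ip_reputation"].get(dest_ip, 0) >= IP_ALERT_THRESHOLD:
        hits.append(("ip", dest_ip))
    return client, hits


def scan(proxy_lines, file_events, feed):
    """Return one alert per indicator hit across both log sources."""
    alerts = []
    for line in proxy_lines:
        client, hits = match_proxy_line(line, feed)
        for kind, indicator in hits:
            alerts.append({"source": client, "kind": kind, "indicator": indicator})
    for host, path, sha in file_events:
        if sha.lower() in feed["hashes"]:       # hashes compared case-insensitively
            alerts.append({"source": host, "kind": "hash", "indicator": sha.lower(),
                           "path": path})
    return alerts


if __name__ == "__main__":
    for a in scan(PROXY_LOG, FILE_EVENTS, FEED):
        print(a)
```

On the constructed input the stage-2 download is caught twice (exact URL after normalization, and the destination address's reputation), the image fetched from a subdomain of the listed domain is caught once, the look-alike domain is not, and the endpoint that holds the file with the listed hash is reported even though its sensor recorded the hash in upper case.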

If the attack is confirmed, measures must be taken to stop it, and the damage inflicted must be assessed.

However, even after a threat has been detected and corrective measures taken, an APT may remain in the system for years [11].

Examples of successful APT attacks

Not all APT incidents become known to the general public, since a public statement about one attack can provoke new ones and also lets the attackers learn from their mistakes. Nevertheless, a number of major attacks have been documented [31][32][33].

1998-2000

  • Moonlight Maze is a successful attack on the Pentagon , NASA , and the US Department of Energy .

2007

  • The attack on the Oak Ridge National Laboratory is an example of successful social engineering: the attackers obtained legitimate access to the system through e-mail, after which they allegedly stole information from the laboratory's databases.
  • The attack on the Los Alamos National Laboratory was one of a series of attacks on American laboratories.

2008

  • Attack on the US Department of Defense. Foreign agents managed to introduce malware into the department's systems using a USB flash drive; the code spread to a huge number of computers.
  • Attack on the Office of His Holiness the Dalai Lama (OHHDL). The attackers obtained a user's password for the system and then replaced the contents of a legitimate letter in order to gain remote access to the OHHDL system.

2009

  • GhostNet - the largest cyber-espionage operation of its time, which infected more than 1,000 computers, including government systems, in more than 100 countries.
  • Stuxnet - a worm aimed at the Iranian nuclear program. It reprogrammed industrial control systems (Siemens PLCs) in order to sabotage uranium-enrichment centrifuges, and is widely attributed to state actors.
  • Night Dragon - an attack on global oil and gas companies. The attackers used social engineering and Windows vulnerabilities to gain access to internal accounts and information.
  • Operation Aurora - an attack on Google's infrastructure (among other companies) aimed at stealing source code.

2010

  • Stuxnet - continued.
  • Attack on the Australian resource sector - an attack on three large Australian resource companies: BHP Billiton, Fortescue Metals Group and Rio Tinto.
  • Attack on the French government - criminals were able to remotely control government computers and extract documents, remaining undetected for more than 3 months.

2011

  • Attack on the French government - continued.
  • Attack on the Canadian government - the attackers sent employees forged e-mails that appeared to come from senior management. The messages carried malware that gave the attackers access to sensitive data.
  • Attack on the Australian government - the attackers had access to the correspondence of senior officials for at least a month.
  • Comodo Affiliated Root Authority - an attack on a certificate authority, as a result of which fraudulent SSL certificates for well-known domains appeared, for example mail.google.com, www.google.com, login.yahoo.com, login.skype.com, etc.
  • Oak Ridge National Laboratory - the attackers used a zero-day exploit for Internet Explorer; it remains unknown whether any data was stolen, but the laboratory's operations were halted for two days.
  • Attack on the International Monetary Fund. It required custom-written software, and as a result the attackers gained access to important political and economic information.

Known criminal groups

Attacks are developed and planned by groups of people with sufficient expertise. Most often their targets are banking systems [34].

  • Carbanak - an international group, still active (2015).
  • Metel - a Russian-speaking group, active (2015).
  • GCMAN - a Russian-speaking group, partly neutralized (2015).
  • Blue Termite - a group whose campaign targeted Japanese organizations (2015).

See also

  • Attack on an information system
  • Sabotage
  • Cybercrime
  • Cyber espionage
  • Unauthorized access
  • Social engineering
  • Trojan horse (computing)
  • Vulnerability
  • Sofacy Group

Notes

  1. Kim & Kim, 2014, p. 132.
  2. MITRE, 2014.
  3. Chen, Desmet & Huygens, 2014, p. 2.
  4. Jeun, Lee & Won, 2012, p. 145.
  5. Krombholz, Hobel, et al., 2015, p. 1.
  6. Lee, Lee & Park, 2014, pp. 215-220.
  7. Awan, Burnap & Rana, 2015, p. 15.
  8. Kim & Kim, 2014, pp. 132, 137.
  9. SecureWorks, 2016, p. 2.
  10. Levtsov, Demidov, part 1, 2016.
  11. Research report. Business Information Security. Kaspersky Lab (2014).
  12. Sood & Enbody, 2014, p. 3.
  13. Jeun, Lee & Won, 2012, p. 146.
  14. Chen, Desmet & Huygens, 2014, p. 4.
  15. Krombholz, Hobel, et al., 2015.
  16. Jeun, Lee & Won, 2012, pp. 147-148.
  17. Krombholz, Hobel, et al., 2015, pp. 2-3.
  18. Kim & Kim, 2014, pp. 132, 134-135.
  19. Chen, Desmet & Huygens, 2014, p. 5.
  20. Chen, Desmet & Huygens, 2014, pp. 4-5.
  21. Kim & Kim, 2014, p. 134.
  22. Sood & Enbody, 2014, pp. 1, 38.
  23. Chen, Desmet & Huygens, 2014, pp. 5-6.
  24. Jeun, Lee & Won, 2012, p. 148.
  25. Chen, Desmet & Huygens, 2014, p. 6.
  26. Sood & Enbody, 2014.
  27. Sood, A. US Military Defense Systems: The Anatomy of Cyber Espionage by Chinese Hackers // The Georgetown Journal of International Affairs. 2014.
  28. Chen, Desmet & Huygens, 2014, pp. 6-7.
  29. SecureWorks, 2016, pp. 5-6.
  30. Levtsov, Demidov, part 3, 2016.
  31. Sood & Enbody, 2014, pp. 1, 5-6.
  32. Chen, Desmet & Huygens, 2014, p. 7.
  33. Jeun, Lee & Won, 2012, p. 147.
  34. The number of APT bank robberies using Metel, GCMAN and Carbanak 2.0 attacks is growing (in Russian). Securelist (February 15, 2016). Retrieved October 30, 2016.

Literature

Scientific and technical sources
  • Awan, M. S., Burnap, P., Rana, O. F. Estimating Risk Boundaries for Persistent and Stealthy Cyber-Attacks // Proceedings of the 2015 Workshop on Automated Decision Making for Active Cyber Defense. ACM, 2015. P. 15-20. DOI: 10.1145/2809826.2809830. (inaccessible link)
  • Butt, M. I. A. BIOS integrity and advanced persistent threat // 2014 Conference on Information Assurance and Cyber Security. IEEE, 2014. P. 47-50. DOI: 10.1109/CIACS.2014.6861331.
  • Chen, P., Desmet, L., Huygens, C. A Study on Advanced Persistent Threats // Communications and Multimedia Security. Springer Berlin Heidelberg, 2014. P. 63-72. DOI: 10.1007/978-3-662-44885-4_5.
  • Jeun, I., Lee, Y., Won, D. A practical study on advanced persistent threats // Computer Applications for Security, Control and System Engineering. Springer Berlin Heidelberg, 2012. P. 144-152. DOI: 10.1007/978-3-642-35264-5_21.
  • Kim, Y., Kim, I. Involvers' Behavior-based Modeling in Cyber Targeted Attack // Eighth International Conference on Emerging Security Information, Systems and Technologies. IARIA, 2014. P. 132-137. ISBN 978-1-61208-376-6.
  • Krombholz, K., Hobel, H., et al. Advanced social engineering attacks // Journal of Information Security and Applications. 2015. June. P. 113-122. DOI: 10.1016/j.jisa.2014.09.005.
  • Sood, A., Enbody, R. Targeted Cyber Attacks. Elsevier Inc., 2014. ISBN 978-0-12-800604-7.
  • Lee, C.-Y., Lee, T.-J., Park, H.-R. The characteristics of APT attacks and strategies of countermeasure // Future Information Engineering. WIT Press, 2014. P. 215-220. DOI: 10.2495/ICIE130251.
  • Virvilis, N., Gritzalis, D., Apostolopoulos, T. Trusted Computing vs. Advanced Persistent Threats: Can a defender win this game? // 2013 IEEE 10th International Conference on Ubiquitous Intelligence and Computing and 2013 IEEE 10th International Conference on Autonomic and Trusted Computing. IEEE, 2013. P. 396-403. DOI: 10.1109/UIC-ATC.2013.80.

Expert advice
  • Cyber Risk Remediation Analysis // Systems Engineering Guide. MITRE, 2014. P. 184-191. ISBN 978-0-615-97442-2.
  • Pingree, L., MacDonald, N., Firstbrook, P. Best Practices for Mitigating Advanced Persistent Threats. Gartner, 2013.
  • The Advanced Persistent Threat: Practical Controls the SMB Leaders Should Consider Implementing. Internet Security Alliance, 2013.
  • Advanced Threat Protection with SecureWorks. Retrieved October 30, 2016.
  • Levtsov, V., Demidov, N. Anatomy of a targeted attack, part 1 (in Russian) // Information Security / Информационная безопасность. 2016. No. 2. P. 36-39.
  • Levtsov, V., Demidov, N. Anatomy of a targeted attack, part 3 (in Russian) // Information Security / Информационная безопасность. 2016. No. 4. P. 40-45.

Journalism
  • Pauli, D. Security researchers face wrath of spy agencies // The Register. 2015. October 22.
  • Weinberger, S. Computer security: Is this the start of cyberwarfare? // Nature. 2011. Vol. 474, no. 7350. P. 142-145. DOI: 10.1038/474142a.

Links

  • Chronicle of targeted cyberattacks (inaccessible link). SecureList. Archived November 18, 2015.
  • Advanced Threat Protection with SecureWorks.
  • Advanced Persistent Threat (inaccessible link). Anti-Malware.ru. Retrieved November 17, 2015. Archived November 17, 2015.
  • Advanced Persistent Threats. Infosecurity Magazine.
  • APT. SC Magazine UK.


Source - https://ru.wikipedia.org/w/index.php?title=APT&oldid=98097167



Clever Geek | 2019