By: Divya Bora
July 30, 2021
Sources, Motives and Targets of APT
By: Divya Bora
July 30, 2021
WHAT IS ADVANCED PERSISTENT THREAT (APT)?
An advanced persistent threat is a prolonged and targeted cyberattack in which an intruder, or a group of intruders, establishes their illicit presence on a network to infiltrate and/or exfiltrate as much valuable data as possible without being discovered.
WORKING OF APT
An APT's life cycle is much longer and more complex than any other kind of attack. A few examples of APT will be discussed later in the article. The following are the various stages of an APT's lifecycle:
Define target: The attacker(s) begin by determining their target. Then, they further define the type or amount of data they wish to capture and why.
Find and organize accomplices: This stage requires a wise selection of the team members based on the skills required to pursue insider access.
Build or acquire tools: This stage requires discovering existing tools or creating new tools/applications to get the job done.
Research target: This is a key stage to discover who has the access required for the attack. A thorough study of the target's hardware or software is required to plan an appropriate attack.
Test for detection: This stage identifies weak spots by testing tools and communications.
Deployment: This is the stage where the attacker starts the actual attack and begins to infiltrate the target network, as planned.
Initial intrusion: This is the stage when the attacker has entered the target network and has to search for a way to finally reach their actual target (person/people or systems).
Outbound connection initiated: This is when the attacker acquires their final target and now will create a path or a tunnel to exfiltrate the sensitive data from the target back to the base.
Expand access and obtain credentials: This is the stage where the attacker will attempt movement by leveraging the target's access. This can be done by creating a controlled ghost network inside the target network.
Strengthen foothold: This is the stage where the attacker will strive to exploit the utmost vulnerabilities to expand their access to other valuable locations to find more sensitive data.
Exfiltrate data: This is the stage where the attacker has obtained what they were looking for and starts returning information to their base.
Cover tracks and remain undetected: This is also one of the most essential stages of the attack. The entire attack hinges upon the attacker's ability to stay hidden within the network. So the attacker should clear any traces of their presence and continuously perform stealth checks.
SOURCES, MOTIVES, AND TARGETS OF APT
Who is behind APT?
An APT has actors/sources with an apt amount of sophistication, organization, and resources to carry out the attack, unlike other (less sophisticated or determined) attackers. APT actor(s) persistently target the specific organization or entity and adapt accordingly to achieve their goals. Advanced Persistent Threat actors may be:
- Corporate espionage actors
- Nation-state actors
- Organized criminal actors
- Well known APT groups
What are the motives behind APT?
The motives behind these APT vary greatly as different actors may have different sources of motivation. The most familiar motives behind Advanced Persistent Threats may be:
- Intelligence gathering
- To obtain a foothold for further exploitation
- To obtain indirect access to a target or its affiliate
- Financial gain
- Gain a competitive industrial advantage
- Damage an organization's reputation or take down its systems
Who are the common targets for APT?
APT actors have industry-specific targets, which may include valuable information or assets and provide the actors a motive to perform the attack. The types of targeted information and assets included may be:
- Access credentials
- Classified information
- Cash or cash equivalents
- Control system access
- Financial information
- Intellectual property
- Infrastructure access to launch a related exploit or attack
- Sensitive information
APT DETECTION & REMEDIATION
How to detect an APT?
Despite being hard to detect, APTs may have certain warning signs that an organization may notice after or while it's being targeted by an APT, which include:
- Presence of unusual data files as the required data may be bundled into files to assist the exfiltration process.
- Extensive use of backdoors, like trojan horse malware, assists APTs in maintaining access.
- Unusual activity or user accounts created.
- Odd or unexpected database activity like an increase in database operations which involves the movement of enormous amounts of data.
- Traffic anomalies, such as unusual volumes, on non-standard ports or during non-standard times.
How to manage an APT attack?
Since APTs are targeted and skillfully planned attacks, they require a layered security approach:
- Traffic monitoring
The best practice for preventing the installation of backdoors and blocking stolen data extraction is by monitoring incoming and outgoing network traffic. Traffic monitoring helps warn the security teams of any abnormal activity, which may further help them identify malicious activity. Internal traffic can be monitored using network firewalls and provides a granular view of the user interactions within the network. This may immensely assist in identifying internal traffic abnormalities. File share access can also be monitored. Hence, internal traffic monitoring is useful for the detection and removal of backdoor shells.
- Application and domain whitelisting
An APT attack's success rate can be reduced by minimizing available attack surface, which can be done by whitelisting. Whitelisting helps control domains and applications that the users can install. Since the most trusted domains can be compromised, whitelisting is far from being foolproof. Old software versions are prone to be exploited, and mostly malicious files arrive under legitimate software guise. However, to perform effective whitelisting, stern update policies should be enforced to ensure the users are running the latest software versions.
Employees of an organization are the most vulnerable soft spots of their network, which is why intruders target them to infiltrate the organization's security perimeter. The targets usually fall into one of the following categories:
a. Careless users: They ignore network security policies and often end up unknowingly granting access to potential threats.
b. Malicious insiders: They intentionally use their credentials to grant access to the intruders.
c. Compromised users: They are the ones whose network access privileges are compromised and used by the attackers.
To set up effective access controls, a thorough review of the information employees have access to is required. Two-factor authentication should be used to secure key network access points so that unauthorized access can be distinguished from legitimate user access.
Files and the corresponding user activity must be compared to their baseline behaviors to determine whether it is normal or suspicious. Security vulnerabilities and suspicious activities should be tracked and analyzed to prevent a threat. A proper response plan should be created to respond and manage particular threats.
- Protect the perimeter
Limited access should be given to control any firewall or physical space as access points can provide an entrance to APT attacks. Any infiltration sources like open Wifi routers, unpatched servers, insecure firewall, and unlocked server room doors should be fixed as quickly as possible.
EXAMPLES OF APT
A few examples of Advanced Persistent Threats include:
Sykipot is an APT malware family which has leveraged flaws in Adobe Reader and Acrobat. It has been around since 2007 and is used as a backdoor to get full access to the victim's machine. After the machine is infected, the installed backdoor will communicate with the Command & Control (C&C) server and execute various commands on the affected system. Sykipot has been used to steal industry-specific sensitive information through targeted attacks. It can execute both command prompt and backdoor commands on the affected system using the C&C server. Execution of the commands enables the attacker to perform tasks like retrieving system and network information, rebooting the system, managing processes, managing files, and uninstalling itself from the system. Sykipot has been a part of several cyberattacks targeting U.S. and U.K. organizations like government agencies, defense contractors, and telecommunication companies.
GhostNet was large-scale cyber espionage that was discovered in March 2009. It had infiltrated high-value political, economic, and media locations in over a hundred countries compromising more than 1200 computer systems. The C&C server was based in the People's Republic of China. It controlled the audio and camera recording functionalities of computer systems belonging to embassies, foreign ministries, government offices in India, London, and New York.
GhostNet used meticulously crafted social engineering emails to deliver the trojan, and upon installation, it would connect back to the C&C server to receive and execute commands. Although the C&C server was based in China, the Chinese government denied being linked to GhostNet.
Stuxnet was first identified in 2010 by the infosec community but was under development since 2005. It is an extremely sophisticated computer worm that exploits various previously unknown Windows zero-day vulnerabilities to spread into computers. Its specific target is centrifuged, which produces enriched uranium to power nuclear weapons and reactors.
Stuxnet has a widespread infection rate and does minor or no harm to computers not involved in uranium enrichment. It checks the computer's connection to specific programmable logic controllers(PLC) manufactured by Siemens. PLCs control industrial machinery such as uranium centrifuges, so the worm alters the PLCs' programming, leading to the destruction of the centrifuges. Even while this is taking place, the PLCs will tell the controller computer that everything is functioning efficiently, making it difficult to detect or diagnose any warnings until it's too late.
Stuxnet was created by the United States and Israel's intelligence agencies and is intended to delay Iran's development of nuclear weapons.
- Deep Panda
Deep Panda was created on 31 May 2017 and is suspected to be a Chinese threat group that has targeted various industries such as government, defense, finance, and telecommunication. The intrusion into the healthcare company Anthem has been attributed to Deep Panda. Deep Panda has also been called by several other names such as Shell Crew, WebMasters, KungFu Kittens, Black Vine, and Pink Panther. Deep Panda was an APT attack against the U.S. government's Office of Personnel Management and compromised over 4 million U.S. personnel records, including details about secret service staff.
APT28, also referred to as Fancy Bear or Sofacy, is a nation-state adversary group operating since at least 2008 and is a threat to a wide variety of organizations in the world. They generally target the aerospace, defense, energy, government, and media using a sophisticated and cross-platform implant. Fancy Bear uses phishing messages and credential harvesting using spoofed websites to attack their victims and run multiple intrusion operations concurrently. Fancy Bear dedicated a considerable amount of time to develop their primary implant called Xagent and to leverage proprietary tools like X-Tunnel, Foozer, and Downrange.
APT29, also referred to as Cozy Bear, is a Russian hacker group associated with Russia's intelligence agencies. It has different projects with different user groups. Cozy Bear targets commercial entities and government organizations in Germany, Uzbekistan, Korea, and the U.S., including the U.S. State Department and White House.
APT34 conducts cyber espionage on behalf of Iran to establish its regional power in the Middle East. It was identified by FireEye and has been operational since 2014. It has had a wide variety of industrial targets, including financial, energy, chemical, and telecommunication. It uses a mix of public and non-public tools to conduct spear-phishing operations through compromised accounts and social engineering techniques.
APT37, also known as the Reaper and StarCruft, is based in North Korea. It was identified by FireEye and had been operating since 2012. It exploited an Adobe Flash zero-day vulnerability to spread the malware and gain access to the computer systems. Its primary target was to gather information about the South Korean military and government; however, it expanded its efforts to Japan, the Middle East, and Vietnam.
This article offers us wholesome knowledge about Advanced Persistent Threats and is an ultimate guide for looking to deep dive into the topic. Advanced Persistent Threats are one of the most sophisticated forms of cyberattacks. People should be aware of them as the primary aim is to extract as much sensitive information as possible.
https://aristininja.com/apt-lifecycle/(Image 1) https://www.varonis.com/blog/advanced-persistent-threat/ https://www.secureworks.com/blog/advanced-persistent-threats-apt-a https://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT https://www.imperva.com/learn/application-security/apt-advanced-persistent-threat/ https://community.rsa.com/thread/185437 https://cyber.harvard.edu/cybersecurity/GhostNet https://attack.mitre.org/groups/G0009/ https://www.crowdstrike.com/blog/who-is-fancy-bear/ https://www.cybrary.it/blog/understanding-north-koreas-advanced-persistent-threat-apt-group-37/