Kathy Gibson reports from Kaspersky Lab’s conference in Lisbon – 2015 is gearing up to be the year that advanced persistent threats (APTs) become mainstream – and they have the potential to dangerously affect millions of people.
Sergey Lozhkin, senior security researcher in Kaspersky Lab’s Global Research and Analysis Team, points out that we now live in a world where everyone spies on everyone else.
“Ordinary people are now spying on each other: husbands on their wives; students on one another; teachers on their students; governments on their citizens; and on other governments. But the implication of your wife discovering that you are spying on her is that you may have a fight,” Lozhkin says. “At a government level it is a lot more serious.”
Advanced persistent threats (APTs) are designed for one purpose only: to spy on people. “It is a modern James Bond story,” Lozhkin says. “And it is completely automated. It gets into your PC, stays there and collects information.”
The first widely publicised APT – Stuxnet – was uncovered in 2010, and the number has grown steadily since then, with three big APTs already unmasked in 2015.
“Governments and states understand how effective APTs can be; that they can create a malware application and use it to spy on people.”
The three big APTs unmasked in 2015 are Carbanak, which was used to steal hundreds of millions of dollars from banks around the world; Equation Group, which can be detected but not removed and is probably sponsored by a nation-state; and Desert Falcons, the first known APT created by Arabic-speaking authors.
“You can think of an APT like a mite,” Lozhkin says. “It sucks data rather than blood, but it’s hard to detect, almost impossible to get rid of and even if you do get rid of it, it comes back again.”
APTs tend to be deployed to look for information: innovations and blueprints; business plans and budgets; and routes to shareholders and partners.
Digital certificates are also a target, as are virtual credentials and physical access codes, all of which could allow the attackers to reach further information. They may also be looking for scientific research results, government connections or lists of secret studies.
“The ultimate goal for APTs is power and money,” Lozhkin says. “Probably 90% of it is about power: if you control the information and the networks, production plants and other areas, you could control the world. And, of course, money is always a motive.”
So how do APTs get into a corporate or government computer system? Lozhkin says the first and most popular way is spear phishing: by his estimate, 99% of all APTs use it as the initial attack vector.
“An employee would get a mail with a document attached to it. The mail will be relevant because the criminals do their homework and make sure they know about the victim. So the e-mail is specially drafted, addressed directly to the victim, and he will definitely open the document. If his computer is vulnerable he will then become infected.”
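The lure Lozhkin describes relies on a plausible sender and a document the victim expects. The script below is an added example, not code from the article or from Kaspersky Lab: it parses an e-mail with Python's standard email package and applies the cheap checks a mail-gateway or analyst would run first, flagging a display name that claims a domain the sender address does not have, a Reply-To that diverts replies to a third domain, an attachment whose declared extension does not match its file-signature bytes, and a double extension hiding an executable. The sample message, sender names and domains are constructed for the example.

```python
"""Sender and attachment triage for a suspected spear-phishing e-mail.

Added example; not code from the article or from Kaspersky Lab. The sample
message built in build_sample() is constructed for this demonstration.
"""
import email
import re
from email import policy
from email.headerregistry import Address
from email.message import EmailMessage

# Leading bytes that identify formats commonly sent as attachments.
MAGIC = {
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls, may carry VBA macros
    b"PK\x03\x04": "zip",                         # .docx/.xlsx are zip containers
    b"MZ": "exe",                                 # Windows PE: .exe, .dll, .scr
}
# Signature family each declared extension should carry.
EXPECTED = {"pdf": "pdf", "doc": "ole", "xls": "ole", "docx": "zip",
            "xlsx": "zip", "zip": "zip", "exe": "exe", "scr": "exe"}
# Extensions Windows runs directly when the user double-clicks.
EXECUTABLE = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "bat", "cmd", "hta", "ps1"}
# Something that looks like a domain name inside a display name.
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")


def sniff(data: bytes) -> str:
    """Classify bytes by signature; 'unknown' when nothing matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_sender(msg: EmailMessage) -> list:
    """Display name vs. real sender domain, and Reply-To diversion."""
    findings = []
    if not msg["From"] or not msg["From"].addresses:
        return findings
    sender = msg["From"].addresses[0]
    from_dom = sender.domain.lower()
    for claimed in DOMAIN_RE.findall(sender.display_name.lower()):
        if claimed != from_dom and not from_dom.endswith("." + claimed):
            findings.append(f"sender-domain-mismatch:{claimed}!={from_dom}")
    reply = msg["Reply-To"]
    if reply and reply.addresses:
        reply_dom = reply.addresses[0].domain.lower()
        if reply_dom != from_dom:
            findings.append(f"reply-to-diverted:{reply_dom}")
    return findings


def check_attachments(msg: EmailMessage) -> list:
    """Declared extension vs. signature bytes, plus executable and double extensions."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in EXECUTABLE:
            findings.append(f"executable-attachment:{name}")
            if len(pieces) > 2:          # e.g. photo.jpg.scr
                findings.append(f"double-extension:{name}")
        actual = sniff(data)
        expected = EXPECTED.get(ext)
        if expected and actual != expected:
            findings.append(f"signature-mismatch:{name}:declared={ext},actual={actual}")
    return findings


def triage(raw: bytes) -> list:
    """Run all checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return check_sender(msg) + check_attachments(msg)


def build_sample() -> bytes:
    """Constructed lure (hypothetical names and domains): a 'finance' sender
    claiming the victim's own domain, replies diverted to webmail, a fake PDF
    that is really a PE file, a double-extension screensaver, one clean PDF."""
    msg = EmailMessage()
    msg["From"] = Address("Finance Dept (acme.com)", "finance", "acme-invoices.xyz")
    msg["Reply-To"] = Address("", "finance.acme", "webmail.example")
    msg["To"] = Address("John Doe", "j.doe", "acme.com")
    msg["Subject"] = "Q1 budget - please review before Friday"
    msg.set_content("Hi John, the updated budget you asked for is attached.")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
                       maintype="application", subtype="pdf", filename="Q1_budget.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream", filename="photo.jpg.scr")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj<<>>endobj\n",
                       maintype="application", subtype="pdf", filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

None of these checks proves a document is malicious; they are cheap signals that justify detonating the attachment in a sandbox or holding the mail for review. A well-resourced attacker can send a clean-looking document that exploits a zero-day in the viewer, which is exactly the case the article goes on to describe, so this triage complements patching rather than replacing it.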
Social networks and instant messaging are also popular ways of infecting systems. The victim receives a message that appears to come from a trusted friend, but it actually comes from a cybercriminal who has hacked the friend’s account.
Watering holes are an interesting way to trap victims. “Imagine you are an antelope in the desert, and you see a waterhole. You run to it and drink water. But a crocodile attacks you,” Lozhkin explains. “In the digital world, the antelope is an employee; the waterhole is a popular site on the Internet; and the crocodile is the cyber-criminal. Victims go to sites that interest them, unwittingly download infected documents and get infected.”
External media are also still used to infect computers, with malware delivered to targeted computers via USB sticks or mice.
APTs can get such a foothold in organisations’ computers because they are often zero-day threats, exploiting vulnerabilities that only the attackers know about. And when companies and users fail to apply patches and updates, old vulnerabilities can still be used to infect their systems. Crooks also exploit undocumented procedures.
Attacks are generally launched using malware tools whose capabilities include file system control, cached password stealing, sound or video recording, screen grabbing, video casting, keylogging and removable media monitoring.
“And some APTs have capabilities that go beyond these,” Lozhkin says. “To create all these capabilities requires big investments, so they are big groups, possibly sponsored by nation-states.”
Among the more advanced capabilities observed in APTs is live modification of operating system updates, which the computer trusts because they appear to come from the official software vendor. Attackers can also jailbreak a user’s mobile phone without the user being aware of it.
Among the most damaging capabilities is HDD firmware injection: even if the hard drive is completely reformatted and the operating system reinstalled, the malware is still there. “This is completely persistent and really scary,” Lozhkin says.
At the moment, APTs appear to be used only by big groups and nation-states, so there are few of them. However, if they are adopted by ordinary criminals they could become a much bigger problem. “These threats may be developed by governments, but once they get into the wild they will be uncontrolled,” says Lozhkin.
“In addition, we are seeing the rise of cyber mercenaries; groups of people who develop threats for money and don’t care how they are used or who they are doing the work for.”
Fortunately, there are ways that companies and governments can protect themselves from APTs.
Mitigation strategies include setting up security policies and doing a lot of education. People need to know that this is not fantasy: it really exists and there should be specific policies for dealing with it, Lozhkin urges.
A properly configured network will help to prevent infection, so network security is vital; sound system administration also goes a long way to mitigating attacks; and organisations should implement a full range of security solutions. Patch management and vulnerability assessment are also important. As Lozhkin says, companies running unpatched computers are potential APT victims.
The fact that it is very difficult to know whether systems have been compromised by an APT makes these threats hard to combat. Lozhkin points out that it is often only when a company’s data turns up somewhere else, or is found to be missing, that the attack is noticed.