APT (advanced persistent threat) attacks were once considered to be primarily a problem for large corporations, but the number of these (often state-sponsored) attacks against small- and medium-sized businesses has increased significantly.
Everyone is fair game, and the ever-evolving nature of attack vectors requires organizations to be proactive and continually update their defenses, which is a constant strain on resources, especially considering the various tactics, techniques, and procedures (TTPs) used in the attacks.
With time, money and other resources on their side, APTs such as Cozy Bear (aka APT29), OceanLotus (aka APT32), and Grim Spider (aka APT-C-37) conduct technically intricate, cutting-edge attacks that potentially threaten any organization. One victim can also be collateral damage for an attack on a larger target.
While some of their TTPs – such as spear phishing, credential theft, living off the land (LOL), and data exfiltration – are well-known and widely documented, less common TTPs that APTs may use can wreak just as much havoc. These include:
Watering hole attacks: These attacks involve compromising websites that the target organization’s employees or individuals frequently visit. The attackers inject malicious code into these legitimate websites, causing visitors to download malware unknowingly. It’s a tactic that allows APTs to gain access to the target organization through the users’ systems without directly attacking them. One well-known attack involved the website of the US Department of Labor in 2013, where malicious code was injected to infect visitors’ systems and target government employees and contractors.
Island hopping: In these attacks, APTs target not only the primary victim organization but also other organizations within their supply chain, partners, or affiliates. By compromising less secure third-party companies first, they can use them as stepping stones to reach the ultimate target and avoid direct detection. Cozy Bear targeted the Democratic National Committee in 2016 and later used island hopping techniques to breach other US government agencies.
Fileless malware: Fileless malware resides in the system’s memory, leaving little to no trace on the hard drive. It leverages legitimate processes and tools to carry out malicious activities, making it challenging for traditional security solutions to detect. Fileless malware can be delivered through malicious scripts (such as macros and PowerShell commands), malicious registry entries, LOLBins, LOLScripts, WMI/WSH, and reflective DDL-injection (to highlight the most common ones). APT32 (OceanLotus) used fileless malware to compromise multiple organizations in Southeast Asia, including government agencies and private companies while evading detection and attribution.
Hardware-based attacks: APTs may use hardware-based attacks, such as compromising firmware, hardware implants, or manipulating peripheral devices, to gain persistence and evade traditional security measures. These attacks can be difficult to detect and remove without specialized tools and expertise. A notable example is the Equation Group‘s malware for reprogramming hard drives’ firmware.
Zero-day exploits: APTs may deploy zero-day exploits to target previously unknown vulnerabilities in software or hardware. These attacks can be highly effective as no patches or defenses against them are available. Who could forget the Stuxnet attack? Stuxnet was a sophisticated and targeted worm that exploited multiple zero-day vulnerabilities in industrial control systems, making it highly effective and challenging to detect.
Memory-based attacks: Memory-based attacks exploit vulnerabilities in software to gain access to sensitive data stored in the computer’s RAM. These attacks can bypass traditional security measures that focus on file-based threats. APT32, believed to be based in Vietnam, is known for using fileless malware and “living off the land” techniques to operate stealthily in the computer’s memory and evade traditional security measures.
DNS tunneling: APTs may use DNS tunneling to exfiltrate data from the victim’s network. This technique involves encoding data in DNS requests or responses, allowing the attackers to bypass perimeter security measures that may not inspect DNS traffic thoroughly. Cozy Bear used DNS tunneling to communicate with their command-and-control servers and steal sensitive information from targeted organizations in a stealthy manner.
Advanced anti-forensic techniques: APTs invest significant efforts in covering their tracks and erasing evidence of their presence. They may employ advanced anti-forensic techniques to delete logs, manipulate timestamps, or encrypt data to hinder investigation and response efforts. One well-known advanced anti-forensic techniques attack by the Equation Group involved using a rootkit called “DoubleFantasy” to hide and persistently maintain their presence on infected systems, making it extremely challenging for analysts to detect and analyze their activities.
Multi-platform or custom malware: APTs employ malware capable of targeting both Windows and macOS systems to maximize its reach. They can also deploy tailored malware, such as the Scanbox reconnaissance framework to gather intelligence. An example is APT1 (also known as Comment Crew or Unit 61398), which utilized custom malware to infiltrate and steal sensitive data from various organizations worldwide, particularly in the United States.
Password spraying: Password spraying attacks are used to gain initial access by attempting to use a few common passwords against multiple accounts. APT33 (Elfin) targeted organizations in the Middle East and globally, using password spraying to compromise email accounts and gain a foothold for further cyber-espionage activities.
APTs are here to stay
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
These TTPs underscore the diverse and advanced technical skills exhibited by different threat groups. Organizations can bolster their defenses and protect against APT incursions by studying their tactics, techniques, and procedures.
Continuous vigilance, threat intelligence, and incident response readiness are crucial elements in preparing for and sometimes thwarting these persistent and highly skilled adversaries. Understanding real-world APT attacks’ technical intricacies and TTPs is vital for organizations to enhance their defense strategies and safeguard against these persistent threats.