Advanced persistent threats (APTs) are targeted, long-running intrusions usually conducted to steal or monitor data rather than to cause immediate damage. In a typical APT, malware sits undetected for long periods of time; it may lie dormant, waiting for a trigger, or quietly collect information the whole time.
APTs are often used against high-value targets such as government and defense agencies, manufacturing industries, critical infrastructure (CI), and financial organizations. All of these verticals hold valuable information, which, if stolen, can be incredibly damaging.
While small companies may assume they are immune because they aren’t “high value” targets, this is a dangerous presumption. Today, small and medium-sized businesses (SMBs) are targeted because they are part of the main target’s supply chain. A threat actor may see a small, less-defended organization as an easy infiltration path that leads to the larger, more valuable one. This means that APTs should be a concern for everyone.
In this article, we’ll discuss the unique security challenges associated with APTs, some notable trends, and attack vectors used by APT threat actors. We’ll also look at how to effectively prevent these threats and keep your business—of any size—secure with APT security systems.
The Security Challenges of an Advanced Persistent Threat
While each security issue is challenging in its own right, APTs present organizations with some special considerations. Today, most malware attacks are “in and out” jobs. The attackers make their way in, grab the information or cash they’re after, and then they’re “outta there” as soon as possible. This is not the case with APTs, which may linger in systems for months, or even years.
For example, in 2014, a highly sophisticated attack called The Mask was found on computers in Brazil and Morocco, among other countries. Experts estimate that the malware had been in operation for over seven years, targeting oil and energy companies, as well as government agencies and embassies.
As opposed to traditional attacks, APTs are “low and slow,” which makes them hard to detect: they avoid the noisy anomalies (mass malware execution, bulk transfers, sudden outages) that typical attacks produce. Especially where nation-state-backed attacks are concerned (The Mask was suspected to be of Spanish origin, although that was never proven), attackers often use multiple custom tools, such as specialized rootkits and bootkits, to maintain persistence while they remain hidden. In the case of The Mask, attackers used targeted spear-phishing to lure their intended victims into clicking the right links, thereby infecting their machines.
Some APT actors reserve custom code for the most important parts of their operation and rely on exploits for known vulnerabilities and commodity tooling for the external-facing stages, so that anything that does get detected looks like an ordinary, opportunistic attack rather than a targeted campaign. All in all, what makes these actors so dangerous is the advanced level of tools and resources at their disposal and the sophisticated planning and execution of their attacks.
Until recently, APT attacks were mainly conducted by nation-state actors for political gain, intelligence collection, or disruption of rival intelligence operations. But we are now witnessing a rise in APTs conducted by cyber criminal groups. These attackers may use APT techniques to collect information they can monetize directly or use in other criminal activities. Hired espionage groups also conduct APT campaigns on behalf of customers, usually corporations, who use this method to spy on competitors.
APTs usually progress through the following phases: initial access (for example, spear phishing or an exploited public-facing service), establishing a foothold and deploying malware, lateral movement and privilege escalation, locating and collecting the target data, and exfiltration of that data.
Notable Advanced Persistent Threat Trends
Meddling in International Affairs
APTs are often the weapon of choice for nation-states looking to meddle in the affairs of other nations. Cozy Bear (or APT29) and Fancy Bear (or APT28) are two separate Russia-backed hacking groups believed to have launched independent spear phishing attacks against the Democratic National Committee in 2016. Fancy Bear was also fingered in disinformation campaigns in the country of Georgia in an apparent attempt to discredit Kremlin enemies.
Keeping Tabs on Energy Sector Rivals
Though Russian APT groups often make headlines, a large share of the tracked APT groups are attributed to China. Although it was previously assumed that these Chinese groups operated independently, more recent research suggests that many of them are coordinated under a centralized military organization, the PLA Strategic Support Force (SSF). Recently, there has been a surge in attacks originating from China against energy companies in Southeast Asian nations such as Malaysia, Vietnam, and Singapore. Territorial disputes in the South China Sea, where sizeable reserves of natural gas are found, fuel a large percentage of these attacks.
Targeting IoT Devices
IoT devices are everywhere today. What’s more, they are notoriously vulnerable: default credentials, unpatched firmware, and little or no monitoring make compromising them simple. This makes these devices an attractive entry point into otherwise well-protected networks.
Examples of Typical APT Attack Vectors: Zero-Day Exploits and More
As we’ve seen, APT actors often use cutting-edge tools and zero-day exploits (exploits for vulnerabilities not yet known to the vendor, and therefore unpatched) in their attempts to get the information they are looking for. In October 2018, Microsoft released patches for zero-day vulnerabilities that had been exploited by the APT groups SandCat and FruityArmor. SandCat, a newcomer to the APT realm, used an elevation-of-privilege vulnerability in attacks against targets in the Middle East, and FruityArmor used the same vulnerability to target government researchers in Thailand, Iran, and Sweden, among other countries.
New Malware Families
APT34, otherwise known as OilRig, out of Iran, mainly targets organizations in the Middle East. The group recently began using a previously unknown backdoor named ToneDeaf. Starting with a phishing campaign, threat actors posed as faculty members at Cambridge University to coax victims into opening malicious documents; the documents dropped the backdoor, which then communicated with the group’s command-and-control (C&C) servers.
MuddyWater, the two-year-old APT group also hailing from Iran, is using a whole host of customized attack methods and tools, including deception techniques and custom-made downloading and execution tools. Though they are a relatively new player, they are gaining notoriety as an APT group who, according to security giant Kaspersky, can “adapt and customize the toolset for victims” to get just what they’re after.
The Cynet Solution: Enabling a Complete APT System
As you can see, APT prevention and detection is notoriously difficult. Attackers, being human, have great flexibility in adapting their tools and operations, allowing them to work around whatever security products the targeted organization has in place. While this is a common problem in the fight against malware in general, it is even more pressing and complex with APTs, considering the money and tools at the attackers’ disposal. This creates an inherent imbalance in the APT equation. So what’s the solution? A holistic tool for defeating these advanced threats.
The Cynet 360 platform is a tool of choice for many organizations looking for APT protection. This is due to its comprehensive breach protection capabilities that include proactive monitoring and control, attack prevention and detection, and response orchestration across all attack vectors that involve endpoints, network, and users.
Cynet leverages Sensor Fusion technology to analyze all endpoint, network and user activities within the environment, deciphering the context of each activity with unmatched precision. As such, Cynet provides all the threat protection capabilities of NGAV, EDR, UBA, Network Analytics and Deception, as well as the ability to unveil attacks that are invisible to each of these technologies by itself.
All organizations should realize that APTs are a threat vector they need to think about and plan for. No organization is too small to be a target. And as APT security systems become more capable, attackers will ensure that their tool arsenals follow suit, which means that these threats may become commonplace in the coming years.
Now is the time to make sure your organization can adequately handle APT protection. To learn more about Cynet’s solutions, click here.