Advanced Persistent Threat
January 05, 2024
Advanced Persistent Threats (APTs) are widely regarded as the most formidable category of cyber threat, demanding significant effort to detect and to prevent. Safeguarding sensitive data, the ultimate target of these attacks, and securing the network elements touched during an intrusion are paramount. The cybersecurity staff who implement and operate Endpoint Detection and Response (EDR) solutions must anticipate and cover every plausible attack vector.
Despite the considerable risk APTs pose, launching one requires substantial resources and effort from the attacker. The three main stages of an APT operation - infiltration, expansion, and extraction - demand far more meticulous planning and execution than a conventional attack. The potential reward can be significant, but not every group is equipped to handle the complexity of an advanced persistent threat. An APT campaign is, without exaggeration, a contest among professionals.
APTs differ from ordinary cyberattacks in their advanced nature: they resemble special operations rather than commodity automated assaults. They rely on a multitude of programs, both malicious tools brought by the attackers and legitimate software already present in the targeted system (so-called living off the land). Unlike automated ransomware attacks, APTs are driven hands-on-keyboard, and the emphasis is on persistence: a long-term, low-profile presence inside the compromised environment. The primary objective is to reach valuable data, and the longer the attack persists unnoticed, the more data can be clandestinely accessed.
It is essential to note that the precursor malware and the tools used to expand a foothold in an APT often overlap with those seen in simpler attacks. The attackers may use the same exploits against server software and user applications; what differs is the end goal. Where most attacks seek financial gain through ransom, APTs are driven by diverse motives: leaking critical information, destroying it, or gaining control of servers and the websites they host. These tasks may take months to complete, and deploying and retaining an APT foothold is an intricate process, not a five-minute affair.
Advanced Persistent Threat (APT) Progression
As mentioned, an APT attack progresses through three main stages. Throughout the attack, the operators aim to deliver malware, make it persistent (i.e., spread it to every environment they can reach), and finally begin extracting data. Each stage involves specific software and approaches, but the final payload is most often a backdoor, a remote-access trojan, spyware, or a combination of them. To make the explanation concrete, we will walk through a real case reported at the beginning of 2024, in which North Korean operators targeted the Russian diplomatic sector with the Konni RAT.
Stage 1: Malware Infiltration
Malware can enter a corporate network through various methods. By some industry estimates of recent years, close to 40% of intrusions start with abuse of Remote Desktop Protocol (RDP): exposed services, weak or stolen credentials and, less often, vulnerabilities in the RDP software itself. That figure covers all forms of cyberattack, not just APT-related ones. Other methods, such as SQL injection and social engineering, are also employed. In some cases, the attackers launch a DDoS attack as a distraction: while system administrators and security staff are busy keeping the network up, the main action unfolds unnoticed.
In the Konni RAT case, the eponymous threat group executed a textbook spear-phishing attack. The attackers disguised an email to the Russian embassy in Indonesia as a New Year's greeting with a malicious attachment. The sender address was spoofed to resemble the legitimate Ministry of Foreign Affairs domain, "@mid.ru": the look-alike "@mid.rf" differs by a single letter, similar enough to deceive a reader who is not looking for it. This, combined with the typical pre-holiday relaxation, diverted the attention of the embassy staff.
Malware Injection Steps
Attackers may inject various elements into the targeted system or network, from scripts that connect to remote servers for the payload to components that weaken the security stack before the malware is launched. Precursor malware, used to display phishing pages or to facilitate the installation of the main payload, may also be employed. Most operators try to minimize reliance on the human factor after the first click. In the Konni attack, the attachment (a .zip archive) contained a script that connected to the command server and downloaded the remote-access trojan installer. While the embassy staff viewed a congratulatory image, the main action occurred in the background. Splitting the chain into several stages spreads the evidence across multiple processes and log sources, which makes it harder to read, and an intermediary stage may also disable security software. Once the intrusion is concealed and the payload is downloaded, the attackers proceed to the second stage: expansion.
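The two tells in the lure described above, a look-alike sender domain and an archive that carries a script behind a decoy image, are both checkable at the mail gateway. The following is an added example (not code from the original article or from the incident reporting): it parses a constructed message, compares the sender domain against an assumed list of trusted domains, and inspects a constructed .zip attachment for executable members. The trusted-domain list, the mailbox names and the archive contents are assumptions made for the example.

```python
"""Triage of an inbound message for a look-alike sender domain and an
archive carrying a script. Added example; the message and the archive are
constructed here, they are not artifacts from the incident."""
import io
import zipfile
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Domains the organisation legitimately receives mail from (assumption).
TRUSTED_DOMAINS = {"mid.ru", "example.org"}

# Extensions Windows executes on double-click; a greeting card has no
# business carrying any of these, alone or hidden behind "card.jpg.bat".
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".ps1",
                     ".lnk", ".hta", ".exe", ".scr", ".dll")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.
    An exact match is not a look-alike; a name within two edits of a trusted
    domain (mid.rf vs mid.ru), or the same label under a different TLD, is."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= 2 or domain.split(".")[0] == t.split(".")[0]:
            return t
    return None


def suspicious_members(zip_bytes: bytes) -> list:
    """Names of archive members whose (last) extension is executable."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]


def triage(raw_message: str) -> list:
    """Return human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    findings = []
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} imitates {imitated}")
    for part in msg.walk():
        if part.get_content_type() == "application/zip":
            bad = suspicious_members(part.get_payload(decode=True))
            if bad:
                findings.append(f"archive {part.get_filename()} carries {bad}")
    return findings


def build_sample_message() -> str:
    """Constructed lure: a decoy image plus a batch file in one archive,
    sent from a domain one letter away from the trusted one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("New Year card.jpg", b"\xff\xd8\xff")                 # JPEG header stub
        zf.writestr("New Year card.jpg.bat", b"@echo off\r\nrem stub\r\n")  # harmless placeholder
    msg = MIMEMultipart()
    msg["From"] = "protocol@mid.rf"        # look-alike address, constructed
    msg["To"] = "embassy@example.org"
    msg["Subject"] = "Happy New Year"
    msg.attach(MIMEText("Please find our greeting card attached."))
    att = MIMEApplication(buf.getvalue(), _subtype="zip")
    att.add_header("Content-Disposition", "attachment", filename="card.zip")
    msg.attach(att)
    return msg.as_string()


if __name__ == "__main__":
    for line in triage(build_sample_message()):
        print(line)
```

Run on the constructed message, `triage` reports both the imitated domain and the batch file hidden behind the double extension. The edit-distance threshold is deliberately small: on short domains a larger threshold would match unrelated names, so in production the check belongs next to a proper list of the organisation's correspondents rather than on its own.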
Stage 2: Malware Expansion
Compromising a single workstation is not enough for the attackers' purposes, and the first foothold is rarely the domain controller. What they want is the DC, or at least an account with administrator privileges. If the initial infection lands on an ordinary user's computer, they attempt to escalate privileges so that their malware runs as an administrator. Privilege escalation is challenging and usually requires an exploit or a misconfiguration; if the attack is well prepared, however, the operators already know which exploits apply and bring a tool ready to use them.
Holding an administrator account lets the attackers log on to other machines with the same credentials, create further highly privileged accounts, and manage the network. Taking over the domain controller is the usual goal, but it is not trivial. The attackers therefore fall back on cruder instruments such as brute-force utilities, credential-dumping tools and other hacktools, a crowbar for when the lockpick fails. Crude instruments are easier to detect, which is why the attackers typically disable protection on the individual computers they use while brute-forcing the DC.
Expanding the malware presence in the network has an obvious rationale: the more computers are infected, the more data the attackers can reach and extract. This straightforward equation should guide system administrators. Network segmentation, enhanced protection measures and persistent monitoring are essential wherever sensitive and valuable data lives. Threat actors running an APT attack will likely have fallback options, so a well-implemented EDR solution is crucial: it is hard to disable without first taking over the DC, and hard to evade, because it relies on behavioral and heuristic detection that is more difficult to deceive than signatures.
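The crude instruments described in this stage leave a recognisable trail in the Windows Security log: a burst of failed logons (event 4625) followed by a success (4624) from the same address, and a freshly created account (4720) being added to a privileged group (4728 for a global group, 4732 for a local one). The following is an added example, not vendor or page code, of two detections over constructed events; the event IDs are the real Windows ones, while the hosts, accounts, addresses and the simplified field names are assumptions.

```python
"""Two detections for the expansion stage, run over constructed Windows
Security events (event IDs are the real ones; hosts, users and addresses
are made up and the record layout is simplified). Added example."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

_BASE = datetime(2024, 1, 5, 2, 0, 0)


def _ev(offset_s, event_id, **fields):
    return {"ts": (_BASE + timedelta(seconds=offset_s)).isoformat(), "id": event_id, **fields}


# Constructed timeline: 12 failed logons in under three minutes from one
# address against the DC, a success from that address, then a new account
# made local admin on a workstation by the account that just logged in.
SAMPLE_EVENTS = (
    [_ev(15 * i, 4625, host="DC01", src_ip="10.0.5.23", user="backup_svc") for i in range(12)]
    + [_ev(210, 4624, host="DC01", src_ip="10.0.5.23", user="backup_svc"),
       _ev(240, 4624, host="DC01", src_ip="10.0.7.9", user="alice"),        # benign logon
       _ev(250, 4625, host="DC01", src_ip="10.0.7.9", user="alice"),        # one typo, benign
       _ev(600, 4720, host="DC01", user="svc_helper", subject="backup_svc"),
       _ev(660, 4732, host="WS-042", user="svc_helper", group="Administrators", subject="backup_svc"),
       _ev(700, 4732, host="WS-042", user="bob", group="Administrators", subject="it_admin")]  # pre-existing account
)


def brute_force_then_success(events, threshold=10, window=timedelta(minutes=5)):
    """Flag a 4624 preceded, within `window`, by at least `threshold` 4625s
    from the same source address."""
    failures = defaultdict(list)   # src_ip -> timestamps of failed logons
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        ip = ev.get("src_ip")
        if ev["id"] == 4625 and ip:
            failures[ip].append(t)
        elif ev["id"] == 4624 and ip:
            recent = [f for f in failures[ip] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute-force-success", "host": ev["host"],
                               "src_ip": ip, "user": ev["user"], "failures": len(recent)})
    return alerts


def new_account_made_privileged(events):
    """Flag an account created (4720) and later added to a privileged group
    (4728 global / 4732 local). Pre-existing accounts are ignored."""
    created = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4720:
            created.add(ev["user"])
        elif ev["id"] in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS and ev["user"] in created:
            alerts.append({"rule": "new-account-privileged", "host": ev["host"],
                           "user": ev["user"], "group": ev["group"], "by": ev.get("subject")})
    return alerts


if __name__ == "__main__":
    for alert in brute_force_then_success(SAMPLE_EVENTS) + new_account_made_privileged(SAMPLE_EVENTS):
        print(alert)
```

Both rules are intentionally simple so they can be read in one sitting. The thresholds (ten failures in five minutes) are assumptions and should be tuned against the organisation's own baseline, and the second rule only sees accounts whose creation falls inside the analysed window; a longer lookback, or a directory query for account age, closes that gap.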
Stage 3: Data Extraction
As mentioned earlier, APTs are called "persistent" for a reason. They aim to endure in the corporate system and gather everything potentially valuable. However, they do not send the data to the command server the moment they find it on a victim's PC. Even with security software disabled, system administrators may notice a burst of traffic from inside the network to an unknown address. That raises alarms and can expose the whole operation. To keep the operation silent, the attackers must employ various tricks.
The tricks involve disguising the extracted data and distracting attention; in most cases the attackers opt for the latter, because concealing a large volume of traffic is hard. Sending gigabyte-sized files through email raises suspicion, even if the message has already been delivered by the time anyone looks. Attackers may launch a DDoS attack or generate white noise (numerous pointless commands or requests) to bury the relevant entries in the logs; they also split the data into small chunks, compress and encrypt it, and push it through channels that blend in with normal traffic, such as HTTPS to a cloud storage service. These tactics can slip past security solutions and make it difficult for analysts to reconstruct what happened.
However, when the operators decide to end their presence in a network, they may perform the final extraction "as is". This is uncommon, but it happens, especially if the information obtained can be sold at a high price. The attackers may then resell the method of infiltration to their peers and potentially return later. When they decide on a swift exit, they might even deploy ransomware as the final act.
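The extraction patterns discussed above, a bulk upload to an address the host has never talked to and a "drip" of many small uploads to such an address, can be spotted in flow data with a per-host baseline of known destinations. The following is an added example (not code from the original article) over constructed flow records; the baseline, the thresholds and the addresses (taken from the documentation ranges) are assumptions. It deliberately does not judge large transfers to already-known partners, which need a per-pair volume baseline rather than a destination list.

```python
"""Exfiltration heuristics over constructed outbound flow records (src, dst,
bytes). Two patterns: a bulk transfer to a destination the host has never
talked to, and a drip of many small uploads to such a destination.
Added example; addresses are from the documentation ranges."""
from collections import defaultdict

MiB = 1024 * 1024

# Destinations each host was seen talking to during the baseline period (assumed).
BASELINE = {
    "10.0.9.5": {"203.0.113.10", "198.51.100.7"},
    "10.0.9.8": {"203.0.113.10"},
    "10.0.9.12": {"198.51.100.7"},
}


def _flows(src, dst, count, size):
    return [{"src": src, "dst": dst, "bytes_out": size} for _ in range(count)]


SAMPLE_FLOWS = (
    _flows("10.0.9.5", "192.0.2.77", 40, int(2.5 * MiB))   # 100 MiB in 2.5 MiB slices, new destination
    + _flows("10.0.9.5", "203.0.113.10", 3, 5 * MiB)       # routine traffic to a known service
    + _flows("10.0.9.8", "192.0.2.90", 25, 64 * 1024)      # drip: 25 x 64 KiB to a new destination
    + _flows("10.0.9.12", "198.51.100.7", 1, 300 * MiB)    # large, but to a known partner
)


def detect_exfiltration(flows, baseline, bulk_threshold=50 * MiB, drip_count=20):
    """Aggregate bytes and flow counts per (src, dst) pair and apply the two
    rules to pairs that are absent from the baseline."""
    totals = defaultdict(int)
    counts = defaultdict(int)
    for f in flows:
        key = (f["src"], f["dst"])
        totals[key] += f["bytes_out"]
        counts[key] += 1
    alerts = []
    for (src, dst), total in sorted(totals.items()):
        if dst in baseline.get(src, set()):
            continue   # known pair: volume anomalies here need a per-pair baseline
        if total >= bulk_threshold:
            alerts.append({"rule": "bulk-to-new-destination", "src": src, "dst": dst,
                           "bytes": total, "flows": counts[(src, dst)]})
        elif counts[(src, dst)] >= drip_count:
            alerts.append({"rule": "drip-to-new-destination", "src": src, "dst": dst,
                           "bytes": total, "flows": counts[(src, dst)]})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_FLOWS, BASELINE):
        print(alert)
```

On the constructed flows the 100 MiB upload is caught by volume even though it was sliced into pieces, and the 25 small uploads are caught by count although they total under 2 MiB. The thresholds are starting points; a busy host will need a higher drip count, and encrypted channels to a permitted cloud service will not appear as a new destination at all, which is why the destination baseline must be complemented by volume baselines per pair.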
Exploring the Most Notorious APT Groups
As the threat landscape evolves, certain Advanced Persistent Threat (APT) groups stand out for their sophistication, persistence, and strategic targeting. These groups, often associated with nation-states or well-organized cybercriminal entities, employ advanced techniques to compromise and infiltrate high-profile targets. Understanding these notorious APT groups is crucial for organizations seeking to enhance their cybersecurity defenses.
The Equation Group
The Equation Group gained infamy for highly advanced and complex cyber-espionage operations. Linked by researchers to the United States, the group is known for extremely sophisticated implants, including ones that reside in hard-drive firmware, and for sharing zero-day exploits with the authors of Stuxnet, the worm that targeted Iran's uranium-enrichment facility. Its capabilities include the development of custom tooling and a deep supply of zero-day vulnerabilities.
APT29 (Cozy Bear)
APT29, commonly known as Cozy Bear, is a threat group attributed to Russia's Foreign Intelligence Service (SVR). Operating since at least 2008, APT29 has consistently targeted government networks in Europe, NATO member countries, research institutes, and think tanks. Notably, it gained international attention for compromising the Democratic National Committee in the summer of 2015.
In April 2021, the United States and the United Kingdom attributed the SolarWinds Compromise to the SVR, explicitly referencing APT29 along with Cozy Bear and The Dukes. Industry reporting also used alternative names such as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm in connection with this campaign.
CozyDuke, also known as CozyBear, CozyCar, and Office Monkeys, is an alias associated with APT29. This threat actor gained prominence in 2014 for orchestrating precise attacks on high-profile targets, including the US White House, Department of State, and the Democratic National Committee.
Key Characteristics of CozyDuke:
- Targets: CozyDuke focuses on governmental organizations, political groups, think tanks, and individuals engaged in defense and geopolitical research.
- Global Operations: The actor's activities have been observed in several countries, including Germany, South Korea, Uzbekistan, and the United States.
- Characteristics: CozyDuke is known for targeting extremely sensitive and high-profile victims. It exhibits evolving cryptographic and anti-detection capabilities, demonstrating advanced technical proficiency.
- Malware Toolset: APT29's malware toolset shows strong functional and structural similarities to early MiniDuke, as well as more recent components like CosmicDuke and OnionDuke.
APT28 (Fancy Bear)
APT28, also known as Sofacy Group, Pawn Storm, Fancy Bear, and Sednit, is a highly sophisticated cyber espionage group believed to have ties to Russia's General Staff Main Intelligence Directorate (GRU), specifically the 85th Main Special Service Center (GTsSS) military unit 26165. Operating since at least 2004, APT28 has played a significant role in various cyber operations aligned with Russian strategic interests.
APT28 gained global attention for its involvement in high-profile cyber operations:
- 2016 U.S. Presidential Election: APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in an attempt to interfere with the election.
- 2018 Indictments: The U.S. indicted five GRU Unit 26165 officers associated with APT28 for cyber operations conducted between 2014 and 2018 against various targets, including the World Anti-Doping Agency, a U.S. nuclear facility, and the Organization for the Prohibition of Chemical Weapons.
- Joint Analysis Report (December 29, 2016): The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a report confirming that the Russian Government sponsors APT28.
Key features of APT28's operations include:
- Targeted Espionage: APT28 focuses on entities in the U.S., Europe, and former Soviet Union countries, including governments, militaries, defense attaches, media entities, and individuals opposed to the Russian Government.
- Information Operations: In recent years, APT28 has increasingly engaged in information operations aligned with broader strategic military doctrine. After compromising a target, the group steals internal data, which is then strategically leaked to support political narratives aligned with Russian interests.
APT28 is known by various aliases: APT-C-20, ATK5, Blue Athena, FANCY BEAR, FROZENLAKE, Fighting Ursa, Forest Blizzard, G0007, Grey-Cloud, Grizzly Steppe, Group 74, Group-4127, IRON TWILIGHT, ITG05, Pawn Storm, SIG40, SNAKEMACKEREL, STRONTIUM, Sednit, Sofacy, Swallowtail, T-APT-12, TA422, TG-4127, Tsar Team, TsarTeam, UAC-0028
Understanding the tactics, techniques, and procedures of APT28 is essential for organizations seeking to enhance their cybersecurity defenses against this persistent and highly capable threat actor.
APT34 (OilRig)
APT34, also known as OilRig, is a suspected Iranian threat group that has conducted cyberespionage against Middle Eastern and international targets since at least 2014. Its operations span the financial, government, energy, chemical and telecommunications sectors. APT34 is known for strategic and systematic targeting, often employing supply-chain attacks that exploit the trust relationships between organizations.
APT34 is a covert cyberespionage group specializing in the collection of sensitive intelligence within the Middle East. Key characteristics of APT34 include:
- Targeted Sectors: The group has targeted diverse sectors such as government agencies, critical infrastructure, telecommunications, and regional entities.
- Attack Techniques: APT34 utilizes spear phishing campaigns and advanced techniques to infiltrate and maintain access within targeted networks.
- Resource Sophistication: The group operates with a high degree of sophistication and seemingly vast resources, posing a significant cybersecurity challenge regionally and beyond.
APT34, or OilRig, has been associated with high-profile cyberattacks against specific organizations, showcasing strategic and careful selection for their operations. The group's tactics include social engineering, exploiting human vulnerabilities, and occasional use of recently patched vulnerabilities during the delivery phase of their attacks.
APT34 is known by various aliases and identifiers, including but not limited to: ATK40, Cobalt Gypsy, Crambus, EUROPIUM, Evasive Serpens, G0049, Hazel Sandstorm, Helix Kitten, IRN2, Twisted Kitten
APT41
APT41 is a sophisticated threat group assessed by researchers as a Chinese state-sponsored espionage group that also conducts financially motivated operations, a dual role that sets it apart. The group has been active since at least 2012 and targets a wide range of sectors, including healthcare, telecom, technology and the video game industry, across 14 countries. APT41's activities overlap, at least partially, with public reporting on groups such as BARIUM and Winnti Group.
APT41 is known by various aliases: Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA, WICKED SPIDER
APT41 employs various tools and techniques, including but not limited to:
- BLACKCOFFEE (S0069): Multipurpose backdoor offering a reverse shell, file enumeration and deletion; it resolves its C2 address through dead-drop pages on legitimate websites to obfuscate the infrastructure.
- China Chopper (S0020): Web shell that provides access back to an enterprise network.
- Cobalt Strike: Commercial tool allowing attackers to drop payloads.
- Gh0st Rat: Remote Access Tool (RAT).
- Mimikatz: Credential dumper for obtaining plaintext Windows account information.
- PlugX: Remote Access Tool (RAT) with modular plugins.
- ShadowPad: Modular backdoor whose plugins handle C2 communication and post-exploitation tasks.
APT24 (PittyTiger)
APT24, also known as PittyTiger, is associated with Chinese state-sponsored cyber activity. The group has been linked to cyber-espionage campaigns against governments, military entities, and organizations in the technology and healthcare sectors, and is known for custom malware and for spear-phishing as its means of gaining initial access.
APT24 has targeted a diverse range of industries, including government, healthcare, construction and engineering, mining, nonprofit, and telecommunications.
Associated Malware: PITTYTIGER, ENFAL, TAIDOOR
APT22 (Barista)
Attributed to Chinese state-sponsored actors, APT22, or Barista, has been involved in cyber-espionage campaigns against organizations in Japan and other East Asian countries. The group is known for spear-phishing emails with malicious attachments, and its primary objective is the collection of intelligence and sensitive information.
APT21 (Zhenbao)
APT21, also known as Zhenbao, is associated with Chinese state-sponsored cyber activity. The group has conducted targeted attacks against organizations in the aerospace, defense and technology sectors, and is characterized by advanced malware and techniques for persistent access, with an emphasis on long-term information gathering and espionage.
APT20
APT20, also known by the aliases Crawling Taurus, TH3Bug, and VIOLIN PANDA, has been linked to a series of watering hole attacks reported by researchers in 2014. Watering hole attacks have become a popular strategy in APT campaigns, offering a higher chance of success than traditional spear phishing when the target population is well defined. They involve compromising legitimate websites frequented by individuals with specific industry affiliations or political sympathies.
Unlike many APT campaigns that rely heavily on spear phishing, APT20, under the moniker "th3bug", is known for compromising legitimate websites that its intended targets are likely to visit. The approach plants malware on popular websites, increasing the likelihood of infecting visitors who are less cautious about links and downloads from familiar sources. In that campaign APT20 compromised several sites, including a well-known Uyghur website, indicating a focus on specific communities and languages.
APT18 (Wekby)
Attributed to Chinese state-sponsored actors, APT18, or Wekby, has been involved in cyber-espionage campaigns against organizations in the United States and other countries. The group uses several attack vectors, including spear-phishing and the exploitation of software vulnerabilities, and focuses on stealing intellectual property and sensitive data for strategic and economic purposes.
APT43
Mandiant has tracked APT43 since 2018; its collection priorities align with those of North Korea's main foreign intelligence service, the Reconnaissance General Bureau (RGB). It is a moderately sophisticated operator supporting the interests of the North Korean regime, and its campaigns include strategic intelligence collection, credential harvesting, social engineering for espionage, and financially motivated cybercrime.
Key characteristics of APT43:
- Targeting: regionally focused on South Korea, Japan, Europe, and the United States, in the government, education, research, think tank, business services, and manufacturing sectors. Its focus on foreign policy and nuclear security issues supports North Korea's strategic and nuclear ambitions, and it responds to shifting priorities: in 2021 it pivoted to health-related verticals, likely in support of pandemic response efforts.
- Initial access: tailored spear-phishing emails and credential-collection campaigns. APT43 has not been observed exploiting zero-day vulnerabilities.
- Personas: the group creates convincing spoofed and fraudulent personas, masquerading as key individuals within its target area, and leverages stolen personally identifiable information (PII) to create accounts and register domains.
- Self-funding: APT43 steals and launders cryptocurrency to buy operational infrastructure, reducing the fiscal strain on the central government in line with North Korea's ideology of self-reliance. It buys hash rental and cloud mining services, using the stolen funds to mine "clean" cryptocurrency.
- Tempo and coordination: the group maintains a high tempo of activity over long periods and collaborates with other elements of the North Korean cyber ecosystem.
Publicly reported activity attributed to APT43 is often tracked under the names "Kimsuky" or "Thallium".
Defend Against Advanced Persistent Threats
As the preceding sections show, advanced persistent threats are exceptionally sophisticated and orchestrated by skilled operators. Defending against an APT can be likened to a chess game between two grandmasters, both highly skilled with numerous possible moves; but if the game is being played at all, something has already gone wrong, because the opponent is inside the network. While no security measure guarantees that every intrusion is prevented, the right strategies significantly constrain the attacker. Let's explore how to fortify a corporate network against advanced persistent threats.
Reducing the Human Factor
Human error remains a significant security vulnerability that cannot be completely eradicated. Although cybersecurity knowledge among employees is crucial, it must be complemented by strategies to minimize potential damage resulting from human mistakes.
- Explain the Risks of Email Attachments: Educate employees about the dangers of attachments and links so that fewer phishing lures succeed.
- Restrict Macros and Scripts: Block the execution of MS Office macros and Visual Basic scripts unless the system administrator has approved them, closing a common injection method.
- Maintain Software Hygiene: Update applications regularly, avoid untrustworthy programs, and monitor applications that collect user information, reducing the attack surface available to exploits.
- Segment the Network: Isolate network segments to impede the spread of an infection and buy time to respond to a breach.
- Apply Least Privilege Principles: Limit user privileges to what the job requires, reducing the impact of a compromised account.
Technical Approaches Against APT
In addition to employee-focused strategies, several technical measures are specifically effective against APTs, focusing on network security and traffic control.
Whitelisting (allow-listing) permits connections only to designated websites and IP addresses from within the corporate network. It is effective at blocking connections to unknown infrastructure, but it has a weakness a defender should keep in mind: attackers increasingly route command-and-control traffic through legitimate, widely allowed services, so allow-listing must be paired with inspection of what is sent over the permitted channels. Review and update the whitelist regularly as business needs and threats evolve.
Traffic control actively counters APTs, with a primary focus on securing exposed elements such as web application servers. Protect these servers with a web application firewall or request filters that block SQL injection and remote file inclusion (RFI) attacks, and fix the underlying code so that queries are parameterised and file includes cannot point at attacker-controlled locations. Firewalls also log network events, which makes analysis of anomalies possible after the fact.
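A filter in front of the server is the second line; the first is code that cannot be injected into. The following is an added example (not code from the original article) showing the two injection classes named above against an in-memory SQLite table: a deliberately vulnerable lookup that splices user input into the SQL text beside its parameterised form, and a guard for an include parameter that rejects URLs, path separators and anything outside an allow-list. The table contents, the user names and the allow-list are constructed for the example.

```python
"""Vulnerable and hardened forms of SQL injection and remote/local file
inclusion, runnable against an in-memory SQLite table. Added example; the
table, the user names and the include allow-list are constructed."""
import sqlite3
from urllib.parse import urlsplit


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "staff"), ("bob", "staff"), ("admin", "admin")])
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """Deliberately vulnerable: the user-controlled value is spliced into the
    SQL text, so a quote in the input changes the statement's meaning."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username: str) -> list:
    """Parameterised: the value travels separately from the statement, so a
    quote in the input is just a character to compare against."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


ALLOWED_INCLUDES = {"header.html", "footer.html"}   # constructed allow-list


def resolve_include(name: str):
    """Guard for an include/template parameter. Rejects anything carrying a
    URL scheme (remote file inclusion), a path separator or traversal (local
    file inclusion), or a name outside the allow-list. Returns the safe name
    or None."""
    if urlsplit(name).scheme or "/" in name or "\\" in name or ".." in name:
        return None
    return name if name in ALLOWED_INCLUDES else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row leaks
    print("hardened:  ", lookup_hardened(db, payload))     # nothing matches
    print("include:   ", resolve_include("http://198.51.100.7/shell.txt"))
```

The classic `' OR '1'='1` payload turns the vulnerable query into `WHERE username = '' OR '1'='1'` and returns every row, while the parameterised query looks for a user literally named `' OR '1'='1` and returns nothing. The include guard is an allow-list, not a blacklist: the scheme and separator checks exist to fail fast with a clear reason, but the final decision is membership in `ALLOWED_INCLUDES`, which is what a filter in front of the server cannot reliably reproduce.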
By combining these strategies, organizations can establish a robust defense against advanced persistent threats, enhancing the overall security posture of their corporate networks.