02:56 PM
Connect Directly

Anatomy Of A Targeted, Persistent Attack

New report provides an inside look at real attacks that infiltrated, camped out, and stole intellectual property and proprietary information -- and their links to China

A new report published today sheds light on the steps ultra-sophisticated attackers take to gain a foothold inside governments and company networks and remain entrenched in order to steal intellectual property and other data. The bad news is these attacks -- including the recent ones on Google, Adobe, and other companies -- almost always are successful and undetectable until it's too late.

The so-called advanced persistent threat (APT) attack model and case studies outlined in the report from forensics firm Mandiant are based on real-world attacks Mandiant has probed during the past seven years in the government and private industries. Though the report describes the brand of attack that hit Google, Adobe, and 20 to 30 other organizations, Mandiant wouldn't comment on whether its forensics experts are involved in the so-called Aurora attack that allegedly came out of China.

Most of the APT attack cases that Mandiant has worked on for the past few years have had ties to China: "The vast majority of APT activity observed by MANDIANT has been linked to China," the report says. And existing security tools are no match for these attacks -- only 24 percent of the malware used in the attacks Mandiant has investigated were detected by security software, the report says.

"The fact that there is more activity around this [threat] in the past two to three weeks is good. Hopefully, this continues and gets people talking about being aware of it," says Michael Malin, executive vice president at Mandiant. "The APT is a reality; it's out there ... it's not just a government or defense issue. We're seeing it at the commercial level, as well."

As a matter of fact, Mandiant has worked with 10 percent of Fortune 100 companies on APT attacks in their organizations, according to Malin. "And we've responded to computer security incidents at 20 percent of Fortune 100 [companies]," including APT and payment card attacks.

It's not that these attacks are anything new. A published report in the Christian Science Monitor this week revealed a wave of APT attacks that occurred in 2008 against the oil industry, including Marathon Oil, ExxonMobil, and ConocoPhillips, all of which didn't realize the extent of the damage until 2009, when the FBI told them "proprietary" data had been siphoned from their computers. It's more that regulatory -- business pressures are now forcing companies like Google to own up to their victimization, security experts say.

Mandiant's Malin says APT attacks are waged by teams of hackers who go after different levels of the infrastructure: "They are going after the network level, or the host-based level," he says. "There's a lot of coordination."

And sometimes the teams don't even know the other is already inside the victim's network. Even so, they typically are working for the same cause, usually espionage, he says. And once they are in, they don't need to hack through again; they set up camp with a longer-term presence that allows them to move about the company freely and typically undetected.

"From a security point of view, there's no magic bullet" to these attacks, says Alan Shimel, CEO of The CISO Group. "Nothing is going to make you immune."

The most effective way to shut down such an attack, however, is to uncover and block the command and control (C&C) conduit between the compromised systems and the attackers, says Gunter Ollmann, vice president of research for Damballa. "Then they have to go to their backup systems and reinfect the host," Ollmann says. "The Achilles' heel is their C&C. They require interactive access to the systems to control them and to target and extricate information ... by detecting and denying that, you've muted the attack."

APT attacks typically have a correlation between political or business activity or events, Mandiant's Malin says. And they often are waged as a campaign for a specific type of information or intelligence. For example, in one series of attacks on local, state, and federal agencies that Mandiant worked on, which was featured in the report, the attackers were after counter-terrorism intelligence.

Malware used in APT attacks is basically hidden in plain sight, in a low-profile, camouflaged manner. Mandiant says the average file size is a relatively diminutive 121.85 kilobytes, and that only 10 percent of any of these backdoor programs were "packed," a technique that can be easily spotted. But more advanced attackers do pack their malware in. Among the most common file names for the malware: svchost.exe, iexplore.exe, iprinp.dll, and winzf32.dll -- all of which wouldn't raise any red flags and could easily be overlooked. Most of these attackers evade anomaly detection by using outbound HTTP connections, as well as process injection.

Mandiant's report also drew some connections between these attacks and China: The attackers mostly work during daytime hours in China, which is nighttime in the U.S., the report says. "APT-associated activity typically occurs on any given weeknight except for foreign and major U.S. holidays," the report says. "This indicates the attackers know when new information may be available for exfiltration." Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

1 of 2
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.