Anatomy Of A Targeted, Persistent Attack

New report provides an inside look at real attacks that infiltrated, camped out, and stole intellectual property and proprietary information -- and their links to China

A new report published today sheds light on the steps ultra-sophisticated attackers take to gain a foothold inside government and company networks and remain entrenched there in order to steal intellectual property and other data. The bad news is that these attacks -- including the recent ones on Google, Adobe, and other companies -- are almost always successful and go undetected until it's too late.

The so-called advanced persistent threat (APT) attack model and case studies outlined in the report from forensics firm Mandiant are based on real-world attacks Mandiant has investigated during the past seven years in government and private industry. Though the report describes the brand of attack that hit Google, Adobe, and 20 to 30 other organizations, Mandiant wouldn't comment on whether its forensics experts are involved in the so-called Aurora attack that allegedly came out of China.

Most of the APT cases Mandiant has worked on in the past few years have had ties to China: "The vast majority of APT activity observed by MANDIANT has been linked to China," the report says. And existing security tools are no match for these attacks: only 24 percent of the malware used in the attacks Mandiant has investigated was detected by security software, the report says.

"The fact that there is more activity around this [threat] in the past two to three weeks is good. Hopefully, this continues and gets people talking about being aware of it," says Michael Malin, executive vice president at Mandiant. "The APT is a reality; it's out there ... it's not just a government or defense issue. We're seeing it at the commercial level, as well."

As a matter of fact, Mandiant has worked with 10 percent of Fortune 100 companies on APT attacks in their organizations, according to Malin. "And we've responded to computer security incidents at 20 percent of Fortune 100 [companies]," including APT and payment card attacks.

These attacks are nothing new. A report in the Christian Science Monitor this week revealed a wave of APT attacks in 2008 against the oil industry, including Marathon Oil, ExxonMobil, and ConocoPhillips, none of which realized the extent of the damage until 2009, when the FBI told them "proprietary" data had been siphoned from their computers. What has changed is that regulatory and business pressures are now forcing companies like Google to own up to their victimization, security experts say.

Mandiant's Malin says APT attacks are waged by teams of hackers who go after different levels of the infrastructure: "They are going after the network level, or the host-based level," he says. "There's a lot of coordination."

Sometimes one team doesn't even know another is already inside the victim's network. Even so, they typically are working for the same cause, usually espionage, he says. And once they are in, they don't need to break in again: they set up camp with a longer-term presence that lets them move about the company freely and, typically, undetected.

"From a security point of view, there's no magic bullet" to these attacks, says Alan Shimel, CEO of The CISO Group. "Nothing is going to make you immune."

The most effective way to shut down such an attack, however, is to uncover and block the command and control (C&C) conduit between the compromised systems and the attackers, says Gunter Ollmann, vice president of research for Damballa. "Then they have to go to their backup systems and reinfect the host," Ollmann says. "The Achilles' heel is their C&C. They require interactive access to the systems to control them and to target and extricate information ... by detecting and denying that, you've muted the attack."
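Ollmann's point is that the C&C channel is the attacker's dependency, so it is the thing to hunt for. One practical way to surface it in outbound HTTP logs is to look for the regular, timer-driven polling a backdoor uses to check in. The following is an added example, not code from the report or from Damballa; it assumes a constructed proxy log format (`<UTC timestamp> <src_ip> <dst_host> <http_status>`, one connection per line) and scores each source/destination pair by how regular the gaps between its connections are.

```python
"""Beacon detection over outbound HTTP proxy logs.

Added example, not part of the report or of any vendor's product. It assumes
a constructed log format: "<UTC timestamp> <src_ip> <dst_host> <http_status>",
one connection per line. A backdoor polling its C&C server at a fixed interval
produces near-constant gaps between connections to the same destination, which
ordinary browsing does not; flagging that regularity is one way to find the
C&C conduit the text describes.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample: 10.1.2.7 polls one host every ~300 s; 10.1.2.9 browses normally.
SAMPLE_LOG = """\
2010-01-25T01:00:03Z 10.1.2.7 update.example-cdn.net 200
2010-01-25T01:00:10Z 10.1.2.9 www.example.org 200
2010-01-25T01:00:14Z 10.1.2.9 www.example.org 304
2010-01-25T01:02:50Z 10.1.2.9 www.example.org 200
2010-01-25T01:05:02Z 10.1.2.7 update.example-cdn.net 200
2010-01-25T01:09:00Z 10.1.2.9 www.example.org 200
2010-01-25T01:09:03Z 10.1.2.9 www.example.org 200
2010-01-25T01:10:04Z 10.1.2.7 update.example-cdn.net 200
2010-01-25T01:12:30Z 10.1.2.7 www.example.org 200
2010-01-25T01:15:03Z 10.1.2.7 update.example-cdn.net 200
2010-01-25T01:20:01Z 10.1.2.7 update.example-cdn.net 200
2010-01-25T01:25:03Z 10.1.2.7 update.example-cdn.net 200
2010-01-25T01:30:00Z 10.1.2.9 www.example.org 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_log(text):
    """Yield (timestamp, src_ip, dst_host) for each well-formed line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m.group(2), m.group(3)


def find_beacons(text, min_hits=5, max_cv=0.1, min_interval=30.0):
    """Return (src, dst) pairs whose connection gaps are suspiciously regular.

    cv is the coefficient of variation (stddev / mean) of the inter-connection
    gaps: a person clicking around gives cv well above 1, a timer gives cv near 0.
    min_interval keeps bursts of page assets (many requests within seconds)
    from being scored at all.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_interval:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(stamps),
                             "mean_gap_s": round(avg, 1), "cv": round(cv, 4)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits, every {f['mean_gap_s']} s (cv={f['cv']})")
```

On the constructed sample only the 10.1.2.7 pair is flagged. Real implants add jitter to their sleep timer, so in practice the threshold is tuned per environment and the score is combined with other signals (new or rarely seen destination, odd User-Agent, activity outside the host's normal hours) rather than used alone; once a conduit is confirmed, blocking it forces the attacker to fall back to a secondary channel and reinfect, which is exactly the cost Ollmann describes.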

APT attacks typically correlate with political or business activity or events, Mandiant's Malin says, and they often are waged as a campaign for a specific type of information or intelligence. For example, in one series of attacks on local, state, and federal agencies that Mandiant worked on, featured in the report, the attackers were after counterterrorism intelligence.

Malware used in APT attacks is hidden in plain sight, in a low-profile, camouflaged manner. Mandiant says the average file size is a relatively small 121.85 kilobytes, and that only 10 percent of the backdoors were "packed," a technique that is easily spotted; the more advanced attackers, however, do pack their malware. Among the most common file names for the malware: svchost.exe, iexplore.exe, iprinp.dll, and winzf32.dll, none of which would raise a red flag and all of which could easily be overlooked. Most of these attackers evade anomaly detection by using outbound HTTP connections, which blend into normal Web traffic, and by injecting their code into legitimate processes.
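The file-name and packing observations above lend themselves to a simple triage pass over a host's file inventory. The following is an added example, not Mandiant's tooling or anything from the report. It walks a constructed inventory of paths and file contents, flags the four names the report lists when they sit outside the directory where the legitimate binary lives (the allow-listed directories for svchost.exe and iexplore.exe are the standard Windows ones; for iprinp.dll and winzf32.dll no legitimate Windows component by those names is assumed, so any occurrence is flagged), and uses Shannon entropy as the packing heuristic, since packed or encrypted sections push byte entropy close to 8 bits. The inventory, the sample contents and the thresholds are all constructed for illustration.

```python
"""Triage of a file inventory for masquerading names and packed binaries.

Added example, not from the report. Assumptions: paths are Windows paths;
the allow-list below is a reasonable default, not an authoritative one;
entropy above 7.0 bits/byte is treated as "probably packed or encrypted".
"""
import hashlib
import math
import ntpath
from collections import Counter

# File names the report lists as common, mapped to directories where the
# legitimate binary normally lives. Empty set = no known legitimate location
# (assumption for the two DLLs), so any occurrence is reported.
WATCHLIST = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
    "iprinp.dll": set(),
    "winzf32.dll": set(),
}


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is uniformly random, packed code is close to it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def deterministic_noise(n, seed=b"constructed-sample"):
    """Stand-in for a packed section: a SHA-256 chain, so the sample is reproducible."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


PLAIN_PE_LIKE = b"MZ\x90\x00" * 2048   # 8 KB of a 4-symbol pattern: entropy 2.0
PACKED_LIKE = deterministic_noise(8192)  # 8 KB of noise: entropy ~7.97

# Constructed inventory: (path, contents).
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\svchost.exe", PLAIN_PE_LIKE),                  # legitimate location
    (r"C:\Windows\Temp\svchost.exe", PLAIN_PE_LIKE),                      # wrong directory
    (r"C:\Program Files\Internet Explorer\iexplore.exe", PLAIN_PE_LIKE),  # legitimate location
    (r"C:\Users\alice\AppData\Local\iexplore.exe", PACKED_LIKE),          # wrong directory, packed
    (r"C:\Windows\System32\iprinp.dll", PLAIN_PE_LIKE),                   # watch-listed name
    (r"C:\Windows\System32\kernel32.dll", PLAIN_PE_LIKE),                 # not on the list
]


def triage(inventory, entropy_threshold=7.0):
    """Return one finding per file that trips the name or the packing check."""
    findings = []
    for path, content in inventory:
        name = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower()
        reasons = []
        if name in WATCHLIST:
            allowed = WATCHLIST[name]
            if not allowed:
                reasons.append("watch-listed name with no known legitimate location")
            elif parent not in allowed:
                reasons.append(f"masquerade: {name} outside {sorted(allowed)}")
        ent = shannon_entropy(content)
        if ent > entropy_threshold:
            reasons.append(f"likely packed/encrypted (entropy {ent:.2f})")
        if reasons:
            findings.append({"path": path, "size": len(content),
                             "entropy": round(ent, 2), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['path']} ({f['size']} bytes): " + "; ".join(f["reasons"]))
```

Three of the six sample files are reported: the svchost.exe in Temp, the iexplore.exe under a user profile (for both its location and its entropy), and iprinp.dll. Note what the checks do not catch, which is the report's point: an unpacked backdoor written into the real System32 under a name that is not on any list looks like every other file there, so name and entropy heuristics are a first filter, not a verdict, and the real signal comes from what the process does on the network.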

Mandiant's report also drew some connections between these attacks and China: The attackers mostly work during daytime hours in China, which is nighttime in the U.S., the report says. "APT-associated activity typically occurs on any given weeknight except for foreign and major U.S. holidays," the report says. "This indicates the attackers know when new information may be available for exfiltration."

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
