Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:47 PM
Connect Directly

Disclosure In The APT Age

Yet another widespread advanced persistent threat-type campaign has hit the federal government -- this one aimed at civilian agencies

This is part one of a two-part series on security in the "Age of the APT." Part two is here.

A widespread cyberespionage attack targeting high-level officials at multiple civilian federal government agencies has been under way and under investigation for months now, but the names of all of the victim agencies may never be confirmed publicly, or the extent of the damage incurred by the breaches.

Welcome to the age of the advanced persistent threat (APT)-type attack, where cyberespionage by nation-state attackers is going on all the time across government and private industry, but public disclosure by the victims is mostly voluntary, very rare, and not exactly fully forthcoming. This latest attack on civilian agencies began with what has become typical APT fashion: a clever social engineering email with a malicious but legitimate-looking attachment, according to sources familiar with the attack. That method, as well as variants using a convincing-looking URL within the message, has been used to infiltrate other agencies, Defense contractors, and corporations during the past few years.

One thing's for sure: No one is immune from these dogged attacks. "The majority of federal and nonfederal organizations that do any kind of important work of any interest, or overseas -- probably most all of them have been hacked by APT-type actors," says security expert Steven Adair of Shadowserver. Adair says victims span just about every industry, from avionics to international law to human rights.

"Literally, no one has been spared over time," he says.

Will Irace, director of research for Fidelis, echoes that sentiment: "If you find me a security practitioner who has not had a device that has been owned and compromised by an external adversary, you'll probably find a liar," he says. "All of us have been there."

So if "everyone" is getting targeted by APTs, why won't they just go ahead and speak up about it? Security experts say there's still the victim stigma that no organization wants. Government agencies fear revealing their vulnerabilities and, thus, that of the nation, while businesses worry about their shareholders or losing customers, for instance.

"This is a huge problem for the industry," says Anup Ghosh, CEO of Invincea. "One of core reasons is we haven't addressed the shame factor ... All this information is kept hush-hush, and the markets don't have the opportunity to understand what's going on. It wasn't until Anonymous and AntiSec started publicly hacking government agencies and companies that people [gained] awareness of what has actually been going on all along."

Ghosh says companies need to "get over it" and start at least sharing information among one another about the types of attacks they're experiencing. "Once you get public disclosure of what's actually happening, you're putting the dirty laundry out in the open, and now the markets can begin to address the problem."

It wasn't until Google went public two years ago about Operation Aurora -- the attack targeting the search engine giant's intellectual property, in addition to that of dozens of other U.S. corporations, including Adobe and Intel -- that ATP-borne attacks started to become a household word in business circles. But the scope of the problem was highlighted most recently with McAfee's report on the so-called Operation Shady RAT cyberespionage campaign that has been ongoing for five years, so far stealing intellectual property from 79 government agencies, international corporations, nonprofits, and others in 14 countries.

In Shady RAT, the attackers lifted sensitive government information, email, legal contracts, and design documents from their victims, which included Defense contractors. The attack began with a spear-phishing e-mail message that included a URL that, when visited, downloaded a remote access tool onto the victim's machine. That provided a foothold for the attackers to get inside and siphon information from the victim's organization.

But we still don't know all of the organizations and agencies that were targeted by Shady RAT. McAfee categorized the victims by their industries and regions, and disclosed the actual names of a few: Asian and Western national Olympic Committees, the International Olympic Committee (IOC), the World Anti-Doping Agency, and the United Nations.

Meanwhile, the APT attackers who went after U.S. civilian federal agencies in the recent attack campaign were able to wrest control of some of the victims' domain controllers and file servers, according to sources close to the attacks. Some of the breaches took months to clean up at agencies, one source with knowledge of the attacks said.

PAGE 2: Persistent doesn't mean advanced. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.