Security researchers are calling Madi an example of an advanced persistent threat, but what makes an APT an APT?

Dark Reading Staff, Dark Reading

July 19, 2012

3 Min Read

Earlier this week, security researchers at Kaspersky Lab and Seculert reported the presence of a cyber-espionage tool known as Madi (also spelled Mahdi). The malware was quickly added to a growing list of Trojans that fall under the umbrella of advanced persistent threats (APTs).

However, there were some things about Madi that weren't very advanced at all, raising the question about just what constitutes an APT.

"We see many attacks from 'APT' where the 'A' really isn't applicable," says Roel Schouwenberg, senior researcher at Kaspersky, who added he does not like the term APT because of the confusion it causes. "[These attacks are] persistent, but that's about it. But as we can see, like with Madi, persistence by itself will still get you somewhere."

The Madi attacks qualify as APT, however, because they are also go after industrial designs, meaning there is IP theft, he said. Once on a system, Madi is capable of not only stealing data from infected Windows machines, but also monitoring email and instant messages, recording audio, capturing keystrokes, and taking screenshots of victims' computers. Researchers at Seculert and Kaspersky worked in concert to sinkhole the malware's command and control servers and analyze eight months of the campaign. Their efforts uncovered a targeted attack campaign with more than 800 victims in Iran, Israel, and other countries from around the globe.

Many of the victims were discovered to be businesspeople working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, or various government agencies in the region. All totaled, multiple gigabytes of data are believed to have been uploaded from victims' computers.

To infect computers, the attackers relied on social engineering ploys designed to get users to open up PowerPoint slideshows containing the malicious file. Unlike Flame and Stuxnet, the attack did not rely on any zero-day exploits, and no evidence has been made public so far linking it to a nation-state.

The notable differences between APTs and common cyber-crimes are focus and patience, explains Richard Wang, director of North America SophosLabs, the research arm of Sophos. APTs focus on a particular target as opposed to attacking many in the hopes of success, he said.

"The additional resources of an APT attacker can provide them with tools that are unavailable to common attackers, for example the certificate compromises and zero-day vulnerabilities we have seen used," Wang says. "However some of the other tools they use can be those of more common attackers when trying to navigate a target network."

Aviv Raff, CTO of Seculert, agrees that the same tools are sometimes used by both types of attackers, but added that APT attackers also use their own custom-made malware for their operation. Opportunistic hackers on the other hand tend to use malware kits and not invest in development, he said.

In the case of Madi, the "P" in APT -- persistent -- is the key factor, he argues.

"If the attack went under the radar for long enough time it should be considered APT ... The focus in APT is not always the motive, but rather the ability to have a stealth and successful attack over a long period of time," he says.

Unfortunately, the term APT is used to describe multiple different types of threats and there is no agreed upon exact definitions, says Liam O Murchu, manager of operations at Symantec Security Response.

"Originally, it was coined to describe targeted attacks that used zero day vulnerabilities -- often in PDFs and other document formats -- that tried to stay undetected while siphoning intellectual property out of infected networks," he says. "However, the term has since been used to describe all sorts of threats doing all sorts of things. Due to this, the term APT can mean many different things depending on who is using it and what their definition is."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights