Espionage via APT or Advanced Persistent Threat Widespread

Corporate and government secrets are currently being stolen on a grand scale – can anything be done about it?


If you are one of those people not easily rattled, please have a seat and get ready to shake. A new acronym, APT, which stands for Advanced Persistent Threat, is on the scene and by many accounts describes an online threat that is virtually impossible to detect and, even worse, to eradicate. Once your company is infected, it seems hackers have access to virtually any and all information on your network. And once again, there may be nothing you can do about it.

Most of these attacks are launched through social engineering in the form of spear phishing – for example, someone poses as a friend via a social network or email and sends a link to code which launches an exploit. This, by the way, is the exact security flaw which recently hit Google; in that case a vulnerability in Internet Explorer was used to begin the infiltration.

Quite often when a company is hacked it keeps quiet, not wanting the world to know about the breach. But according to Wired, thousands of companies have been infected since 2002, and Google is one of the first to go public with such news.

“The scope of this is much larger than anybody has ever conveyed,” says Kevin Mandia, CEO and president of Virginia-based computer security and forensic firm Mandiant. “There [are] not 50 companies compromised. There are thousands of companies compromised. Actively, right now.”

What you need to know about APT attacks is that they are different from typical exploits, which may be targeting credit card information. Advanced Persistent Threats are designed for long-term espionage – siphoning off Microsoft Office files and PDFs. The files are aggregated and stored on your own network, then combined into larger archives, which are sliced into small pieces, encrypted and sent in bursts to servers which are typically in China.

Defense companies, government agencies and oil companies have been hit, and another target, which may not seem surprising, is companies doing business in China – especially law firms. In one case, a company negotiating to purchase a company in China was infiltrated and information pertaining to the negotiations was stolen by a company inside China. As you may have guessed, this information, once discovered, killed the deal.

According to the Christian Science Monitor:

In this new scenario, a single piece of malware often has multiple characteristics. Its digital signatures can morph to evade detection. At the same time, it can spin off decoys intended to be caught to make it appear as if an attack has been thwarted.

More than half of the 600 IT managers operating critical infrastructure in 14 countries reported being recently hit by “high-level” adversaries such as organized crime, terrorists or nation states, according to a new global survey of information technology executives by the Center for Strategic and International Studies in Washington late last month.

A majority of the group hit, 59 percent, said they thought their computer networks and controls systems were under “repeated cyberattack, often from high-level adversaries like foreign nation-states.”

US Director of National Intelligence Dennis Blair’s comments might be news to the Senate, but cybersecurity experts face these threats daily. The “persistent” threat he referred to, for instance, is known widely as the “Advanced Persistent Threat” or APT within the security community. It’s also shorthand for state-sponsored “foreign intelligence” operations and sometimes just “China.”

“These are not ‘slash-and-grab jobs’,” says Rob Lee, a director at Mandiant, a leading cyber security firm. “The goal of the intruder is to occupy the network. These are professionals, not people doing this at night. This is someone’s full-time job from the initial breach to lateral movement across the network, the actual occupation, then the exfiltration of data – there are clear lines of responsibility between different actors going on.”

According to Mr. Lee and other experts, the common thread in the APT is connected to China. Among 40-45 very sophisticated attacks in the past year, about two-thirds were “China related,” he said.

Shawn Carpenter, principal forensics analyst at NetWitness Corporation, concurs. He says that in a number of cases he has traced malware code back to Chinese hacker sites and to Chinese character sets in software compilers used to create the code. “You can put together some pretty compelling links that trace their way back to China,” he says.

Representatives of the Chinese Embassy regularly rebut such criticisms, as they did with a Monitor report last month on cyber attacks targeting the US oil and gas industries.

InformationWeek recently interviewed IT security firm MANDIANT, which describes an APT attack as follows:

Phase 1, Reconnaissance: Attackers will watch and take notes on who in an organization they need to target, from administrative assistants to executives. Much of this information is gleaned from public Web sites.

Phase 2, The Initial Breach: They will use spear-phishing attacks to send those identified targets an attachment with an exploit that can be used to hijack the target’s system. Any personal information the attacker knows about the source will be used to entice the target user to open the attachment.

Phase 3, Get a Network Backdoor: MANDIANT says the attackers will do what they can to get network administrative credentials. And they will also implant malware (that they centrally control) designed to avoid detection. These will be used to gain further access to more of the victim company’s infrastructure.

Phase 4, Grab User Credentials: These credentials are used to log on to endpoint systems and siphon data. MANDIANT said the typical victim organization it studied had 40 systems compromised; some had more than 150.

Phase 5, Install Attack Utilities: Now the network is being peppered with backdoors, tools to grab passwords, steal emails, and footprint the network.

Phase 6, Data Exfiltration: Continuing to move about the infected network and increasing access rights to more sensitive systems, the attackers are now compressing stolen data – imagine anything from financial data, marketing plans, research and development information – and transferring that information to an external server under the attackers’ control.

Phase 7, Maintain Persistence: The rest is a cat and mouse game: as the organization cleans and updates systems, the attackers establish additional footholds.
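The exfiltration pattern this article describes (files aggregated, combined, sliced into small encrypted pieces and sent in bursts to an external server, both in the earlier paragraph on how APT espionage works and in Phase 6 above) leaves a network-level trace a defender can look for even though the payload itself is encrypted: many outbound transfers of nearly identical size to one external host inside a short window. The Python script below is an added example, not code from the article, from MANDIANT or from NetWitness. The Flow record layout, the thresholds, and the sample flows are constructed assumptions, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for external hosts.

```python
"""Flag outbound bursts of near-uniform-size chunks to a single external host.

Added example (not from the original article). Heuristic for the chunked,
bursty exfiltration pattern the article attributes to APT intrusions. The
record layout, thresholds and sample flows below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Internal address space: RFC 1918 ranges (assumed; adjust to your own network).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, seconds since epoch
    src: str         # internal source address
    dst: str         # destination address
    dport: int       # destination port
    bytes_out: int   # bytes sent from src to dst


def is_external(ip: str) -> bool:
    """True when the address is outside the RFC 1918 ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in RFC1918)


def find_chunked_bursts(flows, window=300, min_flows=8, max_cv=0.05, min_chunk=256 * 1024):
    """Return one alert per (src, dst) pair whose outbound flows include a window of
    `window` seconds holding at least `min_flows` transfers of >= `min_chunk` bytes
    whose sizes are nearly equal (coefficient of variation <= `max_cv`).

    Equal-size chunks are the fingerprint of an archive that was sliced before
    sending; ordinary browsing produces sizes that vary by orders of magnitude.
    """
    by_pair = defaultdict(list)
    for f in flows:
        if is_external(f.dst) and f.bytes_out >= min_chunk:
            by_pair[(f.src, f.dst)].append(f)

    alerts = []
    for (src, dst), fs in by_pair.items():
        fs.sort(key=lambda f: f.ts)
        # Sliding window: keep the densest run of flows within `window` seconds.
        best, i = [], 0
        for j in range(len(fs)):
            while fs[j].ts - fs[i].ts > window:
                i += 1
            if j - i + 1 > len(best):
                best = fs[i:j + 1]
        if len(best) < min_flows:
            continue
        sizes = [f.bytes_out for f in best]
        cv = pstdev(sizes) / mean(sizes)   # relative spread of chunk sizes
        if cv <= max_cv:
            alerts.append({"src": src, "dst": dst, "flows": len(best),
                           "bytes": sum(sizes), "size_cv": round(cv, 4),
                           "span_s": best[-1].ts - best[0].ts})
    return alerts


# Constructed sample flows (not real traffic).
T0 = 1_700_000_000
_JITTER = [0, 12, -8, 5, 20, -15, 3, 9, -2, 11, -7, 4]   # a few bytes of framing overhead
SAMPLE_FLOWS = (
    # 12 chunks of ~1 MiB every 7 s from one workstation to one external host: suspicious.
    [Flow(T0 + 7 * k, "10.0.0.5", "203.0.113.10", 443, 1_048_576 + _JITTER[k]) for k in range(12)]
    # Ordinary browsing from another workstation: sizes all over the place.
    + [Flow(T0 + 30 * k, "10.0.0.7", "198.51.100.20", 443, size) for k, size in enumerate(
        [1_200, 53_000, 310_000, 8_000, 2_200_000, 640, 17_000, 91_000, 4_500, 2_800_000])]
    # Uniform 1 MiB chunks to an internal file server (backup job): internal, so ignored.
    + [Flow(T0 + 5 * k, "10.0.0.5", "10.0.0.9", 445, 1_048_576) for k in range(10)]
)


if __name__ == "__main__":
    for alert in find_chunked_bursts(SAMPLE_FLOWS):
        print(alert)
```

Only the workstation-to-external-host burst is reported; the browsing session has too few large transfers and too much size variance, and the backup job is excluded because its destination is internal. The thresholds are starting points for tuning against a baseline of your own flow records, not fixed detection rules.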

If there is any good news to be found on the matter, it may be that the above-mentioned company NetWitness has received a US patent for network analysis which may be helpful in detecting and preventing APT attacks. According to TMCnet:

The new patent is a development over its currently held patent, NetWitness’ method of capture, reassembly, port-agnostic service identification, and recursive data extraction, covering all the essentials for network and application layer network forensics. The patent, applied for in 2002, defends a core investigative technology in the NetWitness NextGen product suite, and stresses the exclusive method in which NetWitness models and systematizes the captured network data.

As voice, video and fax all ride over IP networks, there is absolutely no reason why these attacks can’t target those media as well, meaning video calls between the CEO and the board can be captured. Phone calls, voicemails, contracts… everything on the network is at risk.

Now that the extent of the problem is being made public, I hope that governments around the world get involved and create harsh penalties for countries caught in wide-scale corporate espionage. Moreover, the opportunity for security vendors seems enormous – one would imagine security experts are salivating at the potential profits to be made from helping companies and governments secure their vital information.

  • war blog
    February 8, 2010 at 5:23 am

    We need a real cyber police of experts to take care of the APT problem and law related to it, and the creation of the International SEO defence department.

  • Pascal Longpre
    May 11, 2010 at 7:58 pm

    New software by firms like or and using innovative techniques like reverse-whitelisting of digital DNA is designed to battle these kinds of threats.
