Network Detection and Response Becomes More Essential as Nation State Attacks Escalate

Phil Muncaster

On March 21, President Biden declared that US critical infrastructure is likely to soon come under concerted attack from the Kremlin. In fact, these warnings have been coming for several weeks now — ever since Russia invaded Ukraine. The surprise in cyber and national security circles is that such attacks have yet to materialize.

Indeed, Russian state hackers have proven themselves to be sophisticated and determined enemies. The SolarWinds campaign saw an estimated 1000 operatives working hand-in-hand to breach nine US government agencies. On March 24, it emerged that four Russian government hackers have been indicted for a six-year campaign targeting global energy sector organizations.

Yet as serious as this threat to US businesses and critical infrastructure is, to focus solely on Russian hackers would be dangerously myopic. In the meantime, another prolific state actor, China, has been flexing its muscles. A recent campaign that breached at least six US state governments shows why the cyber threat is constantly evolving and why network-based monitoring and zero trust are an increasingly vital foundation for effective cyber-resilience.

What happened?

The attacks were traced back to the Chinese state group APT41, which researchers have claimed is unusual in that its members are sometimes allowed to moonlight for personal gain. On this occasion, however, it would seem they were acting in the interests of Beijing in a deliberate campaign lasting almost a year (May 2021 – February 2022). The campaign may still be ongoing as the group has been observed re-compromising some of its government victims months after they were first kicked out.

Although the campaign's specific goals are still unclear, APT41 focused on exfiltrating personally identifiable information (PII) from the state governments it breached. To do so, it used a variety of new techniques, malware variants, and evasion methods.

The sophistication of APT41

APT41’s primary method for targeting its victims in this campaign appears to have been the exploitation of vulnerable internet-facing web applications, including:

  • An SQL injection in a proprietary web app.
  • A zero-day bug in a commercial application, USAHerds.
  • The exploitation of the notorious Log4Shell vulnerability, just hours after it was published.

Following this initial access, the group displayed a variety of post-compromise techniques, reinforcing its reputation as a “highly adaptable and resourceful actor.” These included:

  • Extensive reconnaissance and credential harvesting via BadPotato, which can be used to elevate user rights, and the Mimikatz password stealer. Active Directory reconnaissance was achieved by uploading the Windows command-line tool dsquery.exe. A new Dustpan malware dropper was used to deploy the popular Cobalt Strike backdoor.
  • Significant anti-analysis efforts designed to slow investigators. These included a new variant of the Deadeye launcher, with binaries split across multiple files to reduce the likelihood that forensic investigators could acquire every sample, and packaging malware with VMProtect to slow reverse engineering. APT41 also changed the VMProtect section names to evade detection by basic hunting tools.
  • Persistent work to stay hidden for long periods. This included embedding command-and-control IP addresses (i.e., dead drop resolvers) in content posted on tech community forums and then changing those resolvers frequently. APT41 also dropped the LOWKEY.PASSIVE backdoor onto infected servers and frequently configured its URL endpoints to masquerade as normal web application traffic.
  • Using Cloudflare Workers to deploy serverless code through the Cloudflare CDN, in order to enhance command-and-control communications and data exfiltration efforts.

Zero trust and network monitoring

As Mandiant concluded in its report: “through all the new, some things remain unchanged: APT41 continues to be undeterred by the US Department of Justice indictment in September 2020.”

Indeed, both hostile nation-state actors and the cyber-criminals such states harbor operate with increasing impunity. It’s also true that many financially motivated organized crime groups operate with similar levels of sophistication to state-sponsored hackers. 

Increasingly, therefore, a zero-trust approach is the best way for organizations to mitigate cyber risk. This posits that all networks should be untrusted and treated as potentially compromised. Access should be continually authenticated and verified in a risk-based manner via multi-factor authentication, and privileges minimized to reduce the attack surface. 

Most important, organizations must gain better visibility into network behavior. Even with zero trust, breaches are inevitable, which makes spotting and halting suspicious behavior as quickly as possible the best way to limit the impact of those incidents. 

Network detection and response (NDR) tools do precisely this. Even for sophisticated actors like APT41, it’s almost impossible to hide network activity. While attackers can disable endpoint agents or tamper with logs, they can't alter the traffic their implants actually generate, and they have no way of knowing whether it is being watched. This finally gives defenders the advantage. By combining network monitoring with micro-segmentation down to the workload level, organizations can make their networks more resilient and act quickly to limit the blast radius of attacks in the event they are breached.
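The C2 channels described above (dead drop resolvers, CDN-fronted Workers endpoints, backdoors masquerading as ordinary web traffic) all share one trait that endpoint evasion cannot remove: the implant must keep checking in, and machine-driven check-ins are far more regular than human browsing. The following is an added illustration, not code from this article or from Mandiant's report, of the kind of timing analysis an NDR tool performs; the hostnames and connection records are constructed.

```python
"""Toy NDR-style beacon detector over constructed connection records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_seconds, src_ip, dst_host).
# Hostnames are hypothetical (.invalid TLD) and not real indicators.
FLOWS = [
    # A workstation calling a CDN-hosted endpoint roughly every 60 s,
    # with a little jitter; destination reputation alone would not flag this.
    *[(t + (i % 3), "10.0.0.5", "example-worker.invalid")
      for i, t in enumerate(range(0, 1200, 60))],
    # Ordinary browsing: bursts of irregular requests to a business app.
    *[(t, "10.0.0.7", "intranet.invalid")
      for t in (5, 9, 140, 150, 700, 702, 1050, 1190)],
]


def find_beacons(flows, min_connections=8, max_cv=0.2):
    """Return (src, dst) pairs whose connection intervals are suspiciously regular.

    cv = stdev / mean of the inter-arrival gaps; a low coefficient of variation
    means machine-like periodicity, which is what a beaconing implant produces.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:   # too few samples to judge
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = {"count": len(stamps), "interval": avg, "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(FLOWS).items():
        print(f"possible beacon {src} -> {dst}: {info}")
```

In production the same logic runs over flow or proxy telemetry from a network sensor, which is why the check survives even when the endpoint agent or its logs have been tampered with.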

In light of heightened geopolitical tensions, critical infrastructure providers, in particular, should be looking at more intelligent ways like this to manage cyber risk.

Share this story: