What Organizations Need to Learn from APT Attacks
Recap from the June 4th, 2019 CISO/Security Vendor Relationship Podcast
by Lydia Pert
Cyber attacks have existed since the adoption of the Internet, evolving over the past few decades — from viruses and worms to malware and botnets; cyber threats continue to advance just as quickly as the Internet itself. In recent years, a new threat, the “Advanced Persistent Threat” (APT) has emerged. In the most recent CISO/Security Vendor Relationship Podcast, the Cloud Security Tip explains what organizational leaders need to be aware of when it comes to these types of attacks.
What is APT?
An “Advanced Persistent Threat” is a covert computer network attack where a cybercriminal gains unauthorized access to a network and remains undetected for an extended period. Advanced persistent threats are especially dangerous because they provide hackers with ongoing access to sensitive organizational data.
APT attacks typically have political or business motives — and can have long-lasting consequences for organizations. An ATP attack can cause temporary or permanent loss of sensitive information, disruption to organizational operations, substantial financial loss, and irreparably damage an organization's reputation.
An APT attack is not something that will happen to every single organization — but every organization needs to be aware of the ramifications, and understand a few key takeaways to improve organizational security. There are several recent examples of large-scale APT attacks that can help provide context and understanding.
Examples of APT Attacks
There are five notable attacks from over the last few years that help illustrate the significance and severity of APT:
- Titan Rain (2003)
Overseas hackers targeted the United States government in order to steal state secrets — primarily sensitive military data — by launching APT attacks against various government systems, including NASA and the FBI.
- Sykipot Attacks (2006)
Attackers leveraged Acrobat and Adobe Reader vulnerabilities in order to launch APT attacks against US and UK organizations such as defense contractors, government agencies, and telecommunications companies.
- GhostNet (2009)
Hackers exploited computers in over one-hundred countries, targeting network devices in embassies and other government facilities. Attackers gained full control of compromised devices, activating cameras and recording functions.
- Stuxnet Worm (2010)
The worm targeted Supervisory Control and Data Acquisition systems, and infected Windows machines via USB keys and then spread throughout entire networks. Stuxnet is credited with causing substantial damage to Iran’s nuclear program.
- Deep Panda (2015)
This APT attack targeted the U.S. Government's Office of Personnel Management, and compromised sensitive personnel records of over four-million individuals — and it is possible that secret service staff information was stolen as well.
These are some of the most large-scale examples to date — so how can these attacks impact organizations on a smaller scale?
APT and the Cloud
Although APT attacks are usually launched against governments and large-scale organizations, these types of attacks are still a concern for other companies — especially in regards to the cloud. Like the Cloud Security Tip explained, the cloud offers limitless volume and is used by millions of organization, all in close proximity to each other — making it an appealing target for cybercriminals because of the large quantities of available data. It becomes an ideal platform for hackers to launch an attack and distribute command-and-control files. Additionally, managed service providers who oversee and maintain cloud infrastructure for their clients can become a natural point for exploitation.
APT and VPN
This US-CERT alert includes recommendations and instructions on how to secure managed service providers (MSPs) and how to detect APT intrusions utilizing VPN. Some of the recommendations are as follows:
- Use a dedicated Virtual Private Network (VPN) for MSP connection.
- Restrict VPN traffic to and from MSP.
- Update VPN authentication certificates regularly.
- Ensure VPN connections are logged, centrally managed, and reviewed.
It is also wise to keep in mind that not all VPNs are created equal — and not all VPNs have good intentions. It was recently discovered that a VPN based in China was actually supported by a network of malware-infected nodes around the globe. The infected nodes were often associated with legitimate organizations in the US and elsewhere — this allowed cybercriminals to piggyback on the compromised organization’s good reputation and target other organizations from there. This should serve as a reminder for all leaders to make sure the technology solutions they implement are actually helping the business, not hurting it.
Wrapping it Up
While your organization might not be at a huge risk for an APT attack, there are still valuable takeaways to help anybody, anywhere. First, make sure you are in control of your network. Have access control features in place so that you decide who has access to what. Second, make sure you have ways to monitor access attempts — and make sure you are following up on unauthorized access attempts. Third, make sure your security solutions are reputable and up to the task. And finally, don’t let APT risks distract you from focusing on your basic cyber hygiene. Don’t dedicate all of your time towards preventing these rare attacks — completely forgetting about the more common threats that are brought on by internal issues such as weak employee passwords. Make sure your network is secured, not just from the major threats, but from the smaller (but equally malicious) threats, too.