
The changing face of APTs

By Kirsten Doyle, ITWeb contributor.
Budapest, 22 Apr 2014
By looking into APT attacks, we are getting insight into the most advanced techniques being used to steal information, says Kaspersky's Stefan Tanase.

"Viruses are nothing but an urban myth, like 'alligators in the New York sewer system'." This quote by Peter Norton in 1988 illustrates how much the face of malware and cyber attacks has changed.

From viruses to cyber espionage to nation state attacks, the face of malware is completely different now from a few years ago. "Stuxnet was the first example of a cyber weapon, because it showed us that code can influence, destroy or modify things in real life. It was the first malware that realised the notion of sabotage. However, it was just the beginning. It was the tip of the iceberg."

So said Stefan Tanase, senior security researcher, Global Research and Analysis Team at Kaspersky Lab, discussing some of the recent advanced persistent threats (APTs) that were active worldwide last year and a few predictions about what we might see in the near future.

We are seeing an erosion of trust as governments try to access our information, he says. "You need to be sure you are the only person with access to your information. By looking into APT attacks, we are getting insight into the most advanced techniques being used to steal information."

The first he discussed was NetTraveler, which was most active from 2010 to 2013. The group's main targets for cyber-espionage campaigns were very advanced sectors, including space exploration, nanotechnology, aerospace, drilling, energy production, nuclear power, lasers, medicine and communications.

This threat, most likely Chinese in origin, worked by targeting victims with ingenious spear-phishing e-mails carrying malicious MS Office attachments that exploited two heavily exploited vulnerabilities.

NetTraveler had a global reach, and was used to compromise over 350 high-profile victims in 40 countries. "By looking at the victims, we could see the authors were most interested in government data, as establishments targeted in the public and private sectors included government institutions, embassies, the oil and gas industry, research centres, military contractors and activists."

Thirty-two percent of those attacked were represented by diplomatic bodies and 19% were governmental institutions.

Another notorious threat uncovered by Kaspersky Lab last year, called Icefog, targeted the supply chain, affecting Windows PCs and Macs. "Calling themselves Dagger Three, Icefog was very interesting and special as it was the first cyber espionage operation that showed us these actors could act as cyber mercenaries. It was a small APT group of five to 10 members that focused on targets in South Korea and Japan, hitting the supply chain with 'surgical precision', knowing exactly what they were after, making us believe they were working under a contract."

Again, Icefog targeted advanced organisations in the military, shipbuilding and maritime operations, computer and software development, research, telecom operator, satellite operator, mass media and television sectors.

The Mask, the latest threat uncovered by Kaspersky Lab, seems to have been created by Spanish speakers, says Tanase. This particular threat intercepts all communication channels and collects the most crucial data from the target machine.

In addition, detection is highly tricky as the threat employs stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules.

He said Kaspersky Lab is identifying several trends through its scrutiny of these and several other APT attacks.

Firstly, the cost of entry is decreasing, and more APT groups are being formed. "We are also seeing the emergence of small groups of cyber-mercenaries available for hire to perform surgical hit-and-run operations."

Also, critical infrastructure and supply chain attacks are becoming more and more common.

Tanase says nobody is safe, not even high-profile entities. All we can do, he says, is make it more expensive for an attacker to reach your machine. "There is no such thing as 100% security, but we can get as close as possible, making it more and more difficult for attackers."
