Cybersecurity firms such as CrowdStrike, SecureWorks, ThreatConnect, and Fireeye’s Mandiant have all indicated that APT 28 is sponsored by the Russian government and has probably been operating since the mid-2000’s.
Similarly, Crowdstrike has suggested that APT 29 is associated with Russian agencies. Symantec believes the organization has been attacking government and diplomatic organizations since at least 2010.
The US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint analysis report, named GRIZZLY STEPPE, that provides detailed information on these two groups.
What is an APT?
An advanced persistent threat (APT) is a group of highly organized individuals, typically sponsored by a government, with the ability to coordinate sophisticated attacks. In the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide, I wrote about Mandiant’s report on APT1 operating out of China.
Mandiant concluded that the group they named APT1 operates as Unit 61398 of the People’s Liberation Army (PLA) inside China. Mandiant estimates that APT1 includes over 1,000 servers and between dozens and hundreds of individual operators and has:
- Released at least 40 different families of malware
- Stolen hundreds of terabytes of data from at least 141 organizations
- Maintained access to some victim networks for over four years before being detected
- Established footholds within many networks after email recipients opened malicious files that installed backdoors, allowing attackers remote access
Chinese officials have denied these claims.
GRIZZLEY STEPPE documents how Russian civilian and military intelligence Services (RIS) compromised and exploited networks associated with the 2016 U.S. election. Cozy Bear (APT 29) first compromised networks maintained by a US political party in the summer of 2015. Fancy Bear (APT 28) later compromised networks in the spring of 2016.
One Click Lets Them In
A common way that APTs get into a network is by sending phishing emails with a malicious link. It only takes one user to click on the link to infect the entire network. The following figure shows the overall process.
- The attacker uses open-source intelligence to identify a target. Some typical sources are social media sites and news outlets. Other times, attackers use social engineering tactics via phone calls and emails to get information on the organization, or individuals employed by the organization.
- Next, the attacker crafts a spearphishing email with a malicious link.
Spearphishing is a phishing email targeted at a single person or group. The email might include links to malware hosted on another site, and encourage the user to click the link. In some cases, this link can activate a drive-by download that installs itself on the user’s computer without the user’s knowledge. Cozy Bear (APT 29) used this technique and at least one targeted individual clicked the link.
It might indicate that the user’s password has expired and the user needs to change the password or all access will be suspended. Fancy Bear (APT 28) used a similar technique.
- The attacker sends the spearphishing email to the recipient.
- If the user clicks on the link, it takes the user to a website that looks legitimate, with text boxes for the username and password, or it might attempt a drive-by download.
- If the malicious link installed malware on the user’s system, the malware collects the user’s credentials and sends it back to the attacker. If the malicious link tricked the user into entering credentials, the website sends the information back to the attacker.
- The attacker uses the credentials to access targeted systems.
- The attacker installs malware on the targeted systems.
- This malware examines all the available data on these systems, such as emails and files on computers and servers.
- The malware gathers all data of interest and typically divides it into encrypted chunks.
- These encrypted chunks are exfiltrated out of the network and back to the attacker.
It’s worth stressing that only one user needs to click a malicious link to infect the entire network. Once attackers gain a foothold into a network, they use other techniques to increase their access. This includes using Remote Access Tools (RATs), escalating privileges, and listing all active directory accounts.
Prevent or Respond?
GRIZZLEY STEPPE includes several pages on mitigation strategies that can help prevent attacks from APTs. Of course, staff training is one method. If organizations can get individuals to understand the danger of phishing emails, these attacks can be prevented.
That’s one reason why organizations value security certifications such as the CompTIA Security+ certification. It helps more and more people understand threats, and educate others within the organization.
If organizations can’t prevent these attacks, they’ll have to respond to the losses.
Here’s a simple question to consider.
Do employees at your organization understand the risks?
In other words, is your organization actively trying to prevent these types of attacks, or is your organization willing to wait until they happen and then respond?
If you’re preparing for the Security+ exam, see if you answer this sample test question.
Security experts at your organization have determined that your network has been repeatedly attacked from multiple entities in a foreign country. Research indicates these are coordinated and sophisticated attacks. What BEST describes this activity?
C. Spear phishing
D. Advanced persistent threat
The correct answer is D. An advanced persistent threat is a group of highly organized individuals, typically from a foreign country, with the ability to coordinate sophisticated attacks. Fuzzing is the practice of sending unexpected input to an application for testing and can be used in a security assessment. Sniffing is the practice of capturing traffic with a protocol analyzer. Spear phishing is a targeted phishing attack.