Code APT: An Examination of Advanced Persistent Threats

Adam DiStefano
2017 Graduate with M.S. in Cyber Security Specializing in Cyber Operations. Follow me on Twitter @CyberSecNinja
In today's world, society is dependent upon access to information immediately. Medical professionals rely on patient information to be both accurate and rapidly accessible in seconds. The availability of this information could mean the difference between life and death. Government agencies also rely on access to reliable information in real-time, in order to make decisions that pertain to national security.  In both cases, security is essential. Whether it is ensuring the security of patient records or transmitting classified information between government agencies, the goal of all security professionals should be committed to ensuring the highest levels of confidentiality, integrity, and availability of all sensitive information.

One of the biggest threats facing all high-value targets is the advanced persistent threat, or APT. These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network components" (Curry et al., 2011). This gives these cyber criminals a higher chance of gaining access to a target network. Using tactics like social engineering, spear phishing, and even CD-ROMs that appear to be innocuous, criminal organizations can begin to gain access and lay the groundwork for their objectives. These objectives can be political in nature, as in the case of the Estonia cyber attack; they can be targeted attacks similar to the Stuxnet worm; or they can be simply to steal valuable data.

Advanced persistent threats are best understood by examining the components that make up the name. These threats are considered advanced in that they are highly sophisticated in their approach. According to a white paper published by a Hitachi Group company, the "attacker possesses skills and capabilities beyond those of the threat actor" (2015). They are persistent in that they generally go undetected and spread easily to other nodes on the network through the propagation of malware. Simply stated, APTs are highly sophisticated, well-equipped individuals or groups looking to gain entry to a system in order to retrieve information or accomplish an objective over an extended period of time. Additionally, APTs often have a very specific target. They ensure that they have a sound and comprehensive understanding of a target's assets (both human and technical) in order to exploit its vulnerabilities. Lastly, APTs generally rely on intrusion techniques to gain access to a target system, although other tactics and techniques can be employed to accomplish the objective.

As mentioned previously, the cyber attack on Estonia is one example of "transnational digital mobilization to exploit the vulnerabilities of nation-states for political purposes" (Herzog, 2011). Between April and May of 2007, Estonia's critical infrastructure was subjected to a series of distributed denial-of-service (DDoS) attacks. Many believe that these attacks were in response to the Estonian government's decision to relocate a statue honoring the Soviet liberation of Estonia from the Nazis during World War II. The relocation of the statue sparked riots across the country and "from April 27th - May 18th, distributed denial-of-service cyber attacks targeting the country's infrastructure shut down the websites of all government ministries, two major banks, and several political parties" (Herzog, 2011). It was also noted that the hackers were able to disable the email server for the parliament (Ruus, 2008).

What makes the Estonia attack an advanced persistent threat? For starters, the attackers were able to use a botnet to facilitate the attacks. Building a botnet requires sophisticated command and control functions. The fact that these botnets can hold on to zombie machines for an extended period of time, perhaps indefinitely, shows that these attackers are committed for the long haul. Additionally, many of these zombies can lie dormant for months.

The Stuxnet worm "is a computer worm that targets industrial control systems that are used to monitor and control large-scale industrial facilities like power plants, dams, waste processing systems and similar operations. It allows the attackers to take control of these systems without the operators knowing. This is the first attack we've seen that allows hackers to manipulate real-world equipment, which makes it very dangerous" ("The Stuxnet Worm", n.d.). Stuxnet used four Windows zero-day exploits in order to spread malware rapidly throughout the network. Once it has access, Stuxnet elevates its permissions to administrator level. Additionally, the worm had a number of advanced features "including a Windows rootkit, a distributed command and control network, the ability to peer-to-peer update, legitimate signed digital certificates, and various anti-virus evasion techniques" (Falliere and Murchu, 2011).

It is speculated that development of the Stuxnet worm began around the time Iranian President Mahmoud Ahmadinejad stated that Iran had successfully enriched uranium in 2006. While no single nation-state has claimed responsibility for Stuxnet, it is most plausible that Israel or the United States were indeed behind it, as this announcement put the national security of Israel and the international interests of the United States in a potentially precarious situation. The Stuxnet worm, by all appearances, had a specific target and objective. The goal was to disrupt the controllers that operate the centrifuges at the Iranian enrichment center. In fact, this attack was so advanced and sophisticated that later APTs, such as the Fanny worm, used the Stuxnet LNK exploit.

The Fanny worm was an attack launched by the Equation APT group. According to Michael Mimoso, "the group, which researchers at the Kaspersky Lab speculate has been active since 2001 - perhaps as far back as 1996" (Mimoso, 2015). What is interesting about the Equation group is that they have been linked to the developers of Stuxnet. The Fanny worm used two Windows zero-day exploits, in addition to compromised USB sticks, to gain access to the target systems. It is interesting to note that the Fanny worm used "the same LNK exploit as Stuxnet to spread but used it before Stuxnet" (Constantin, 2015). There are additional similarities between Equation's Fanny worm and Stuxnet, indicating that Fanny was the predecessor to Stuxnet. For example, Kaspersky Lab found that the programmers all followed a certain coding guideline that included implementing unique number identifiers (A Fanny Equation: "I am your father, Stuxnet", 2015).

While Stuxnet and Fanny used the same zero-day exploits to gain access to their target networks, it is important to note that they did not use the exploits in the same manner. According to an article published by Kaspersky Lab, "Stuxnet targets a specific OS version while Fanny is designed to be universal and is capable of running on multiple platforms" (A Fanny Equation: "I am your father, Stuxnet", 2015). Fanny operates by using its own modified FAT storage system in a hidden storage area. This allows the worm to remain undetected, as many operating systems ignore these files, treating them as corrupt data blocks.

The ultimate goal of the Fanny worm is to map the air-gapped networks. According to Kim Zetter, "a true air gap means the machine or network is physically isolated from the internet, and data can only pass to it via a USB flash drive, other removable media, or a firewire connecting two computers directly" (Zetter, 2014). Since the air-gapped networks are the intended target of the Fanny worm, USB sticks are essential in order to access the physically isolated nodes.

Not all APTs use such technical means to achieve their goal. Some, in fact, rely more on social engineering techniques than on malicious exploits. Darkhotel, for example, used a myriad of techniques ranging from deploying malicious .hta files and utilizing stolen certificates to spear phishing. A spear phishing message is an email that, by all appearances, comes from a trusted sender or organization. One of the biggest email scams today is the spoofed CEO email used to get a user to download malware.

One of the spear phishing campaigns used by the Darkhotel APT relies on a dropper. According to Techopedia, "droppers are programs that contain viruses that impede the functioning of targeted computers. They can install themselves onto a disk or a hard drive. They typically do not duplicate themselves as worms do. Instead, droppers launch their payloads while disguising themselves within computer systems and directories" (What is a Dropper?, n.d.). These droppers are hidden within .rar attachments whose filenames use the right-to-left override (RTLO) character. According to Pieter Arntz, on "systems that support Unicode filenames, RTLO can be used to spoof fake extensions. To do this we need a hidden Unicode character in the file name, that will reverse the order of the characters that follow it" (Arntz, 2014). The technique exists purely to disguise the real file extension from the recipient. Used in conjunction with spoofed CEO emails, one can certainly begin to see the potential of this type of APT.
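The RTLO trick Arntz describes is easy to detect mechanically, because the override is a specific Unicode control character (U+202E) that has no legitimate place in an attachment name. The following is an added example, not code from the article or from any of the cited reports: a small triage helper that a mail gateway or incident responder could run over the filenames listed inside an archive attachment. It flags bidirectional control characters, approximates what the recipient would have seen on screen, and recovers the extension the operating system will actually act on. The sample filenames are constructed for illustration and are not real Darkhotel samples; the rendering model is a deliberate simplification of the Unicode bidi algorithm that covers the single-override spoof described in the text.

```python
import os

# Unicode bidirectional control characters. U+202E (RIGHT-TO-LEFT OVERRIDE, RLO)
# is the one the RTLO trick relies on; the others are flagged too, since none of
# them belongs in an attachment filename.
RLO = "\u202e"
BIDI_CONTROLS = frozenset(
    ["\u200e", "\u200f",                            # LRM, RLM
     "\u202a", "\u202b", "\u202c", "\u202d", RLO,   # LRE, RLE, PDF, LRO, RLO
     "\u2066", "\u2067", "\u2068", "\u2069"]        # LRI, RLI, FSI, PDI
)

# Extensions a mail gateway would normally treat as executable content.
EXECUTABLE_EXTENSIONS = frozenset(
    [".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".hta", ".js", ".vbs", ".jar"]
)


def strip_bidi(name: str) -> str:
    """Remove every bidirectional control character from a filename."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate what a user sees in a mail client or archive listing.

    Simplified model of the bidi algorithm: everything after the first RLO is
    drawn right-to-left, i.e. reversed, through the end of the string. That is
    exactly the effect the single-override phishing lure depends on.
    """
    if RLO not in name:
        return strip_bidi(name)
    head, _, tail = name.partition(RLO)
    return strip_bidi(head) + strip_bidi(tail)[::-1]


def true_extension(name: str) -> str:
    """Extension the operating system will actually act on when the file is opened."""
    return os.path.splitext(strip_bidi(name))[1].lower()


def inspect_attachment(name: str) -> dict:
    """Return the evidence a triage analyst would want for one filename."""
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    shown = rendered_name(name)
    real_ext = true_extension(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        # Escaped form so the control character survives in a plain-text log.
        "raw": name.encode("unicode_escape").decode("ascii"),
        "has_bidi_control": has_bidi,
        "displayed_as": shown,
        "true_extension": real_ext,
        "extension_mismatch": has_bidi and shown_ext != real_ext,
        "suspicious": has_bidi or real_ext in EXECUTABLE_EXTENSIONS,
    }


def scan_archive_listing(names) -> list:
    """Inspect every filename from an extracted archive; return only the flagged ones."""
    return [r for r in (inspect_attachment(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample listing of a .rar attachment (illustrative names only).
    SAMPLE_LISTING = [
        "quarterly_report.pdf",
        "ann" + RLO + "fdp.exe",        # the recipient sees "annexe.pdf"
        "invoice" + RLO + "cod.scr",    # the recipient sees "invoicercs.doc"
        "setup_notes.txt",
    ]
    for finding in scan_archive_listing(SAMPLE_LISTING):
        print(finding)
```

Two points are worth noting for anyone adapting this. First, the check should run on the raw filename bytes as stored in the archive, not on a name that has already been through a display layer that may have stripped or rendered the control character. Second, the `extension_mismatch` field is the high-confidence signal: a bidi control that changes the apparent extension has no innocent explanation, whereas a bare executable extension may simply be a policy violation.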

Advanced persistent threats are going to continue to increase in prevalence for the foreseeable future. As noted in the 2011 RSA Security Brief Mobilizing Intelligent Security Operations for Advanced Persistent Threats, "the defining hallmark of APTs is their characteristics are deliberately randomized to make detection using traditional threat indicators extraordinarily difficult" (Curry et al., 2011). Attackers employing APTs utilize sophisticated tactics to accomplish their objectives and are committed for the long term. Because of this, one can postulate that the targets are of high value. This includes critical infrastructure, governmental and non-governmental organizations, financial institutions, medical facilities, data from the education sector, and more. As these attacks become more prevalent, businesses will need to educate their staff and implement systems to mitigate the risk of these threats. Both nation-states and criminal networks will continue to adopt these tactics in order to keep up with the shifting paradigm. Lastly, organizations, whether governmental, NGOs, or MNCs, will need to be adaptive and proactive in their system defense. Understanding the risks and formulating a plan to mitigate these types of attacks is paramount to an organization's operational security.

Works Cited

Advanced Persistent Threats and the Case for a Security Intelligence and Response Program. (2015). A Hitachi Group Company.

Arntz, P. (2014, January 9). The RTLO method. Retrieved April 15, 2016, from https://blog.malwarebytes.org/cybercrime/2014/01/the-rtlo-method/

Constantin, L. (2015, February 17). Fanny superworm uses decoys and cloaking techniques, and probably spawned Stuxnet. Retrieved April 12, 2016, from http://www.pcworld.com/article/2885192/fanny-superworm-likely-the-precursor-to-stuxnet.html

Curry, S., Hartman, B., Hunter, D., Martin, D., Moreau, D., Oprea, A., . . . Wolf, D. (2011, February). Managing Intelligent Security Operations for Advanced Persistent Threats. Retrieved from https://www.emc.com/collateral/industry-overview/11313-apt-brf.pdf

Darkhotel's attacks in 2015. (2015, August 10). Retrieved April 15, 2016, from https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/

Falliere, N., & Murchu, L. O. (2011, February). W32.Stuxnet Dossier Version 1.4. Retrieved April 12, 2016, from https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Herzog, S. (2011). Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses. Journal of Strategic Security JSS, 4(2), 49-60. doi:10.5038/1944-0472.4.2.3

Mimoso, M. (2015, March 11). Equation APT Group Attack Platform A Study in Stealth. Retrieved April 15, 2016, from https://threatpost.com/equation-apt-group-attack-platform-a-study-in-stealth/111550/

Ruus, K. (2008). Cyber War I: Estonia Attacked from Russia. European Affairs, 9(1-2), winter/spring. Retrieved from http://www.europeaninstitute.org/index.php/component/content/article?id=67:cyber-war-i-estonia-attacked-from-russia

Stuxnet Worm – Malware Virus Attack | Norton. (n.d.). Retrieved April 10, 2016, from http://us.norton.com/stuxnet

What is a Dropper? - Definition from Techopedia. (n.d.). Retrieved April 16, 2016, from https://www.techopedia.com/definition/54/dropper

Zetter, K. (2014, December 8). Hacker Lexicon: What Is an Air Gap? Retrieved April 6, 2016, from http://www.wired.com/2014/12/hacker-lexicon-air-gap/