A Summary of the Advanced Persistent Threat

I went to a presentation this evening from Rob Lee of Mandiant Corporation. He described what is known in information security circles as the Advanced Persistent Threat. This is a summary of what Mr. Lee discussed.

When we think of hackers attacking a network, we tend to think of “smash and grab” attacks, in which the hackers gain access to a network, take everything they can scoop up, and try to get out as quickly as possible. This is the characteristic style of attacks emanating from Eastern Europe, which aim primarily at stealing credit card numbers, bank account information, and other information that can be quickly converted into cash.

Unlike these “smash and grab” attacks, the Advanced Persistent Threat tends to target documents and email. The hackers in this case are after trade secrets, intellectual property, business plans, research and development information and other valuable information. And unlike smash and grab, an APT attack plants virtually undetectable software on your network that provides the hackers with persistent access to your internal systems. The APT software often goes undetected for months or years, even on systems with strong firewalls, intrusion detection, anti-virus software and strict auditing. So long as the APT software persists in the network, the hackers continue to siphon off documents, emails, account credentials, and any other information they want to steal.

Mr. Lee said that in tracing APT attacks on business and government targets, virtually all attacks originated in China. These attacks follow a common procedure.

The hackers typically target a C-level executive within the organization. They learn everything they can about him online, and with this information, craft a highly tailored spear-phishing email that typically includes a link to a web site designed to deliver malware.

For example, the hackers may follow an executive’s blog posts, tweets, Linked-in profile, or other source of information to learn that the target is attending a conference on a particular date. After that date, the hacker sends the executive a legitimate looking email saying he is following up on a discussion from the conference.

If the executive clicks the link in the email, he downloads the malware onto his computer. (The malware may install itself silently through a security hole in the browser, or the infected site may prompt the executive to download a plugin or some other file– which is actually the malware.)

Virtually all of the malware involved in APT attacks evades detection by anti-virus scanners. In their investigations, Mr. Lee and his colleagues found that the malware programs were typically compiled only hours before the executive downloaded them. The programs are likely recompiled every few hours, around the clock, with slight changes each time, so that they will never generate any consistent signatures in anti-virus scans.

Once the malware is on the executive’s machine, it steals the executive’s login credentials and searches for other machines on the local network. It copies itself onto another machine on the network, and often deletes itself from the executive’s machine.

From its new location, it begins to scan the network, stealing other credentials, often as users type in login names and passwords. It finds another machine that it can access and use as a repository. So at this point, the network currently has two infected machines: one containing the malware (machine A), and another containing a directory that the malware has set up as a repository for stolen documents (machine B).

The executive’s machine may no longer be infected, since the malware has deleted itself, but the executive’s machine is still being accessed from machine A, which is copying documents from it onto machine B.

The malware, by the way, often has a name like iexplore or svchost, so that when it appears in the task list, it raises no suspicion. There are typically several processes by those names running at any given time on a Windows machine, and it’s impossible to tell at a glance if one of those processes is misbehaving.

At some pre-determined time, the malware initiates an outgoing request to its controller. The outgoing request almost always uses a well-known protocol, such as ssh, ftp, or most commonly, http. Since virtually no organizations monitor outgoing requests, the malware can talk to its controller without raising suspicion.

Mr. Lee pointed out that one of the hallmarks of APT attacks is that the hackers get someone within the organization to unwittingly install the malware, and from then on, 100% of the hackers’ access to the organization’s network is initiated through outbound requests originating from behind the organization’s firewall. APT uses no port scanning, and no inbound requests of any kind. This means that firewalls and intrusion detection systems will not give you any hint that someone has even attempted to compromise your systems.

When the malware connects to its controller, often through https, the controller sends it code to execute. The malware application itself tends to be tiny. Mr. Lee said the size of the average executable was around 128k. Code of this size is not capable of doing everything the hackers want it to do, such as scanning documents and databases for important information, creating compressed archives, etc.

So the malware connects to a remote hosts, downloads more software, then saves it to a RAM disk and executes it from there, or executes the new code within its own process space. In either case, there will be no trace of the downloaded code once the process exits. Again, this is all part of keeping a low profile. One of the malware’s primary goals is to provide persistent access to the infected system.

When connected to the remote host, the malware often gets code that enables it connect to Exchange Server or another IMAP server. It logs in with all of its stolen user credentials, and copies all of the email in every account it can access. It may then scour the local network for targets of particular interest. It then compresses the emails, the documents on the repository (machine B), and any other documents it recently swiped, and sends the whole compressed archive to its controller.

It ends its run by removing the applications it loaded into memory or RAM, cleaning out the repository on machine B, copying itself to another machine on the network, and optionally deleting itself from the machine it just ran on.

There is very little evidence anywhere on the network that an infection exists, or that any data has been stolen. Mr. Lee mentioned that there may be only two things to tip you off. First, the malware tends to connect to its remote host wither weekly or monthly. The malware is patient. It wants to occupy the network as long as possible without being noticed. However, in order to run weekly or monthly, it has to either be running all the time, or it has to set up a scheduled task. When you see a scheduled task that you know you did not set up, this can be a sign of infection. The malware typically deletes the scheduled task when it moves to another machine.

Secondly, Mr. Lee pointed out, whoever is writing the malware has a very strong preference for RAR archives. RAR encryption is very hard to crack, so if anyone happens to intercept the archive that the malware created, they won’t be able to open it.

In instances where the malware runs as a continuous process disguised as svchost (or some other common Windows process name), it often creates RAR archives in its repository (machine B). These are commonly stored in .rar files.

Mr. Lee pointed out that several APT attacks were discovered simply by an administrator coming across a directory containing a set of .rar files. The files may sit in the directory for a week or a month, until the malware reconnects to its controller. The rar program is not widely used on Windows, and rar archives, or even the presence of the rar.exe program is often a sign that you need to investigate your network.

APT breaches are very hard to clean up. The APT malware typically inhabits several machines at any given time. If you remove it from one machine in your network, it can (and will) be reinstalled from another machine in the network, often within hours or days.

Cleaning up an APT infection requires a full OS reinstall on all machines on the entire network. This typically means your network is offline for several days.

Mr. Lee mentioned that once a network has been cleaned, the hackers tend to target the organization again, and as in the initial targeting, the preferred exploit is spear phishing. The hackers know that they can circumvent all of a network’s security if they can fool the right person within the organization.

Mr. Lee also mentioned a few other important points:

  • Compromised systems may be compromised for months or years before the breach is discovered.
  • Once a breach is discovered, it is very hard to tell what information was stolen.
  • Since all network connections used by the malware are outbound connections initiated from within the network, firewalls are useless. And since most organizations don’t monitor outbound requests– especially for common protocols like http and https, there is little to indicate that anything is amiss.
  • Using a hosts file with whitelists and blacklists is somewhat effective in preventing the malware from creating outbound connections, though whitelists and blacklists are easier to implement on non-user machines. Users visit thousands of websites, but machines like file servers and database servers do not need to initiate outgoing connections, and should be prevented from doing so.

In addition to government, military, and business targets, APT has begun targeting law firms, knowing that these firms hold legal documents that expose essential information about businesses and their activities. Security systems at most of the law firms that Mr. Lee and his colleagues examined tended to be much weaker than the systems at governments and other businesses. So even if you are able to keep your own systems safe, your organization’s information may still be at risk.

All in all, this was an interesting and frightening presentation. The hackers, said Mr. Lee, are very sophisticated. For every new protective measure that our security experts devise, they have an effective counter-measure, often within hours. The attackers are patient and persistent. They are in for the long haul, and are good at identifying and obtaining important information.