If this is the first time you’ve heard of APTs, you aren’t alone. Even though this kind of cyber threat has been around for nearly 15 years, it is the growing professionalism of the last few years that has driven up the number of attacks on infrastructure, and reports are shedding light on what has been happening. The American security company Mandiant, later taken over by FireEye, published a report in 2013 claiming that the Chinese state had been involved in cyber espionage as far back as 2006, targeting the USA but also other English-speaking countries. Since then, numerous groups have established themselves with their sights set on other countries and their industries, organisations and institutions, generally bankrolled by governments.
One group that appears to be making the lives of well-known German companies miserable is Winnti. One security expert, who has been investigating the activities of this Chinese hacker group for several years, was quoted as saying “any DAX corporation that hasn’t been attacked by Winnti must have done something wrong.” However, the group isn’t only infamous because of its list of well-known victims. It is also responsible for publishing the first trojan for 64-bit systems, which, carrying a valid signature, was able to undermine Windows’ own security controls.
APTs are very sophisticated attacks on the IT infrastructure of companies, institutions and organisations, or even of entire countries. Whatever the target, the motives tend to be the same: either industrial espionage or a political agenda. They use a multitude of attack vectors and are usually carried out in individual, clearly distinguishable phases.
APT attacks normally have a specific client and objective. Unlike classic attacks, which aim to spread malware as widely as possible to cause maximum damage, APTs have a different goal and therefore a completely different strategy. An attack usually aims to exfiltrate or manipulate specific data or assets, as was the case with the certificates misused by Winnti. The data that classic cybercriminals hoping to earn some money go after is of little interest to APT groups; they are far more interested in achieving a particular goal.
To find customers, these groups are known to set up organisations that make them look like serious IT consulting companies, just with a different kind of clientèle. Clients of these dubious companies can range from countries and government organisations to NGOs, institutions or other companies. In short, anyone who could potentially be a victim can also be a customer, which highlights the fact that really anyone could fall foul of this kind of attack. Take a few moments to think about whether you have any assets that could be of interest to someone else. If you do, it’s safe to assume that someone out there knows that.
To demonstrate what makes these attacks so sophisticated, it helps to break the term Advanced Persistent Threat down into its three parts.
Advanced. To carry out an attack, criminals have at their disposal a wide range of sophisticated tools, programmed specifically for the purpose, which they use to establish and manage remote access. Direct contact is also on the agenda: spies pretending to be employees report from the inside, and social engineering tactics are employed as well.
Persistent. The second word of the trio introduces a time factor. APT attacks are designed to cause lasting damage and to collect confidential information over the long term. Attackers take a very structured approach and depend on continuous interaction with the target and monitoring of its defence measures. A lot of time and effort is put into sussing out the victim, but it pays off: the more attackers know about their victim, the better the attack can be prepared and adapted to the target, and the more successful it will be.
Threat. By the time you get to the word “threat” it should be clear that this has nothing to do with a target selected at random; it is a well-planned attack. APTs aren’t automated; they are carried out by real people.
All of this combined makes an APT an unusually slow attack process that is very difficult for anyone to predict. Because the attacker adapts to the target, perhaps even mirroring its behaviour for a certain period of time, they can manoeuvre around the network undiscovered for years. Most businesses never notice what is happening until stolen intellectual property is published or huge volumes of misappropriated data are sold. Without an extremely detailed insight into the current state of your IT landscape, nobody can tell whether you have already been, or currently are, at the mercy of an APT attack.
As we already know, criminal activities are very cloak and dagger, but to keep them that way for the long haul, attackers need to embed themselves seamlessly into all of a company’s everyday activities. To do so, they leverage advanced technologies to circumvent security measures and applications without raising suspicion. As soon as the attackers find valuable information, they can begin to tap into it.
Security experts from various companies and organisations have discovered over the years that these attacks always follow the same pattern, which is split into six phases known as the APT lifecycle.
1. Reconnaissance: The first phase involves gathering information about the target. That doesn’t just mean technical details about the infrastructure such as existing hardware, software and network architecture, but also socially and economically relevant information that can generally be found in publicly accessible sources like social networks. All of this is then compiled into a kind of dossier.
2. Initial compromise: In phase two the attackers attempt to find a way in, generally using malware but sometimes via a middleman, in order to create a base within the corporate network that will then be used for an outgoing data connection. Once that has been set up, internal information about the underlying network can be gathered to gradually refine the dossier.
3. Maintaining access: This is the phase in which the attackers attempt to maintain reliable access to the systems. The search for additional access points lays the foundations for Phase 4.
4. Lateral movement: Building on Phase 3, the attackers begin to move around the corporate network and try to compromise other devices. The aim is to consolidate access while continuing to search out information about the network, and also to understand how rights are allocated. This is the phase in which sensitive data is located and access to it is established.
5. Data exfiltration: Once attackers have access to sensitive data, they can begin to sink their claws into it. Generally speaking, the data is copied or even moved to several servers around the world so that it can still be used even if one or other of the connections and storage locations is discovered. In essence, attackers have their own backup strategy and are therefore streets ahead of many German businesses.
6. Cover tracks: In the final phase, the attackers attempt to erase all trace of their presence to make it seem like they were never there. Seeing as very few tracks are made anyway, this tends to be quite simple. It is very difficult for the victim to recognise that an attack has taken place, even if it was going on for a long period of time, and that means the doors are left wide open. It is unusual for attackers to withdraw completely from the network, so they can always make return visits when they get a new order.
When extracting data from the victims’ networks, cybercriminals understand the need for their own data security. After all, this data is what they came looking for. In Phase 5 of the lifecycle the stolen data is copied onto a variety of systems, which allows the hackers to continue using it even when parts of their network have been discovered and shut down. Shockingly, companies are very naive about the importance of backups and about what happens if there aren’t any, and this can have far-reaching consequences. If data has been deleted or encrypted, recovering it is very time-consuming and may even be impossible, depending on what the attackers were tasked to do. A sophisticated backup strategy can save you a lot of time and expense, even if you have never been the victim of an APT.
Another issue is created by the continuing use of aged technologies and out-of-date security strategies by many European companies. These traditional strategies, still commonplace today, assume a company is like a castle protected by its apparently thick walls, and APT attacks can fully exploit that assumption. Security measures are, of course, at their strongest at the perimeter, but as soon as attackers breach those walls, they can move around inside the castle with ease. These vulnerabilities are open invitations for attackers. By leveraging a range of means perfectly tailored to the victim, they can get a foot in the door of your defences. Once a base camp has been set up inside the firewall, there isn’t really any resistance left to face, and if the firewall is also poorly configured, even the outer perimeter is no longer a significant hurdle.
It is not possible to be 100% protected and we all need to accept that, but there are of course ways and means of preparing yourself for a potential attack. Addressing the weak points mentioned above blunts the attackers’ arsenal. If the initial phase fails and the hackers are unable to set up camp within the target infrastructure, then the entire attack is unsuccessful, at least for a while.
This is why it is more important than ever to leverage modern security solutions such as SASE, next-generation firewalls, IAM and PAM that protect not only your perimeter but also the assets within it and the interfaces to other parts of the network. We are living in an increasingly digital world, and a growing number of applications, data and even entire infrastructures are moving into the cloud. Devices and applications are the new perimeter and must be protected accordingly. The benefit is that if a device or service is impacted, it can be isolated, checked out and any invaders removed before they can spread to other systems and services in the corporate network. In this way, every time attackers have a target in sight, they first have to get through another perimeter, making life that little bit more complicated. There is a multitude of technical and organisational measures your company can implement to make sure it is fully prepared for an attack. There isn’t the space here to go into all of them, so get in touch with one of our experts if you have any questions about these solutions or IT security in general.
More often than not, all attackers need in order to discover how to get past existing security measures is for someone to carelessly disclose some crucial information. We have therefore put together a few tips to make it much more difficult for them to get their hands on information about you, your employees and your company during Phase 1.
With the right combination of technical and organisational security measures, you can avoid a multitude of situations that would otherwise throw open the doors to an APT attack. An optimal security strategy takes your company’s requirements into consideration and can go a long way towards protecting you and your business from extensive damage. It can also help you find anomalies in user behaviour, network traffic and log files. As the criminals do everything they possibly can to stay under the radar, it is essential to know what is going on in your network at any moment and whether its state differs from the previously defined baseline. A comprehensive response to an APT therefore begins before the attack.
If you detect an attack, there are certain steps you have to take to protect yourself and others from damage.
If you are a critical infrastructure operator, such as a power station, registration office or telecommunications network provider, the incident has to be reported to the BSI as soon as an outage occurs or the availability of your service is significantly impacted, or is likely to be, as a result of the incident. You should also get in touch with the BSI if you are a search engine, digital cloud services or online marketplace provider.
The Federal Office for Information Security (BSI) clearly defines what should be included in the incident report.
All details related to the incident that are known at the time of the report must be shared with the BSI. If not all of the required information can be provided, the report should be marked as an initial report. As soon as the missing information has been collected, it should be forwarded as a follow-up or final report.
Once the final report has been sent, the company has fulfilled its obligations to the BSI, but this does not mean there are no other reporting obligations.
If the incident involves data that has been stolen, changed or deleted and this could pose a risk to the rights and freedoms of natural persons, it must be reported to your federal state’s data protection authority and the police within 72 hours. The people and businesses affected by the data theft must also be informed promptly.
As you can see, as soon as you notice something has gone wrong, there are a lot of reports to write. On top of that, you have to make sure your business can stay up and running, or get back up and running, and secure any evidence. The work involved is considerable, but carefully selected service providers can help get everything you need done within the given time frame.
Depending on how serious the incident is, you can also decide whether to let the attackers carry on for the time being. That might sound like madness, but it can be advisable to allow them to stay within your network so that you can find out more about them and how they operate, and collect valuable evidence for any court cases or insurance claims. In other cases, it is a relief to kick the invaders out of the network as quickly as possible before they can do any more damage.
Whatever the situation, it’s a good idea to get a qualified partner on board to help you implement the right measures at the right time in the event of an attack and then offer their support in the gathering of forensic evidence.
The earlier unauthorised access and suspicious behaviour in your network are uncovered, the more likely it is that you will be able to avert disaster, but this is often very difficult for individual companies. As a certified APT service provider, we support you both in detecting attacks early on and in taking the right steps after an incident.
We offer 24×7 availability throughout Germany with a total of 31 regional security teams in 16 Competence Centres who will quickly get you back up and running in the event of an attack. We are also on hand with experienced incident response and IT forensics teams who react immediately when there is a security incident, ensuring compliance with the relevant reporting deadlines as well as the preservation of evidence for use in court.
Bechtle was named a qualified APT response service provider by the Federal Office for Information Security (BSI) at the end of March 2021. The BSI’s aim is to provide the operators of critical infrastructure with an overview of the APT response service providers on the market. If you’ve been impacted by an attack and need support, we are available around the clock through our hotline.
Phone: +49 7132 981 2783