Advanced Persistent Threat (APT)
15 May 2020
SafeAeon Inc.
What is Advanced Persistent Threat (APT)?
An Advanced Persistent Threat (APT) is a network intrusion typically carried out by attackers who use a variety of tools, techniques, and procedures to maintain long-term access and escalate their privileges. APT attackers combine multiple tactics across the whole range of attack vectors, with the mission of stealing data for financial gain, industrial espionage, or intelligence gathering.
APT targets are very carefully chosen and researched. They typically include large organizations, national networks, or companies that handle highly valuable information, such as intellectual property or military plans.
The goal of most APT attacks is to gain a foothold in the organization's network and maintain ongoing access to the targeted systems, rather than to get in and out as quickly as possible. These are not hit-and-run attacks. Once the network is infiltrated, the perpetrator stays in and collects as much information as possible.
What Does a Typical APT Attack Consist of?
Network Infiltration
In this phase, network security is compromised. Bad actors use advanced methods such as zero-day vulnerabilities or social engineering attacks; one of the most common entry techniques is spear phishing. The primary purpose is to enter the victim's network and then establish a foothold in the system, for example by installing a backdoor shell, without being detected.
Extraction
At this stage, the attacker has gathered the sensitive data they need and now moves it out of the network while remaining undetected. Typically, "white noise" tactics (such as a distracting denial-of-service or a flood of decoy alerts) are used to keep the victim's security team busy so that the information can be moved out of the system.
Expansion
This phase involves moving up in the organization's hierarchy, compromising staff members with access to the most sensitive data in order to consolidate the attacker's presence on the network. The motive is to obtain root privileges in the network. This includes the use of man-in-the-middle techniques or installing keyloggers on systems to escalate privileges in specific areas of the network.
Covering tracks
In this phase, the actor deletes footprints and logs so that they are not spotted, while also maintaining their presence in the network for future operations.
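Because an APT unfolds over weeks rather than minutes, a single alert rarely tells the story; what a defender wants is to correlate indicators from the four phases above per host over time. The following Python script is an added example (not from SafeAeon or the original article) that does exactly that over a constructed set of events; the keyword-to-phase mapping and the event format are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Indicator names mapped to the four APT phases named in the article.
# The mapping is an assumption for illustration, not a standard taxonomy.
PHASE_SIGNS = {
    "infiltration": ("phishing_attachment_opened", "backdoor_installed"),
    "expansion": ("privilege_escalated", "keylogger_detected"),
    "extraction": ("large_outbound_transfer",),
    "covering_tracks": ("event_log_cleared",),
}

# Constructed sample events, one per line: "<ISO timestamp> <host> <indicator>"
SAMPLE_EVENTS = """\
2020-03-02T09:14:00 ws-17 phishing_attachment_opened
2020-03-02T09:20:00 ws-17 backdoor_installed
2020-03-21T22:05:00 ws-17 privilege_escalated
2020-04-10T01:30:00 ws-17 large_outbound_transfer
2020-04-10T01:45:00 ws-17 event_log_cleared
2020-04-11T10:00:00 ws-42 large_outbound_transfer
"""

def parse_events(text):
    """Parse the constructed log format into (timestamp, host, indicator) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, name = line.split()
        events.append((datetime.fromisoformat(ts), host, name))
    return events

def phase_of(name):
    """Return the APT phase an indicator belongs to, or None if it is unmapped."""
    for phase, signs in PHASE_SIGNS.items():
        if name in signs:
            return phase
    return None

def correlate(events, min_phases=2):
    """Return {host: {"phases": [...], "dwell_days": n}} for every host whose
    indicators span at least min_phases distinct phases, in order of first sighting."""
    per_host = defaultdict(list)
    for ts, host, name in events:
        phase = phase_of(name)
        if phase:
            per_host[host].append((ts, phase))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        phases = []
        for _, phase in hits:
            if phase not in phases:
                phases.append(phase)
        if len(phases) >= min_phases:
            dwell = (hits[-1][0] - hits[0][0]).days
            findings[host] = {"phases": phases, "dwell_days": dwell}
    return findings

if __name__ == "__main__":
    for host, finding in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(host, finding)
```

With the sample data, ws-17 is reported with all four phases and a 38-day dwell time, while ws-42, which shows only a single outbound transfer, is not.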
A Few Case Studies of APT Attacks
Stuxnet
An APT attack was carried out by US and Israeli intelligence against Iran's nuclear program, in which the Stuxnet worm took control of and sabotaged the centrifuges used to enrich uranium. Approximately 1000 centrifuges were damaged by this worm. The worm infects Windows machines via USB flash drives and specifically targets PLCs (programmable logic controllers) manufactured by Siemens.
The infection then modifies the PLCs' programming, making the centrifuges run too fast and for too long, which damages the machine parts, while the PLCs report to the computer operator that the centrifuges are working fine.
Cybersecurity researchers detected the attack in 2010. It is still considered one of the most sophisticated and complicated pieces of malware. As the nuclear facility was not connected to the internet, the attackers dropped USB drives containing the worm in its compound. An employee of the atomic program picked up a USB drive and connected it to a system, through which the infection replicated across the network.
Ghost Net
GhostNet was a cyberespionage operation first discovered in 2009. It was executed from China; the attack began with spear-phishing emails that carried a trojan horse, which led to the installation of a trojan called 'Ghost Rat' on the victim's system.
This connected the victim's system to a command and control server, through which the attacker could control the compromised computers.
GhostNet compromised computers in more than 100 countries across the world, mainly focusing on gaining access to the network devices of governmental agencies and embassies. Through this attack, the bad actors were able to access the cameras and audio recording functions of the compromised machines.