2013-02-04
Abstract
‘The general level of insight into network infiltration around the globe is becoming more informed.’ Kurt Baumgartner, Kaspersky Lab.
Copyright © 2013 Virus Bulletin
Targeted attacks, determined adversaries, or the APT. Whatever label you use, this is not a new topic, but clearly the general level of insight into the reality of network infiltration around the globe is becoming more informed. There has been at least some level of public discussion about each of the following attacks from the past year: Red October, Madi, miniFlame/SPE, Gauss, Flame, Enfal, Voho, Elderwood, and various Comment Crew attacks. More details are being presented to the public, and this is progress.
The recently reported Red October attack was unprecedented in the breadth and scope of its sustained level of occupation within diplomatic targets, heavily funded research organizations, military interests and more. This was an advanced cyber-espionage campaign that collected geo-political intelligence. The Red October crew poured out a customized toolset to penetrate deeply, blend into their targets and reach beyond. We hadn’t previously seen resurrection modules used by plug-in components entrenched in embassy networks around the world, which were prepared to be discovered and then re-entrench from the victim systems themselves. We hadn’t seen modules customized like these to suck data from individual mobile manufacturers’ devices and retrieve contacts and data. To date, we have not had fully comprehensive information presented in an organized fashion on large-scale, targeted threats. It required months of effort to collect and research the full Red October toolset, and both interesting components and changes in the components over time and per victim continue to be uncovered. For the first time, a full list of indicators based on the OpenIOC format has been released to coincide with the large Red October public release for CERTs, network admins and legitimately interested parties. Perhaps this exhaustive report is helping to move real discussion and action forward in concrete terms that have not been available during previous incidents, which were more likely pushed to generate marketing buzz than for any other purpose.
What else has changed over the past year in relation to targeted attacks? In the US, SEC guidance passed approximately a year ago was supposed to push forward public discussion and investor awareness. Unfortunately, timely, informative breach reports have not materialized. A couple of exceptions come to mind, including Adobe’s, but for the most part, organizations with breached networks (and their contractors with breached networks) seem to continue to hide or ignore the problem. On the technical side, Flash and Reader seem to be on the decline as exploitation targets at victim organizations, having been replaced with Office and Java targets. Defensive technologies and programs have improved, and public discussion around these attacks cannot be ignored at this point.
So what is in store for us this year? Offensive campaigns show no sign of letting up. Attackers will improve their toolsets, and mobile devices will come to light as an initial vector for targeted attack payloads. The demand to access data in the cloud from mobile devices as well as standard workstation/laptop devices will be exploited by the APT. Portions of various cloud implementations will be breached. Overwhelmed and underprepared CERTs across the globe will improve their capabilities, but prolonged absences in some countries (due to national holidays) will continue. Problems within critical infrastructure security will be more widely attacked – and discussed. For better or worse, some victim organizations will attempt to ‘hack back’, and full attribution and active defence will be better used and understood. Potential victims and targeted organizations will be incentivized to share data. Various categories of non-corporate victims will talk more freely about their incidents, especially human rights organizations. The concept of ‘sophistication’ will be replaced within media reports with the concept of ‘efficacy’, and quibbling over the term ‘advanced’ will finally exhaust itself. Whichever way you cut it, there will be an increased level of targeted activity this year.