Why are we naming animals on a cybersecurity site? The world would be a better place to inhabit if these were just cute animal names! Unfortunately, these are names of the most dangerous cyber organizations that deploy nefarious Advanced Persistent Threats i.e., APT attacks. They keep governments and corporate giants on their toes. APT attacks are the wars in cyberspace, generally between countries, and they can be as brutal as the wars on the battlefield.
What Is the APT Attack?
Advanced Persistent Threats, commonly known as APT attacks, are the long-planned, multi-staged attacks executed against government agencies and corporate giants. These attacks are well-organized, and most of the time, they are state-sponsored.
- Slow progression: Attackers study the target’s online systems for weeks or months, notice each security component, and research the defense mechanism thoroughly before launching a foolproof plan. They don't run on the trial-and-error method or act spontaneously when they suspect a vulnerability. They penetrate the system stealthy in the background.
- Experts on the board: APT attacks are not meant for newcomers and cybersecurity amateurs. They are executed by highly skilled professionals, who have expertise in breaking into the toughest defense walls. They use custom-built malware and advanced pieces of equipment and tools.
- Undetectable infiltration: APT attacks are known for their long-term undetectable nature. They are made in a way that even the sharpest pen testers, anti-malware software, and intrusion detection systems can’t expose them for a long period. An APT attack can stay undetectable for even five years.
- Walk-through the system: Once they get entry to the victim’s IT infrastructure through a customized malware or hacking, they don’t simply start acting quickly. They move laterally through to the system, study it, and subtly start stealing the data, eavesdropping, monitoring the actions, and weakening the defenses. They keep everything low profile to avoid any detections.
The common motives for APT attacks are:
- Eavesdropping military-related information.
- Stealing research data and intellectual properties from universities’ websites.
- Espionage sensitive political data, internal treaties information, and election-related data.
- Spying on nemesis country’s plans, strategies, and projects.
Although the main APT target is government, these attacks are occasionally launched against some of the corporates giants in healthcare, telecommunications, financial, high-tech sectors too.
Here are the three infamous APT attack vectors you should know about.
Fancy Bear, also known as APT 28, is the Russian cyber espionage group. One of the most (in)famous incident under its belt is the US presidential election 2016, in which Fancy bear was behind the email hacking of the Democratic party to manipulate the election results.
Here are the more nefarious attacks on Fancy bear’s portfolio:
- In August 2020, Fancy Bear attacked Norwegian Parliament’s e-mail system and abstracted sensitive information from affected email accounts.
- In February 2019, Fancy Bear deployed a credential phishing attack by sending phishing emails to 104 employees to trick them into sharing their login credentials, with a goal of inserting malware in the websites of Aspen Institute Germany, the German Council on Foreign Relations, and German Marshall Fund.
- February 2017, APT 28 hacked the International Association of Athletics Federations (IAAF)’s servers and accessed confidential applications received for Therapeutic Use Exemption.
- In Oct 2016, Fancy Bear exploited Microsoft’s two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel, to deploy spear-phishing attacks on a few selected high-profiled users.
- In August 2016, APT 28 deployed Spear phishing attacks on German parliament members to influence 2017’s federal elections.
- In Aug 2015, Fancy Bear executed spear phishing on the White House and NATO using a zero-day exploit of Java.
- From Dec 2014 to May 2015, Fancy Bear crippled down German federal parliament’s IT system, which forced the entire parliament to go offline for a couple of days.
If you are picturing a cute smiley kitten, hold on to your imagination as Charming Kitten we are referring to here is a dangerous Iranian state-sponsored cyber gang. Charming Kitten, which is known as ATP35 targeted Israel, U.S., and Western Europe’s academic institutes, media sector, and government agencies. They are using sophisticated phishing techniques and a backdoor Trojan named The DownPaper.
These are some of the mischief Charming Kitten has made so far:
- In April 2020, Charming Kitten was involved in the cyber-attack against Gilead Sciences Inc, which was an active player in conducting research COVID-19.
- In 2019, one of the US’s federal district courts indicted a former Air Force technical sergeant guilty of supplying classified government data to APT35.
- In 2018, APT35 made fake email accounts and social media profiles of political activists who had influence in the military sanctions placed on Iran to brainwash the people, carry out fake surveys and deliver malicious attachments.
- In 2017, it stole and leaked 1TB of data of HBO employees and shows which were not aired officially.
Double Dragon is a Chinese government-sponsored hacking group which is known as ATP41 or Wicked Panda. Their goals were espionage and individual financial gains. They deployed ATP operations in 14 countries, but their main target was the United States of America. Double dragon targeted gaming, healthcare, telecom, high-tech, travel, and educational sector. Its political agenda was to espionage high-tech industry and provide necessary information that China can utilize in its national strategies of developing high-tech instruments domestically.
According to FireEye, ATP41 used at least 46 different code families. They were noticed using six advanced tools namely:
- Malware-laden compiled HTML (.chm) files
- Credential stealers
- Master Boot Record (MBR) bootkits
In September 2020, the US Department of Justice recognized five Chinese and two Malaysian nationals as a part of the ATP41 group.
ATP attacks are big threats for all government institutes and corporate houses. But it is not easy to convict and put cybercriminals behind the bars because of the government support they receive from their respective countries. These hackers are fearless, vicious, and aggressive in their attacks because of the protection they receive from the political parties.
The best way for government institutes and enterprises is to make their defenses stronger, regularly conduct penetration testing and vulnerability scanning, and keep a keen eye on all their endpoints, servers, cloud platforms, and databases. But most importantly, provide anti-phishing training to all the employees, so they don't fall for spear phishing attacks, which is one of the commonly used APT techniques.