Invisible Intruders: The Overlooked Crisis of Cyber Espionage

24 January 2024

By Willem Zeeman

Cyber espionage vs. Ransomware:

While ransomware and financial crime receive special media and regulatory attention (understandably so, as they paralyse companies and deplete their victims’ funds), cyber espionage is sometimes still perceived as a myth… even a Hollywood flick.

During the many years of incident response at Fox-IT (part of NCC Group), we have seen our fair share of cyber espionage cases. While it’s easy to jump into each incident and live by the day, it’s also important to use that experience to keep reflecting on the current state of cyber espionage. In particular, to reflect from a point of view of how we, as a Western society, can cope with espionage actors.

Spoiler: it’s not looking too good.

It’s been many years since the term 'Advanced Persistent Threat' (APT) was first used to describe an extraordinary type of attacker. Most sources attribute it to the US Air Force in 2006; others say Google popularised it in 2010. Either way, APT is a generic term for an actor with malicious intent able to compromise IT environments while having persistent access, sometimes unseen for many months or even years.

To clarify somewhat, in comparison, ransomware actors are generally not considered APT. Different ransomware actors often overlap in their tactics, and once inside an IT environment, they tend not to be very stealthy. In general, this makes them easier to detect and eradicate. Also, the last steps of a successful ransomware attack lead to impact (e.g., the start of ransomware or data exfiltration), which the attacker eventually wants to be noticed.

APTs behave differently: they are considered sophisticated attackers who mainly work stealthily to reach their goals. The term APT encompasses both nation-state actors and advanced cybercriminals.

Nation-state actors mainly pursue government objectives, such as stealing intellectual property and acquiring insider knowledge, to gain an advantage in military developments, economic dominance, and other strategic areas.

Also, nation-state actors may have disruption as an objective when it is in the interest of their nation during a conflict. On the other hand, advanced criminals concentrate on activities like credit card theft and executing other sophisticated attacks to achieve financial gains.

Resilience against APTs is low.

Now that we have a better idea of what an APT is, how does society match up against this threat? Compared with how we fare against ransomware, the picture gives us a shaky feeling about how vulnerable society is to APTs.

Although ransomware actors are considered less advanced, we have still been fighting ransomware for years. Its impact is still significant, and the frequency of attacks shows no signs of slowing down.

APTs are different:

• They are more skilled and resourceful, continuously exploring new methods to breach organisations.

• They maintain a low profile.

• If their goals are considered important enough, a near-infinite amount of budget and resources can be used to reach them.

In contrast, ransomware actors are mainly opportunistic and will attack whatever seems possible and profitable enough for them. They typically don’t invest significant effort in compromising an entire IT environment if decent security measures are in effect.

A wealth of publicly available data, together with our own research on successful ransomware attacks, highlights the ease with which nation-state actors could infiltrate organisations, including organisations owning data that would interest nation-state actors.

APT compromises and APT resiliency:

Recently, we published an incident response case in which traces of an unknown (moderately advanced) attacker were found. The findings were documented in this blog about backdoored R1Soft software. Apart from the technical findings, what story does it tell? And what does it tell us about the current resiliency?

• 100+ hosting companies (including very well-known ones) were compromised.

• Compromises were identified based on active backdoors (we are not talking about simply being vulnerable).

• These organisations are in the IT (hosting) sector and would generally be expected to be better informed about cyber security threats.

• These organisations engaged in the unfavourable practice of making their backup solution’s management portal accessible from the public internet.

• Our teams know of the same vulnerability being exploited without resulting in the same (fingerprintable) backdoor, which means more victims exist, without a good way to map how many.

The above scenario serves as a clear example of how vulnerable many organisations are to cyber attackers. These IT companies had accumulated numerous, mostly preventable, weaknesses in their detection and defence mechanisms.

In undisclosed APT cases handled by Fox-IT (part of NCC Group), we have encountered a range of skill levels, varying from moderate to (very) high. These skilled actors demonstrated the capability to execute much more complex compromises than those outlined in the R1Soft blog post.

The deplorable state of current cyber resiliency indicates that, in many instances, these advanced threat actors may not even need to employ exceptionally sophisticated methods to reach their objectives.

So, where are they? What can we do?

First, prioritising basic security hygiene is paramount. Even advanced attackers are prone to errors, and in many cases we’ve handled, discovery was often incidental on the victim’s part. The more robust the (basic) security hygiene is and the more layered this approach, the greater the likelihood of detecting an advanced attacker, potentially already present in your IT environment for some time.

Additionally, it’s crucial not to merely assume your current security posture; instead, verify it. Conduct tests using a pragmatic and practical approach, such as employing Attack Path Mapping.

Another effective approach is to assume compromise, maintaining the belief that numerous organisations today are already victims of undetected infiltration by a nation-state. Let an external team of digital investigators who know how to think like an APT do a Compromise Assessment of your IT estate.

During a Compromise Assessment, an expert will forensically scrutinise your IT environment on a technical and non-technical level to determine the presence of undetected attackers lurking around for a while.

Preventing nation-state attacks or detecting them in a timely manner is crucial for avoiding impact in the longer term.

For instance, it guards against the risk of witnessing a successful clone of your product emerging in another country five years down the line, which may be even more destructive to an organisation than taking a few weeks of pain during a ransomware incident. And even more important, it may prevent disruption in case of a geopolitical conflict.

Willem Zeeman

Principal CIRT Consultant, Fox-IT