Advanced Persistent Threats (APTs) hit the mainstream in 2015, mostly thanks to discussion of the hack of Sony Pictures disclosed in late 2014.
“The entertainment company has reportedly lost control of more than 100 terabytes of data without the company, or its security measures, detecting the breach,” Ars Technica reported.
APT attacks — as the name implies — are quite advanced and have required access to exploits and malware capable of penetrating organizations that should be protected by some of the best security in the world. And for years they’ve been employed for the dark art of cyber espionage.
A group known as the Dukes has penetrated “governments and related organizations, such as government ministries and agencies, political think tanks and governmental subcontractors” over the course of seven years, F-Secure Labs researcher Artturi Lehtiö explained in a 2015 report that made international news.
F-Secure Labs identified the Russian government as a key backer of the group based on evidence, including a Russian error message and a tendency to keep hours similar to Moscow’s normal workday.
“Duke’s growth suggested a steady flow of resources aimed at a string of government-related targets: embassies, parliaments, and ministries of defense,” Artturi wrote. “Notably, the group never targeted the Russian government.”
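The working-hours clue mentioned above is a simple statistical check, and the false-flag point later in this piece is the reason it is only a weak indicator. As an added illustration (not F-Secure's code or data), this snippet takes a constructed set of UTC build timestamps, shifts them into candidate time zones, and scores how much of the activity lands inside an assumed Monday-to-Friday office day:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of the kind read from file headers.
# Hypothetical values chosen for illustration, not real Dukes data.
SAMPLE_TIMESTAMPS_UTC = [
    "2014-03-10T06:12:00", "2014-03-11T07:45:00", "2014-03-12T09:30:00",
    "2014-03-13T11:05:00", "2014-03-14T13:50:00", "2014-03-17T08:20:00",
    "2014-03-18T10:10:00", "2014-03-19T14:40:00", "2014-03-20T06:55:00",
    "2014-03-21T12:30:00",
]

# Assumed office hours (local time): 09:00 inclusive to 18:00 exclusive.
WORKDAY_START, WORKDAY_END = 9, 18


def parse_utc(stamps):
    """Turn ISO strings into timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def workday_fraction(timestamps, utc_offset_hours):
    """Fraction of timestamps that fall on a weekday inside office hours
    once shifted into a candidate zone (fixed offset, DST ignored)."""
    if not timestamps:
        return 0.0
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in timestamps:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and WORKDAY_START <= local.hour < WORKDAY_END:
            hits += 1
    return hits / len(timestamps)


def rank_time_zones(timestamps, candidate_offsets):
    """Candidate offsets ordered by workday fit, best first.
    Timestamps are attacker-controlled and can be planted, so the
    result is one indicator to weigh, not an attribution on its own."""
    return sorted(candidate_offsets,
                  key=lambda off: workday_fraction(timestamps, off),
                  reverse=True)


if __name__ == "__main__":
    stamps = parse_utc(SAMPLE_TIMESTAMPS_UTC)
    for off in rank_time_zones(stamps, [-5, 0, 3, 8]):
        print(f"UTC{off:+d}: {workday_fraction(stamps, off):.0%} in office hours")
```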
APT groups have generally needed the backing of nation-states or other powerful groups due to the complexity and investment required to pull off this sort of sustained attack. But that appears to be changing.
We spoke to Artturi about APT trends for 2016 and he’s seeing a landscape where threats are far more common, dynamic and even more deceptive.
- More attacks.
“For one, I think non-nation-state affiliated but equally targeted and advanced attacks will grow exponentially,” he told us.

Artturi sees this as the inevitable result of the rapid growth of the “targeted attack market,” which combines criminals selling their services to the highest bidder and targeted attack tools becoming commoditized.
- More obfuscation.
“At the same time, nation states will start moving to repurposing malware written and initially used by others, for their own purposes,” Artturi said. “We’ve already seen nation state affiliated groups evolving on the infrastructure side to make it harder to find, track and research them.”

By renting or hacking someone else’s infrastructure, attackers put a “layer of obfuscation” or deniability between themselves and their crimes.

“Next, they’ll start employing similar tricks on the toolset side. I’m expecting to see APT groups using malware developed by others — whether bought, rented or stolen/’commandeered’ — in an attempt to make it harder to tie attacks back to them simply based on choice of toolset.”

He notes we’ve already seen some examples of this, including the BlackEnergy toolkit, which was used by various criminal outfits before being employed in politically oriented attacks against Ukraine, and the Sofacy group, which “recycles” malware from the Carberp family and the Metasploit framework.
- False flags!
Beyond commoditized toolsets providing plausible deniability, Artturi expects even more industrious forms of obfuscation that regularly lead the authorities to suspect an attack was committed by the wrong person — or possibly even the wrong nation.

“Again, there have been some examples of this in the past, but I expect it to start becoming increasingly common for APT groups to try to mislead investigators by attempting to plant false leads in their tools.”
- More attackers.
“Also, hacktivists will start preferring more and more targeted attacks versus the highly opportunistic activity that we have seen so far,” he said.

With the ready availability of APT tools, he expects politically motivated groups to advance beyond denial of service attacks that take a site or a network down temporarily into attacks that do more lasting damage to targets.
- More damage.
“Finally, both nation states, criminals and hacktivists will start performing highly targeted destructive attacks,” he said. “These will likely include both attacks that just undermine the integrity of the targeted data by modifying it or corrupting it but also fully destructive attacks where data is wiped or encrypted making it totally unusable.”
Being predictable can get an online criminal sent to jail — or at least shut down. So expecting new, surprising threats always makes sense.
But the maturing APT marketplace has helped to create an environment where it’s not a question of whether most companies have been hacked — only how badly they’ve been hacked.