The U.S. Departments of State, Treasury, and Homeland Security, and the Federal Bureau of Investigation recently released a joint advisory (the “Advisory”) outlining a number of cyber theft, ransomware, and money laundering operations originating from organized hacking groups sponsored by the North Korean government. According to the Advisory, these state-sponsored hacking groups have attempted to steal as much as $2 billion through cyber-enabled thefts on financial institutions as of late 2019, and are known to use automated digital currency transactions to launder their ill-gotten gains. These cyber-theft operations are among the latest in the list of high-profile breaches these actors are believed to have been responsible for, including the WannaCry 2.0 ransomware that hit a number of hospitals and corporations in the United States and abroad in May 2017, and the Sony Pictures Entertainment breach in November 2014.
The North Korean groups mentioned in the Advisory are among a number of organized hacking groups referred to as “advanced persistent threats” or “APTs.” While we often think of a threat actor as a lone individual or small team operating for personal gain, the Advisory highlights the fact that highly organized and state-funded hacking groups are behind some of the most devastating security breaches. With this in mind, understanding APTs is increasingly important for any organization with valuable data to protect in order to prevent these attacks and the legal and regulatory exposure they may entail. This article is the first in a series of three posts exploring the security threat posed by these entities, including: (1) who APTs are and what kinds of data they seek, (2) how APTs carry out attacks, and (3) how organizations can protect themselves from APT attacks.
What is an APT?
APTs are in many ways the embodiment of the age-old cybersecurity maxim that network attacks are “not a question of if, but when.” Unlike your garden-variety “smash and grab” threat actors, APTs act with a specific goal in mind and perform hacking operations carefully over a period of months—or even years—prior to their attack. Far from opportunistic, APTs rely on careful planning and investigation of their target to execute attacks designed to exfiltrate sensitive, often highly-secured, data.
APT attacks are often surprising in their sophistication. For example, APTs are known to steal intellectual property by hacking a target’s Managed Services Provider (“MSP”) and using the MSP’s access to the target’s network to exfiltrate data. Recently, an APT created zero-day malware to intercept politically sensitive text messages handled by Linux-based SMS servers.
APT attacks are also highly targeted, sometimes attacking sophisticated entities just to reach a small number of users. For example, in June 2018, an APT injected malicious software into an ASUS software utility used to update its motherboards. Fifty thousand machines downloaded the infected software, though the APT only attacked 600 systems (all belonging to various WiFi technology vendors).
It appears that state funding enables such APT actions. Nation states, including North Korea, China, Iran, and Russia sponsor the vast majority of APTs. Typically, these states seek to advance political goals, such as sowing political discord, securing technological supremacy, or disrupting foreign government operations. Some state-sponsored APTs perform hacking services on a for-hire basis, though it is unknown whether these actions are sanctioned by their patron nations.
A small number of other APTs are independent criminal organizations acting purely for profit. Some of these APTs are of unknown origin, and are tracked simply by their preferred targets and methods of attack. Regardless of their origin and motivations, APTs tend to act with extreme patience, take great lengths to remain undetected, and use highly-specialized attacks to obtain the data they seek.
What do APTs want?
While some APTs focus purely on political gain, sensitive data such as intellectual property, personally identifiable information, and financial data are among an APT’s primary targets. This data can be incredibly valuable in the wrong hands, and as a result, companies in the healthcare, financial services, and technology industries are particularly at risk of APT activity. In some instances, such as the North Korean state-sponsored APT groups mentioned in the Advisory, APTs will even pursue financial gain to the exclusion of data. Therefore, even small businesses and enterprise organizations alike may be at risk of APT attacks focused on extortion, ransomware, or outright theft.
1. Healthcare Data and Intellectual Property
In the healthcare sector, APTs often target research and development data, such as the results of clinical trials for medical devices and pharmaceutical products. APTs may even time their attacks to take place immediately prior to the release of products with lengthy research and development cycles, so as to extract the most value from the data. Similarly, repositories of electronic medical records and patients’ personally identifiable information may be targeted by APTs either to facilitate further attacks or to exploit for financial gain.
2. Financial Services Operations and Client Data
In the financial services sector, APTs have been known to target banks, ATM operations, venture capital firms, credit reporting companies, insurance agencies, and investment firms. Unlike in the healthcare and technology sectors, APTs often seek to gain insight into the financial organization’s internal operations or high-profile clients by targeting business plans, customer records, or pricing data. Presumably, APTs seek this data to help their patron entities locate individuals of political interest or to gain a deeper understanding of financial institutions in enemy nations for further exploit. In other instances, APTs act purely for financial gain and will compromise application servers that facilitate bank transactions or attack digital currency exchanges to steal funds through fraudulent transfers and launder these funds through subsequent transactions.
3. Technical Data and Technology Intellectual Property
APTs often target the technology sector to obtain research and development data, intellectual property, and other information that can be used for provide their patron nation with a competitive edge. APTs target a range of technology companies, including consumer electronics manufacturers, security software developers, and computer networking equipment manufacturers. Technology companies may be uniquely likely to suffer collateral damage from a form of APT attack known as a “supply chain” attacks. In these attacks, APTs compromise a third party or service provider that does business with their target in order to ultimately gain access to their target’s network. As information technology products and services are integrated across a range of other critical businesses, an APT is likely to attack a technology company as a stepping stone to reach their end-goal target.
Regardless of their origin and motivation, APTs pose a significant threat to any organization dealing in highly valuable data. Medical records, financial information, intellectual property and other personally identifiable information are particularly at risk of APT compromise given the significant competitive and political advantages this information may afford. Even entities that do not handle such data may be at risk of exploitation and theft actions by APTs, such as the North Korean APT responsible for the WannaCry 2.0 ransomware attacks in 2016. Our next article in this series will explore APT attack patterns to help organizations identify and prevent these attacks.
For more information regarding this article, please contact Matthew Loffredo.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.