Our first segment on APTs focused on the nature of the APT threat and the industries and data most at risk of these attacks. This section provides an in-depth overview of APT attack patterns and specific examples of APT attacks. Generally speaking, APT attack patterns overlap with popular cybersecurity attack pattern frameworks, such MITRE’s “PRE-ATT&CK and ATT&CK” and Lockheed Martin’s “Cyber Kill Chain” framework These frameworks break down network attacks into a series of stages that explain a threat actor’s conduct at each step of the attack. Although a number of threat actors and APTs share the attack patterns these frameworks describe, APT attacks approach these steps in a unique manner.
Unlike ordinary threat actors motivated by profit or opportunity, APT attacks focus on establishing a persistent foothold in their target’s network over time, extracting as much data as possible, and remaining in their target’s network after exfiltration. From a simplified perspective, APT attacks encompass four broad stages: (1) extensive preparation and reconnaissance, (2) initial compromise of the target’s network, (3) surreptitious expansion of access, and (4) exfiltration of target data.
1. Preparation and Reconnaissance
Given the value of the data sought by APTs and the sophisticated nature of their targets, APTs spend a significant amount of time preparing an attack. This extensive preparation maximizes the chances that an APT can establish persistent access to the network with minimal chances of detection and minimal waste of the considerable resources needed to coordinate and execute their attacks. Not much is known as to how an APT initially selects a target, though presumably APTs are assigned targets by their patron-state.
In the reconnaissance stage, APTs investigate their target to obtain both technical and human intelligence. Social engineering is often key for APTs to gain their initial foothold on a network, such that information on a target’s key personnel may be as critical as information on the target’s systems and infrastructure. To this end, APTs research their targets and (if they have access to such documents) review employee resumes, organizational charts, and other data to identify the key players in an organization. Social media and other publicly available information also provide APTs with insight into an organization’s employees. Lastly, APTs perform extensive network scouting operations to map and analyze their target’s network infrastructure, domains, IP address range, and critical systems.
2. Initial Compromise of the Target’s Network
With vulnerable systems and key employees identified, APTs gain their initial point of entry into the network, often through the use of social engineering tactics and exploitation of security vulnerabilities. While APTs exhibit a number of attack methods, APTs are commonly known to engage in targeted “spear-phishing” and “supply chain” attacks in order to gain their initial access to their target’s network.
According to Trend Micro, 91% of APTs engage in “spear-phishing” tactics to compromise an organization’s network. “Spear phishing” attacks use specially-crafted phishing emails to trick a specific, often high-level, user into downloading a malicious attachment or clicking a link. Using information gained through the reconnaissance phase, APTs craft spear phishing emails that refer to the intended target directly by name or title and include attachments that appear to be legitimate documents ordinarily used by the organization. These emails may even appear to originate from a targeted employee’s superior to create a sense of criticality and time-sensitivity. The verisimilitude granted by the personal nature of these message is key to luring high-level individuals (who are often trained on the dangers of phishing) to grant APTs access to the network by clicking on these malicious links and attachments.
B. Supply Chain Attacks
Another common method of attack, known as “supply chain” attacks, provide perhaps the best example of the sophistication and specificity with which APTs operate. In a supply chain attack, the APT compromises third-party software or an outside vendor in order to gain access to a specific target. By compromising software or outside vendors integrated with their targets’ networks and businesses, APTs create a series of stepping stones leading them to the valuable data held by their ultimate target.
For example, in March 2017, an APT sponsored by the People’s Republic of China, known as “APT41” is believed to have injected a malicious backdoor into a software update for the widely-popular Windows registry cleaning tool, CCcleaner. Approximately 2.27 million users downloaded the infected version of CCcleaner, yet just 40 infected machines were subject to a subsequent attack by the APT. Using just these 40 systems, the APT compromised 11 different companies.
Similarly, APT frequently aim their supply chain attacks at managed service providers (“MSPs”),due to their the level of access multiple organizations. The People’s Republic of China sponsored an APT known as “APT10,” which is believed to be responsible for an August 2018 attack on Visma, a Norwegian MSP with over a billion dollars in business each year. According to Reuters, APT10 targeted Visma to steal intellectual property from Visma’s high profile clients, including Hewlett Packard Enterprise Co. and IBM.
These attacks are particularly challenging to predict and defend against – even if an APT cannot compromise an organization directly, the APT will simply use a related organization to reach its target indirectly.
3. Expansion of Access
With access to their target’s network secured, APTs expand their control over the target through the use of backdoors and escalation of existing network access and privileges. To this end, APTs install backdoors and malware throughout the target’s network to establish redundant points of compromise. These backdoors typically take the form of “remote access trojans” or “RATs”, which are combination keylogger and remote access malware. RATs both collect a victim’s keystrokes and screen activity, and grant access to local files and connected systems. RATs provide APTs with a constant stream of intel on their target that can be used both to expand their access to the target’s network and to execute their ultimate attack.
More so than other threat actors, APTs take great pains to minimize their chances of detection at this stage. Because an APT’s access to their target’s network relies on communication between infected systems and the APT’s command and control servers, APTs employ a number of anti-forensic methods like data obfuscation, multi-hop proxy connections, and encryption to cover their tracks. These tactics conceal command and control traffic by creating junk network data, obscuring the source of a network connection, or commingling legitimate network traffic with APT communications. APTs may even use distributed denial of service (“DDoS”) attacks to distract their targets during an attack or to disguise the true extent of their activity.
With their foothold established, APTs use privilege escalation and lateral movement to further solidify their control over the target’s network. Specifically, APTs use network credentials (often gleaned through use of RATs) to gain access to critical systems and data stores, or may use password cracking and other methods to obtain administrative-level access to key systems. This expansion of control provides APTs access to the critical data they seek and ensures that the APT can return to the target’s network in the event one means of accessing the network is discovered and closed.
4. Exfiltration of Data
After gaining access to this critical data, APTs begin their final attack by collecting target data and storing it on a staging server within the target’s network. Once collected, the APT will compress the data into an archive and encrypt it. This helps the APT avoid detection by minimizing the extracted file’s size (a large file size might attract unwanted IT attention). It also helps prevent deep-packet inspection and data loss prevention software from identifying the file as one containing sensitive data. Once the file is prepared, the APT will exfiltrate the data to an off-network storage location controlled by the APT. If the APT remains undetected after exfiltration, it will often remain in the network to execute further attacks or continue to observe its target.
Unlike ordinary threat actors, APTs use sophisticated attack methods and the stealthy, slow escalation of network access to exfiltrate their target data. Given the significant time APTs spend expanding their access to a target’s network, early identification of APT activity patterns is key to preventing an APT attack. Our next article in this series explores the practical steps organizations can take to guard themselves against APT attacks.
For more information regarding this article, please contact Matthew Loffredo.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.