Today, federal agencies are under constant attack by sophisticated and well-funded criminals and nation-states. The growing effectiveness of advanced persistent threats (APTs) continues to expose the inadequacy of conventional defenses such as firewalls, IPS, AV, and gateways.

The Issue: Federal Agencies are under constant attack and existing defenses fail to defend their networks (FireEye, 2013).

While APTs use many of the same techniques as traditional attacks, they differ from common botnets and malware because they target strategic users to gain undetected access to key assets. APTs can do insidious damage long before an organization knows that it has been hit. While blocking attacks before they can infiltrate your network is always the best means of minimizing harm, organizations under APT siege can fight back with intelligently designed incident response plans geared to their unique characteristics. APTs are to intrusion detection what stealth aircraft are to radar. They are targeted attacks designed to evade conventional detection. Once “inside” and disguised as legitimate traffic, they can establish covert, long-term residency to siphon your valuable data with impunity.

While recent headlines have focused on the most sensational examples of highly organized and well-funded attacks—Google, Adobe, RSA, Lockheed Martin, SONY, and PBS—thousands of undisclosed attacks have quietly plagued government agencies and corporations large and small worldwide.

APTs represent a fundamental shift compared to the high-profile hacking events of prior years, which commonly targeted networks. Focusing on the weakest links of your defense chain, APTs target specific system vulnerabilities and, more importantly, specific people. While the victimized organizations vary in size, type, and industry, the individuals they target usually fit the same profile: people with the highest-level access to the most valuable assets and resources.

Advanced attacks described as advanced persistent threats (APTs) involve activity largely supported, directly or indirectly, by a nation-state. Such activity aims to:

  • Steal intellectual property
  • Eavesdrop on sensitive government communications
  • Undermine the overall security of national security-related sites

U.S. Defense Secretary Leon Panetta recently remarked on the severity and scope of the threat: “We are literally getting hundreds or thousands of attacks every day that try to exploit information in various [U.S.] agencies and departments.” U.S. FBI Director Robert Mueller recently echoed the gravity of those concerns: “In the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country. Today, terrorists have not used the Internet to launch full-scale cyber attacks, but we cannot underestimate their intent.”

Why Traditional Tools Fail to Detect APTs
In a nutshell, many of the defenses employed today are ill-equipped to combat APT attacks. Firewalls, IPS, AV, and gateways are important security tools, but they continue to prove ineffective at stopping APT attacks. The reason is that they rely on approaches such as signatures and blacklisting IP addresses. By definition, these approaches cannot work against zero-day vulnerabilities: no signature exists yet for a new exploit, so nothing is matched and nothing is blocked. When highly dynamic malicious URLs are employed, a URL blacklist won’t cut it either. Against these types of attacks such tools are defenseless.

How APT Attacks Are Carried Out
APT attacks are often composed of a number of distinct yet coordinated facets, with multiple attack vectors: they can be delivered through email, through web traffic, or blended across both. Here is an overview of the different stages that make up these attacks:

  • System Exploitation – Leveraging zero-day exploits, sophisticated spear-phishing tactics, or both.
  • Malware Downloaded – Once a system has been exploited, the attacker downloads a malicious executable, such as a keylogger, Trojan, password cracker, or file grabber.
  • Callbacks and Control Established – Once the malware installs, the attacker has completed the first step of establishing a control point inside your defenses. The malware then calls out to the attacker’s servers for further instructions.
  • Data Exfiltration – Next, data acquired from the infected systems is staged for exfiltration and processed.
  • Lateral Movement – During this phase the attacker works to move beyond the initially exploited system and begins moving laterally within the target organization, accessing additional systems and gaining elevated access to important users, services, and so on.

The Requirements: What Is Needed to Combat APTs
To address these attacks, federal agencies need to be able to:

  • Detect web-based and email-based attacks that exploit zero-day vulnerabilities when they first appear on the network.
  • Expose the entire cyber-attack lifecycle by correlating intelligence across various threats and channels.
  • Produce complete cyber-forensic details of attacks that exploit web, email, file, or hybrid attack vectors.
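The following is an added example, not code from the original article or from any vendor it mentions, of what "correlating intelligence across channels" can look like in practice. It takes constructed email, web, process, and network events for two hosts (the host names, the 203.0.113.9 destination, and the log format are all invented), maps single events onto the lifecycle stages listed in the attack-stages section above, and adds two behavioural detectors: callbacks are recognised by their regular timing rather than by a URL or IP blacklist, and exfiltration by an unusually large outbound transfer. The thresholds are assumptions chosen for the sample data.

```python
"""Correlate email, web, process and network events into APT lifecycle stages.

Added illustration, not code from the original article. The log format, the
host names, the destination address and the thresholds are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not real logs): timestamp|host|channel|event
SAMPLE_LOG = """\
2013-05-02T09:01:10|ws-17|email|attachment opened: invoice.pdf.exe
2013-05-02T09:01:42|ws-17|web|GET http://cdn-update.example/a7f3.bin (executable download)
2013-05-02T09:02:05|ws-17|process|new process: C:\\Users\\jdoe\\AppData\\Roaming\\svchost32.exe
2013-05-02T09:05:00|ws-17|net|connect 203.0.113.9:443 bytes_out=512
2013-05-02T09:10:00|ws-17|net|connect 203.0.113.9:443 bytes_out=520
2013-05-02T09:15:00|ws-17|net|connect 203.0.113.9:443 bytes_out=498
2013-05-02T09:20:00|ws-17|net|connect 203.0.113.9:443 bytes_out=530
2013-05-02T11:40:13|ws-17|net|connect 203.0.113.9:443 bytes_out=48217344
2013-05-02T11:55:02|ws-17|auth|logon to fs-01 as jdoe (admin share)
2013-05-02T10:00:00|ws-22|web|GET http://intranet.example/news.html
"""

# Single-event rules: a matching event on the named channel marks the stage.
SINGLE_EVENT_RULES = [
    ("System Exploitation", "email",
     re.compile(r"attachment opened: .*\.(exe|scr|js)$")),
    ("Malware Downloaded", "web", re.compile(r"executable download")),
    ("Malware Downloaded", "process",
     re.compile(r"AppData\\Roaming\\[^\\]+\.exe$")),
    ("Lateral Movement", "auth", re.compile(r"logon to \S+ as ")),
]

# Assumed thresholds for the two behavioural detectors.
EXFIL_BYTES = 10 * 1024 * 1024   # one session sending more than 10 MiB out
MIN_BEACONS = 3                  # at least three callbacks to the same destination
BEACON_JITTER = 0.10             # ... spaced within 10% of the median interval

CONNECT_RE = re.compile(r"connect (?P<dest>\S+) bytes_out=(?P<bytes>\d+)")


def parse_log(text):
    """Split the pipe-separated sample format into (ts, host, channel, event)."""
    events = []
    for line in text.strip().splitlines():
        ts, host, channel, event = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, channel, event))
    return events


def _is_beaconing(timestamps):
    """True when connections recur at a near-constant interval (a callback pattern)."""
    if len(timestamps) < MIN_BEACONS:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    med = median(gaps)
    return med > 0 and all(abs(g - med) <= BEACON_JITTER * med for g in gaps)


def correlate(events):
    """Return {host: [(timestamp, stage, evidence), ...]} ordered by time."""
    findings = defaultdict(list)
    connects = defaultdict(list)  # (host, dest) -> [(ts, bytes_out)]
    for ts, host, channel, event in events:
        for stage, chan, rx in SINGLE_EVENT_RULES:
            if channel == chan and rx.search(event):
                findings[host].append((ts, stage, event))
        if channel == "net":
            m = CONNECT_RE.search(event)
            if m:
                n = int(m.group("bytes"))
                connects[(host, m.group("dest"))].append((ts, n))
                if n >= EXFIL_BYTES:
                    findings[host].append((ts, "Data Exfiltration", event))
    # Callback detection keys on timing, not on a URL or IP blacklist, so a
    # previously unseen destination still surfaces if it is polled regularly.
    for (host, dest), conns in connects.items():
        small = sorted(ts for ts, n in conns if n < EXFIL_BYTES)
        if _is_beaconing(small):
            findings[host].append((small[0], "Callbacks and Control Established",
                                   f"{len(small)} evenly spaced connections to {dest}"))
    for host in findings:
        findings[host].sort(key=lambda f: f[0])
    return dict(findings)


def stages_for(host, log=SAMPLE_LOG):
    """Ordered list of distinct lifecycle stages observed for one host."""
    seen = []
    for _, stage, _ in correlate(parse_log(log)).get(host, []):
        if stage not in seen:
            seen.append(stage)
    return seen


if __name__ == "__main__":
    for host, items in correlate(parse_log(SAMPLE_LOG)).items():
        print(host)
        for ts, stage, evidence in items:
            print(f"  {ts:%H:%M:%S}  {stage:<34} {evidence}")
```

Run stand-alone, the script prints a per-host timeline; for ws-17 all five stages appear in order, while ws-22 (a normal intranet visit) produces nothing. The point of the design is that no single channel tells the whole story: the email event alone is suspicious, but it is the chain of download, regular callbacks, a large outbound transfer, and a remote logon on the same host that exposes the full lifecycle the requirements above ask for.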

Most Tracked Malicious Software
Let’s take a deeper dive into three of the most tracked malicious software tools of 2013: LV, Dark Comet, and GhOstRAT. These are what are commonly referred to as publicly available remote administration tools, or RATs.

RATs pose a devastating combination of simplicity and power. They have been designed from the ground up to allow attackers to accomplish anything they wish on a target computer, from denial-of-service attacks to data theft. RATs also require little technical expertise to use and have simple GUI interfaces that let attackers click their way through a victim’s computer.

LV
McAfee Institute has tracked the use of LV in targeted cyber operations since 2012. This malware takes advantage of both email and web traffic as its attack vectors. The most common vertical targets of LV in 2013 were:

  • Education
  • High-Tech
  • Government
  • Financial Services
  • Healthcare
  • Energy and Utilities
  • Services and Consulting

GhOstRAT
McAfee Institute has tracked the use of GhOstRAT in targeted cyber operations since 2012. This malware leverages both email and web traffic as its main attack vectors.

Countries most frequently identified:

  • U.S.
  • South Korea
  • Canada
  • Switzerland
  • Germany
  • Japan

The top 3 verticals were:

  • High-Tech
  • Education
  • Financial Services

Dark Comet
McAfee Institute has tracked the use of Dark Comet in targeted cyber operations since 2012. Like GhOstRAT, this malware uses both email and web traffic as its attack vectors. The most common countries targeted by this malware are:

  • U.S.
  • South Korea
  • Canada
  • Japan
  • Switzerland
  • Germany
  • United Kingdom

Top 10 Vertical Targets: World Wide
Based on the highest number of targeted operations discovered by McAfee Institute’s global persistent threat engine in 2013, the top 10 industry verticals are listed below. They hold a wealth of intellectual property, which often plays a crucial role in national security.

  1. Education
  2. Financial Services
  3. High-Tech
  4. Government
  5. Services / Consulting
  6. Energy / Utilities
  7. Chemical / Manufacturing
  8. Telecom (Internet/Phone/Cable)
  9. Healthcare/Pharmaceuticals
  10. Aerospace/Defense/Airlines

Top 10 Countries Most Targeted by APTs
Over the course of 2017, APT actors targeted many nations around the world, seeking national security secrets and research and development data.

  1. United States
  2. South Korea
  3. Canada
  4. Japan
  5. United Kingdom
  6. Germany
  7. Switzerland
  8. Taiwan
  9. Saudi Arabia
  10. Israel

Highest Number of Unique Malware Families by Vertical
Below, industries/verticals are ranked by the number of unique malware families observed targeting them:

  • Government (Federal)
  • Services & Consulting
  • Technology
  • Financial Services
  • Telecommunication
  • Education
  • Aerospace and defense
  • Government (State & Local)
  • Chemicals
  • Energy

Top Concerns of Federal CIOs
What are federal CIOs’ top concerns, the things that keep them up at night? We asked them, and here are their responses:

  1. Cyber Security
  2. Controlling Cost
  3. Human Capital
  4. Central Agency Policy
  5. Mobility
  6. Others

APT Incident Response Plan
It’s vital that every IT organization has an APT incident response plan at the ready. Planning should start with identifying and educating the individuals and systems most likely to be targeted because of their access to important assets.

The initial response phase is critical: it covers all actions taken once an incident has been detected and prepares the ground for the investigation phase. It also prevents knee-jerk reactions that could compromise evidence, create redundant work, and lead to ineffective remediation steps. Rushing to “fix” compromised systems without performing due diligence on the attack can alert the attackers that they’ve been discovered, further undermining containment.

Furthermore, APTs are like cancers. Remediating only a subset of the infected systems will likely lead to recurring exposure. Before rushing headlong into response mode, notify the appropriate security administrators, gather as much data as possible, and construct a strategic response and remediation plan consistent with your business objectives.

The key is to ensure that all evidence is preserved and the process is documented. Post-mortem analysis of the incident’s root cause and recommendations for changes to the process are crucial. Without them, the same mistakes are likely to be repeated the next time an incident occurs.
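As an added example of the evidence-preservation step described above (this is not the article’s own procedure), the script below builds a hashed manifest over a collected evidence directory, records who collected it and when, and later re-verifies the files so that any post-collection alteration is caught before analysis. The evidence files, case id, and collector name are constructed placeholders created in a temporary directory.

```python
"""Preserve and document incident evidence with a hashed manifest.

Added illustration, not the article's own procedure. File names, the case id
and the collector name are constructed placeholders.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large images (memory dumps) are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, case_id):
    """Record path, size, modification time and hash for every file under evidence_dir."""
    root = Path(evidence_dir)
    items = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            items.append({
                "path": p.relative_to(root).as_posix(),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(p),
            })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def write_manifest(manifest, out_path):
    """Write the manifest as JSON and return the manifest's own hash for the case log."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    Path(out_path).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(evidence_dir, manifest):
    """Return the relative paths whose contents no longer match the manifest."""
    root = Path(evidence_dir)
    changed = []
    for item in manifest["items"]:
        p = root / item["path"]
        if not p.is_file() or sha256_file(p) != item["sha256"]:
            changed.append(item["path"])
    return changed


def demo():
    """Build a manifest over a constructed evidence set, then show a tampered file is caught."""
    with tempfile.TemporaryDirectory() as d:
        host_dir = Path(d) / "ws-17"          # constructed: evidence from one host
        host_dir.mkdir()
        (host_dir / "proxy.log").write_text("constructed proxy log line\n")
        (host_dir / "memory.raw").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(d, "analyst-1", "CASE-EXAMPLE-001")
        manifest_hash = write_manifest(manifest, Path(d) / "manifest.json")
        before = verify_manifest(d, manifest)          # expected: []
        (host_dir / "proxy.log").write_text("altered after collection\n")
        after = verify_manifest(d, manifest)           # expected: ["ws-17/proxy.log"]
        return len(manifest["items"]), before, after, len(manifest_hash)


if __name__ == "__main__":
    print(demo())
```

The hash returned by write_manifest is meant to be written into the case log (or signed) at collection time; a later verify_manifest run against the stored manifest then documents that the evidence analysed is the evidence collected, which is exactly the preservation and documentation the response plan calls for.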
