Advanced persistent threat attacks can be traced as far back at the 1980s, with notable examples including The Cuckoo’s Egg, which documents the discovery and hunt for a hacker who had broken into Lawrence Berkeley National Laboratory. In this early example the hacker, Markus Hess, had been engaged for several years in selling the results of his hacking to the Soviet KGB. The extraordinary tactics and lengthy period of hacking mark this out as a classic early APT. However, APTs as they are understood today are a 21st century phenomena, utilising highly sophisticated tactics and often involving large groups of co-ordinated individuals using complicated technical infrastructure including extensive numbers of command and control (C2) hosts of computers.
Some of the most notable 21st century APT attacks include:
Titan Rain (2003)
In 2003 hackers based in China began a series of far-ranging cyberattacks against U.S government targets with the aim of stealing sensitive state secrets, in an operation nicknamed Titan Rain by U.S investigators. The hackers’ focus was on military data and included APT attacks on high-end systems of organisations such as NASA and the FBI. The level of sophistication used in the attacks led Adam Paller, SANS Institute research director, to state “no other organisation could do this if they were not a military”. The attacks caused some friction between the U.S and Chinese governments. Many security analysts pointed the finger at the Chinese military (People’s Liberation Army) as the source of the attacks.
Sykipot Attacks (2006)
Sykipot attacks leverage vulnerabilities in Adobe Reader and Acrobat and are part of a long-running series of cyberattack campaigns aimed primarily at U.S and U.K organisations including defence contractors, telecommunications companies and government departments. The attackers consistently used targeted emails containing either a link or malicious attachment containing zero-day exploits. This point of entry method to corporate and government systems, known as spear-phishing, is the most commonly used tactic in APT attacks.
GhostNet (2009)
GhostNet is the name that researchers gave to a large scale cyberespionage operation that was first detected in 2009. Carried out in China, the attacks were successful in compromising computers in over 100 different countries with a focus on infiltrating network devices associated with embassies and government ministries. The operations were largely viewed as China’s attempts to position itself as leaders of an emerging “information war”. These attacks were characterised by their frightening capability to control compromised devices, turning them into listening devices by remotely switching on their camera and audio-recording functions.
Stuxnet Worm (2010)
Considered at the time to be one of the most sophisticated pieces of Malware ever detected, the Stuxnet Worm was used in operations against Iran in 2010. Its complexity indicated that only nation state actors could have been involved in its development and deployment. A key differential with Stuxnet is that, unlike most viruses, the worm targets systems that are traditionally not connected to the internet for security reasons. It instead infects Windows machines via USB keys and then propagates across the network, scanning for Siemens Step7 software on computers controlling a PLC (programmable logic controllers). The operations were designed to provide the hackers with sensitive information on Iranian industrial infrastructure.
Deep Panda (2015)
A recently discovered APT attack affecting the US Government's Office of Personnel Management has been attributed to what’s being described as on-going cyberwar between China and the U.S. The latest rounds of attacks have been referred to using a variety of different codenames, with Deep Panda being among the most common attribution. The attack on OPM in May 2015 was understood to have compromised over 4million USpersonnel records with fear that information pertaining to secret service staff may also have been stolen.
Simon Heron is the CTO at https://www.redscan.com, a managed security company, where he is responsible for developing the overall business and technology strategy and growth. Heron has more than 16 years’ experience in the IT industry, including eight years’ experience in internet security. During this time he has developed and designed technologies ranging from firewalls, anti-virus, LANs and WANs. He has an MSc in Microprocessor Technology and Applications, and a BSc in Naval Architecture and Shipbuilding and is a Certified Information Systems Security Professional (CISSP) and is a PCI-DSS Implementor (PCI-IM).