Now a leading computer forensic firm is providing the closest look so far at the nature of the attacks, and attackers, that struck Google and others. The report never mentions Google by name, or any other companies, but focuses on information gathered from hundreds of forensic investigations the firm has conducted that are identical to what we know about the Google hack.
What the information indicates is that the attack that hit Google is identical to publicly undisclosed attacks that have quietly plagued thousands of other U.S. companies and government agencies since 2002 and are rapidly growing. They represent a sea change from the kinds of attacks that have commonly hit networks and made headlines.
“The scope of this is much larger than anybody has every conveyed,” says Kevin Mandia, CEO and president of Virginia-based computer security and forensic firm Mandiant. “There [are] not 50 companies compromised. There are thousands of companies compromised. Actively, right now.”
Mandiant released the report last week at a closed-door cybercrime conference, sponsored by the U.S. Defense Department, in an effort to make companies aware of the threat.
The firm has been investigating the Google breach and many of the most high-profile breaches of the last few years, such as those that occurred at credit and debit card processors Heartland Payment Systems and RBS Worldpay. Unlike those latter attacks, however, the breed of attacks that struck Google and others is markedly different.
Advanced Persistent Threats
Called Advanced Persistent Threats (APT), the attacks are distinctive in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion programs. What’s more, the intrusions grab a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures.
“APT is a very unique threat,” Mandia says in a recent telephone interview.
The Heartland and RBS attackers, and other criminal hackers of their ilk, tend to use SQL injections attacks to breach front-end servers. The APT attackers, however, employ undetectable zero-day exploits and social engineering techniques against company employees to breach networks.
The non-APT hackers target only financial data or sensitive customer data for identity theft, while the APT attackers never target such data. Instead, their focus is espionage. They attempt to take every Microsoft Word, PowerPoint and Adobe PDF document from every machine they compromise, as well as all e-mail, says Mandia.
The non-APT hackers also employ smash-and-grab guerrilla tactics and are fairly easy to kick off a network once a company discovers them, Mandia says. After they grab what they want, they have little interest in hanging around. APT attackers, however, aim to establish a long-term occupying force inside a company’s perimeter.
Last year, for example, an unidentified defense contractor discovered 100 compromised systems on its network, and found that the intruders had been inside since at least 2007.
APT attackers also appear to be well-funded and well-organized. In some cases, Mandiant has found multiple groups inside a network, each pursuing their own data in a seemingly uncoordinated fashion.
No one is immune to APT attackers, who have struck defense contractors and government agencies as well as private companies and law firms. A recent story revealed that three U.S. oil companies were hacked in what appears to be an APT attack. The attacks have been little-known outside government and computer security circles until now because companies have been loathe to admit they’ve been breached — Google is the exception — or share details of how they were hacked.
Many entities don’t discover a breach until someone from law enforcement tells them. By then, it’s too late.
“By the time the government is telling you, you’ve already lost the stuff you didn’t want to lose usually,” Mandia says, noting that it’s generally not possible to ascertain everything that an attacker took.
One series of attacks last year involved a spear-phishing campaign that targeted an unnamed, high-ranking counterterrorism official, and two entities described as coordinators of local, state and federal intelligence. From Mandiant’s description, it appears these refer to a local fusion center and a federal counterterrorism center. The report doesn’t indicate how successful the attacks were other than to say the intruders stole e-mail and information that helped them map networks and locate valuable data.
Mandiant’s agreements with clients prevent it from disclosing the names of its forensic customers.
One mark of APT attacks is that they have especially hit companies with dealings in China, including more than 50 law firms.
“If you’re a law firm and you’re doing business in places like China, it’s so probable you’re compromised and it’s very probable there’s not much you can do about it,” Mandia says.
In 2008, Mandiant investigated a breach at a law firm that was representing a client in a lawsuit related to China. The attackers were in the firm’s network for a year before the firm learned from law enforcement that it been hacked. By then, the intruders harvested thousands of e-mails and attachments from mail servers. They also had access to every other server, desktop workstation and laptop on the firm’s network.
In another case, a Fortune 500 manufacturer was in discussions to acquire a Chinese corporation when it was notified by law enforcement agents that it had been hacked.
The attackers sent targeted spear-phishing e-mails to four key U.S. executives involved in the acquisition discussions that appeared to come from a colleague. When the executives clicked on a URL in the e-mail, malware loaded to their machines. Within a short time, the attackers had administrative rights on the majority of the company’s computers. They were able to read e-mail containing critical information about the company’s negotiating strategy — days before the negotiations took place. After discovering the breach, the company abandoned its plan to acquire the Chinese firm.
The vast majority of the activity the Mandiant firm has witnessed has been linked to China, according to its report.
“All we’re saying is that the majority of the data that gets exfiltrated ultimately finds its way to IP addresses in China, and that’s pretty much all anybody knows,” Mandia says.
Attack Techniques
While APT attacks are sophisticated, they use simple techniques to gain initial entry and, once inside, adhere to a pattern.
For starters, the attackers conduct reconnaissance to identify workers to target in spear-phishing attacks — such as key executives, researchers and administrative assistants who have access to sensitive information — and then send malicious e-mails or instant messages that appear to come from a trusted colleague or friend.
The e-mails have an attachment or link to a ZIP file containing zero-day malware that exploits Microsoft Office or Adobe Reader vulnerabilities. Google employees received an e-mail with malware that exploited a vulnerability in Internet Explorer 6 that Microsoft had not yet publicly disclosed.
Once the attackers have a foothold on one system, they focus on obtaining elevated access privileges to burrow further into the network. They do this by grabbing employee password hashes from network domain controllers — and either brute-force decrypt them or use a pass-the-hash tool that tricks the system into giving them access with the encrypted hash.
At this point, they move laterally through the network, compromising systems as they go and using other exploits to attack additional vulnerabilities. The systems being compromised are Windows systems.
Stolen e-mail messages and documents are collected and stored on a staging server inside the company’s network before being encrypted with custom algorithms and compressed into an .rar file. The files are then siphoned out in small random bursts generally via normal protocols with spoofed headers to disguise the activity. In the case of the Google hack, the attackers used an SSL port but a custom protocol.
Some of the more sophisticated malware the attackers use is packed, using customized packers, to make it harder for investigators to reverse engineer and determine what it’s doing. Attackers also use self-destructing malware that erases itself if it fails to reach its destination.
The attacks go undetected because most victims only monitor data coming into networks, not inside a network or going out of it. Spear-phishing attacks and zero-day exploits often circumvent protections against data coming in, and data being siphoned out is generally disguised to resemble legitimate traffic.
APT attackers have used sniffers to grab headers from a company’s authenticated proxy communications to dynamically create their own credentials to mimic the communication. They’ve also spoofed Yahoo and AOL SSL certificates and hijacked a victim’s chat program to conduct communication between malware and command servers.
Two other methods they use to disguise their activity are process injections and so-called stub malware.
In a process injection, they introduce malicious code into a trusted process already running on a system to conceal malicious activity. Stub malware is code with only minimal functionality — to keep its footprint small. The attackers then remotely add new capabilities to it, which run in the network’s virtual memory.
“[They would simply code new executable segments that could be uploaded and executed via the stub’s process in memory, without requiring a disk-write to succeed,” the report notes. “It was difficult to detect these additional capabilities unless memory was analyzed at the same time the new capability was uploaded and executed.”