Advanced Persistent Threat, a targeted threat. It is a malware created with the intent of penetrating a specific system or organization. If we compare malware to bombs, then a “regular virus” is similar to the carpet bombings often seen in old World War II movies, where thousands of bombs are released over a large area in the hopes that at least a few will hit their targets. An APT then is like a guided missile. It is so well tuned that it’s akin to a missile hitting a specific window of a specific building. The word “persistent” in the acronym APT refers to the human component in the operation of the malicious software: a human operator remotely monitors and guides the actions of the APT.

These attacks are advanced in the sense that the attack strategies and exploitation techniques they utilize are tailored, highly sophisticated, span multiple attack vectors, and are stealthy. They are persistent in the sense that they establish a strong foothold within the target infrastructure, pursue their objectives over extended periods of time, and adapt to defense mechanisms deployed to thwart them.

Carried out by nation-states, hacktivist groups, or independent parties, this threat manifests as gaining unauthorized access to a network and remaining undetected there for an extended period of time.

TTPs and Lifecycle of an Advanced Persistent Threat

To understand the Tactics, Techniques and Procedures (TTPs) that Advanced Persistent Threat actors use, we first need to understand the life cycle of an Advanced Persistent Threat.


2010 Stuxnet APT – Stuxnet was discovered in 2010 after an unprecedented attack on an Iranian uranium enrichment facility. At that time, it was the most complicated and sophisticated malware ever known. Yet it wasn’t its technological sophistication that made it so prominent in the relatively short history of computer viruses. The Stuxnet attack was a terrifying display. It illustrated to us how weak and exposed the industrial infrastructures that we all depend on are to cyber attacks —including nuclear reactors and petrochemical factories. But it was more than a wake-up call.

Tactics, techniques and Procedures used by Stuxnet

Stuxnet’s infiltration process began when an infected USB was connected to a PC by one of the industrial facility’s employees. It then took over the computer and traveled inside the network, skipping from computer to computer, until it found one that belonged to the facility’s industrial control system—for example, a computer that controls an assembly line. Stuxnet checked whether software called Step7, made by Siemens, was installed on the PC. If Step7 was on the PC, Stuxnet hacked it using a secret password that was built into the software. Next, Stuxnet looked for a specific type of control equipment called a PLC. Stuxnet intercepts requests to read, write, and locate blocks on a Programmable Logic Controller (PLC). By intercepting these requests, Stuxnet is able to modify the data sent to, and returned from, the PLC, without the knowledge of the PLC operator.

Processing nuclear material for use in energy plants and weapons requires purification by industrial centrifuges. The Stuxnet malware attacked the Supervisory Control and Data Acquisition system, an industrial control system used to manage the centrifuge’s speeds and cycles. In this case, the malware made tiny pressure adjustments and speed control changes, thus ruining the work by causing vibrations, and in some cases spinning the centrifuge out of control.

Stuxnet uses four zero-day exploits, a Windows rootkit, the first known PLC rootkit, antivirus evasion techniques, peer-to-peer updates, and stolen certificates from trusted CAs.

Delivery Mechanism – A careful analysis of the Stuxnet malware revealed that the delivery mechanism was human: in particular, an Iranian nuclear scientist’s laptop and memory sticks.

Lesson Learned – We learn from Stuxnet and change our perception and attitude toward industrial network security. We should adopt a new “need to know” mentality of control system communication. If something is not explicitly defined, approved, and allowed to communicate, it is denied. This requires understanding how control system communications work, establishing that “need to know” in the form of well-defined security enclaves, establishing policies and baselines around those enclaves that can be interpreted by automated security software, and whitelisting everything. Measures include Layer 7 application session monitoring to discover zero-day threats and to detect covert malware communications, clearly defined security policies to be used in the adoption of policy-based user, application, and network whitelisting to control behaviour in and between enclaves.
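The "need to know" enclave model described above can be expressed at the host level as a default-deny firewall policy with a short explicit allowlist. The following is an added example, not code from the article or from any vendor, for a Windows engineering workstation inside an ICS enclave, built with the Windows Defender Firewall cmdlets. The PLC subnet, the jump host address and the engineering tool's path are constructed placeholders; the use of TCP/102 (ISO-TSAP, the port Siemens S7 communication uses) is an assumption about the environment.

```powershell
# Added example, not from the article: a host-level "need to know" allowlist for a
# Windows engineering workstation inside an ICS enclave, using the Windows Defender
# Firewall cmdlets (NetSecurity module, Windows 8 / Server 2012 and later).
# Constructed assumptions: the PLC enclave is 10.10.20.0/24, the management jump host
# is 10.10.1.5, the engineering tool's path is a placeholder, and PLC communication
# uses TCP/102 (ISO-TSAP). Run from an elevated PowerShell session.

$PlcSubnet      = '10.10.20.0/24'                                # constructed enclave range
$JumpHost       = '10.10.1.5'                                    # constructed management host
$EngineeringApp = 'C:\Program Files\Vendor\EngineeringTool.exe'  # placeholder path

# 1. Default deny in both directions on every profile: a flow that is not explicitly
#    defined and allowed is dropped, and the drops are logged for the monitoring team.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block -LogBlocked True

# 2. The one outbound flow that is "need to know": the engineering application, and
#    only that program, may open TCP/102 towards addresses in the PLC enclave.
New-NetFirewallRule -DisplayName 'ICS-Allow-EngineeringTool-to-PLC' `
    -Direction Outbound -Program $EngineeringApp -Protocol TCP -RemotePort 102 `
    -RemoteAddress $PlcSubnet -Action Allow -Profile Any

# 3. The one inbound flow: remote administration only from the designated jump host,
#    so native remote-access tooling cannot be reached from anywhere else.
New-NetFirewallRule -DisplayName 'ICS-Allow-RDP-from-JumpHost' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $JumpHost `
    -Action Allow -Profile Any

# 4. Baseline review: the set of enabled allow rules IS the enclave policy, so list it
#    and compare it with the documented "need to know" before the host goes into service.
Get-NetFirewallRule -Enabled True -Action Allow |
    Select-Object DisplayName, Direction, Profile |
    Sort-Object Direction, DisplayName |
    Format-Table -AutoSize
```

Windows Firewall gives explicit block rules precedence over allow rules, so the allowlist relies on the profile defaults for the deny and adds no competing block rules. Setting the outbound default to Block over a remote session will cut off that session unless the management channel is allowed first, so create the inbound rule before changing the profile defaults, and review the log of blocked flows for a few days before treating the baseline as final.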

Refer to ASD E8 strategy

(2012 – 2018) Slingshot APT – State-sponsored, and one of the longest-undetected and most sophisticated Advanced Persistent Threats in history. Kaspersky labelled Slingshot one of the most advanced attack platforms ever uncovered.

Tactics, techniques and Procedures used by Slingshot

1) Slingshot employed extremely sophisticated tactics and techniques to gain kernel-level access to the infected systems. If a process can run at the kernel level, it has the capability to execute code and otherwise manipulate the host system at will as well as hide itself from intrusion detection systems on the host machine.

2) How Slingshot entered – ipv4.dll: this library was placed by the APT and is, in fact, a downloader for other malicious components. Winbox Loader (a utility used for Mikrotik router configuration) downloads this ipv4.dll library to the target’s computer, loads it in memory and runs it.

3) Slingshot would load a number of modules onto the victim device, including two huge and powerful ones: Cahnadr, the kernel mode module, and GollumApp, a user mode module. The two modules are connected and able to support each other in information gathering, persistence and data exfiltration.

4) Disables the disk defragmentation module in Windows – This APT uses its own encrypted file system, which can be located, among other places, in an unused part of a hard drive. During defragmentation, the defrag tool relocates data on disk and can write to the sectors where Slingshot keeps its file system (because the operating system thinks these sectors are free). This would damage the encrypted file system. We suspect that Slingshot disables defragmentation of these specific areas of the hard drive in order to prevent this from happening.

Lesson Learned

Slingshot was a cyber-espionage APT that impacted both domestic users and businesses. The key takeaway is that routers should be upgraded to the latest software version as soon as possible to ensure protection against known vulnerabilities. Further, Mikrotik Winbox no longer downloads anything from the router to the user’s computer.

Use a proven corporate-grade security solution in combination with anti-targeted-attack technologies and threat intelligence, which are capable of spotting and catching advanced targeted attacks by analyzing network anomalies, and which give cybersecurity teams full visibility over the network and response automation.

Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack research and prevention, such as indicators of compromise (IOC).

Dec 2014 – German Steel Mill Cyber APT Attack

The initial capability used to infiltrate the facility’s corporate network was a phishing email. The BSI’s report described this attack vector as “an advanced social engineering” attack which multiple attackers used to gain access to the network. The adversaries then worked their way into the production (ICS) networks. From previous analysis of spear-phishing related incidents at ICS facilities, it is highly likely that the email contained a document such as a PDF that, when opened, executed malicious code on the computer. This malicious code would then have opened a network connection for the attacker(s) unbeknownst to the facility’s personnel.

Impact – Loss of Control for plant operators and possible malicious control leading to physical destruction. Given that blast furnaces contain molten metal heated to thousands of degrees, it was a dangerous situation. Fortunately, there were no reported injuries, and the only result was “massive damage” to the facility.

Lesson Learned from the German Steel Mill APT

There should have been a robust architecture, heavily regulated through the use of a demilitarized zone (DMZ) with specially tuned firewalls, focused monitoring, network security monitoring, incident response and security awareness.

Dec 2015 – Ukrainian Power Grid Cyber Attack by state-sponsored Hackers

An Advanced Persistent Threat attack that went undetected for six months was carried out on the Ukrainian power grid, resulting in a power outage lasting several hours.

Opportunities for Adversaries

The VPNs into the ICS from the business network appear to have lacked two-factor authentication. Additionally, the firewall allowed the adversary to remotely administer systems from outside the environment by utilizing a remote access capability native to those systems. In addition, based on media reporting, there did not appear to be any resident capability to continually monitor the ICS network and search for abnormalities and threats through active defence measures such as network security monitoring. These vulnerabilities would have provided the adversary the opportunity to persist within the environment for six months or more, to conduct reconnaissance on the environment, and subsequently to execute the attack.


Tactics, techniques and Procedures used

During the cyber intrusion stage of Delivery, Exploit, and Install, the malicious Office documents were delivered via email to individuals in the administrative or IT network of the electricity companies. When these documents were opened, a popup was displayed to users to encourage them to enable the macros in the document.


2020 – Global Health Crises and Persistent Threats

Several advanced persistent threat and nation-state actors have been targeting healthcare organizations and using COVID-19-themed lures in their phishing campaigns.


Microsoft warned Windows 10 users and businesses in the health sector because of fears that they would be targeted by persistent threats.


Windows 10 – How To Protect Yourself

Hackers will send malware files to users via spam, tricked browser downloads and more, and these files often look innocent thanks to Windows 10 hiding their extension. Hackers do this by giving their malware an innocent name and the icon of a legitimate program; for example, malware could be called “Scan_002_01” and use the Adobe Reader icon (the Windows 10 zip file icon is popular too). But if you could see the file extension, it would reveal that this is not a .pdf file but a .exe (executable) file which, when opened, installs malware on your computer and opens it up to multiple attacks, such as remote control of your system and ransomware.

To avoid being such an easy target, you need to change Windows 10 settings to enable the ability to view file extensions by default. Do the following: 

  • Windows 10 Start Menu > type ‘Folder Options’ > open ‘File Explorer Options’
  • Click ‘View tab’ > Advanced settings > Uncheck “Hide extensions for known file types”
  • Click ‘Apply’ > Click ‘Ok’
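The same setting can be applied from PowerShell, which is useful when it has to be rolled out to many machines, and the reason behind it (an executable hiding behind a document-looking name) can be audited directly. The following is an added example, not code from the article: it assumes the per-user registry value HideFileExt under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (1 = hide, 0 = show) is what the “Hide extensions for known file types” checkbox toggles, and the folder path used at the end is a constructed sample input. The audit goes slightly beyond the article by also reading each file’s first two bytes, so a PE image is flagged even when its name carries no second extension.

```powershell
# Added example, not from the article: the registry equivalent of the three-step
# Explorer procedure above, plus an audit that flags files whose name or contents
# contradict the extension Explorer would have hidden.
# Assumption: HKCU\...\Explorer\Advanced\HideFileExt is the per-user setting behind
# "Hide extensions for known file types" (1 = hide, 0 = show).

function Show-FileExtensions {
    # Flip the per-user Explorer setting. Explorer reads it at start-up, so restart it
    # for the change to become visible without signing out. Returns $true on success.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Process explorer.exe
    (Get-ItemProperty -Path $key -Name 'HideFileExt').HideFileExt -eq 0
}

function Find-DisguisedExecutables {
    # Walk a folder and report files that look like documents but are executables.
    param([Parameter(Mandatory)][string]$Path)
    $executable   = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse', '.vbs', '.hta')
    $documentLike = '\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|zip)$'

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $reasons = @()
        $ext  = $_.Extension.ToLowerInvariant()
        $stem = [IO.Path]::GetFileNameWithoutExtension($_.Name)

        # "Scan_002_01.pdf.exe": the real extension is executable and the visible stem
        # ends in a document extension, which is exactly what hidden extensions conceal.
        if ($executable -contains $ext -and $stem -match $documentLike) {
            $reasons += 'document-looking name with an executable extension'
        }

        # A PE image always starts with the bytes 'MZ' (0x4D 0x5A); if a "document"
        # does, the extension is lying about the content whatever the name looks like.
        if ($executable -notcontains $ext) {
            $stream = [IO.File]::OpenRead($_.FullName)
            try {
                $header = New-Object byte[] 2
                $read   = $stream.Read($header, 0, 2)
            } finally {
                $stream.Dispose()
            }
            if ($read -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A) {
                $reasons += 'PE (MZ) header behind a non-executable extension'
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Path = $_.FullName; Reason = ($reasons -join '; ') }
        }
    }
}

# Usage (constructed sample path): make extensions visible, then audit the usual drop zone.
Show-FileExtensions
Find-DisguisedExecutables -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Show-FileExtensions only changes the current user’s profile; for a fleet the same value is normally delivered through Group Policy preferences rather than run per machine. The audit reads only two bytes per file and never executes anything, so it is safe to point at a quarantine or download folder.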

Conclusion – All of the APT events above show that the insider threat, in the form of weak human elements, is present. To deal effectively with this problem, enterprises will need to respond to this “persistent” threat with a persistent, active and layered defense model that spans the entire attack surface of their organization. Know your attack surface (all the different points where an attacker can try to access data). Know your assets. Ensure your layered defenses are appropriately designed and up to date to best detect, resist and respond to Advanced Persistent Threats (APTs).


SANS Case studies –