The Five Most Impactful APT Attack Vectors You Need to Know About
The Five Most Impactful APT Attack Vectors You Need to Know About
The last year has taught us that the trend of connectivity isn’t slowing down – in fact, increased digital dependency will continue in the wake of COVID-19, thrusting us into a new normal where remote connectivity is more deeply integrated into our daily lives than ever before. Post-COVID, we will not only be surrounded by more connected devices, but these devices will also feature higher levels of functionality that demand more sophisticated security precautions. Due to the pandemic and rapid technological change, we are becoming even more dependent on the IoT in critical infrastructures (e.g., smart meters, sensors, actuators, and industrial controllers). As this happens, governments and critical infrastructure operators are also adopting IoT technologies. This creates a growing arena for increasingly sophisticated cyber-attacks.
Though not a new category of attack, Advanced Persistent Threat attacks (APTs) are one of the biggest cyber threats today, especially to the IoT, as more devices become connected. An APT is when an unauthorized user gains a persistent presence in a system or device, and because the attack is permanent in the device, a simple restart will not necessarily rid the device of it. This persistency allows an attacker to cause more damage over a longer period of time.
There are several components of an APT attack and the general process it follows. After first planning for who, how, or why the attack is going to happen and then building or acquiring the attack tool, the next step is delivering it to the infiltrated device. This can be done remotely, locally, or even during the manufacturing of the device itself. Finally, there is the deployment, wherein the malicious payload is looking for the location in which to become persistent, i.e., to be saved or deployed in the Flash / Non-Volatile Memory in order to survive a restart or power loss. These attacks can be carried out through different vectors: by outsiders or hackers, by insiders, which are often deceived technicians or disgruntled employees, or through the supply chain (i.e., deceived contractor), where malware is injected directly into a device during manufacturing or delivery.
As mentioned, there are many ways in which APT attacks typically manifest themselves. This includes fraud and theft, ransomware, state-level attacks to critical infrastructure, personal data theft, and Distributed Denial of Service (DDoS). These five core APT attack outcomes categories each bring their own challenges, so it is important for security professionals to be well versed in the ways they can appear.
Fraud & Theft
Leveraging APTs for the purpose of fraud and theft is a growing issue. In some cases, an APT uses its persistency stealthily to directly influence the performance of the affected device for fraudulent activities. One example was at the Bank of Valetta in Malta, which accounts for almost half of the country’s banking transactions. Hackers planted malware on the bank’s internal servers, successfully transferring €13 million directly from bank customer accounts. The breach wasn’t detected until the next day when a daily reconcile spotted the number of unauthorized transactions. This example illustrates the scale at which malware can operate when undetected, especially against financial institutions like banks.
Ransomware has similar goals and vectors as other attack types listed here and continues to grow in popularity. CSO Online defines it most simply: “Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment.”
Ransomware is often thought of as only impacting personal computers or devices, but it can also be used to attack organizations like medical facilities, government agencies, or critical infrastructures, where sensitive data is housed and requires immediate access to files. The healthcare industry is especially vulnerable to attack. In September 2020, a ransomware attack hit 250 U.S. facilities of the hospital chain Universal Health Services, rendering their computer systems useless. The conditions as a result of the attack were described as “chaotic” and had an immediate impact on the chain’s operations and patient care. That same month in Dusseldorf, Germany, the first known fatality related to ransomware occurred when an IT system failure forced a critically ill patient to be routed to a hospital in another city.
State Level Attacks
State-backed attacks on critical infrastructure are on the rise. In 2018, it was announced that the U.S. electric grid, among other critical infrastructures, had been targeted and attacked by Russian government hackers going back as far as 2016. Hackers intentionally tried to gain access to power plants and other networks and set up admin accounts with permission to make changes to the system. They then intended to use these accounts to install malware in the network.
Smart meters and appliances that are serviced by electrical or water management companies are also exposed to attack. In a recent example from India, a malicious insider attack on smart meters installed by Energy Efficiency Services Limited (EESL) left 160,000 homes without power – the largest breach of its kind in India’s history. Future attacks like this are inevitable due to the value of the data contained on meters, which can contain private information about users’ habits, their activity at home, whether or not they’re on vacation, or other important information that could be exploited.
Personal Data Theft
APTs used for the purpose of obtaining personal data are among the most well-known cyberthreats. The growing IoT and newly connected categories of devices mean that this threat will only continue to rise and offer new vessels of personal information for attackers to extract from. The increase in the adoption of smart home devices is one example of our growing collective vulnerability. In 2019, a hacker demonstrated how to access a LIFX mini white smart lightbulb in under an hour, gaining the owner’s Wi-Fi login and password credentials.
Distributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable to users by flooding it with traffic from multiple services. These attacks are becoming increasingly common and complicated with the growing reliance on digital services and connected devices. According to an article from ZDNet, “One of the reasons that DDoS attacks have become cheaper and easier to carry out is because of the proliferation of IoT devices. Large numbers of IoT products come with default usernames and passwords that aren’t reset, meaning it’s easy for hackers to take control of them.”
The Mirai IoT Botnet attack is one of the most well-known examples of a DDoS attack. In 2016, the Mirai botnet was a series of attacks that scanned big blocks of the internet for open Telnet ports and then attempted to log in using a series of default passwords, amassing an “army of compromised closed-circuit TV cameras and routers, ready to do its bidding.” The attack rendered most of the U.S. East Coast internet service useless.
APT attacks will only continue to increase in number and sophistication. I believe that the most effective cyber-solutions providers will be those that work to detect and prevent APT attacks at the flash level, and prevent attack persistency, enable quick recovery, and collect forensic data for advanced analytics. This information can then be leveraged by an organization’s security operations center (SOC) to continuously enrich and improve defenses and stay ahead of new attacks.
About Author: Yanir Laubshtein
Yanir Laubshtein is VP, Cyber Solutions, at NanoLock Security, where he brings over 20 years of experience working in the cybersecurity industry in various roles both for the government and private sectors, including his most recent at PwC’s Cybersecurity & Privacy Impact Center. There he served as the OT/ICS Security Lead in the company’s ICS/OT Centre of excellence, guiding the ICS/OT service offerings of the center to enable and support governments and organizations with protecting their critical infrastructures. Prior to joining PwC, Yanir led two strategic government projects in Israel, managing the Cybersecurity Operations on behalf of the Ministry of Energy and the Water & Sewage Authority and subsequently designing and managing the development of Israel’s National C-SOC for Critical Infrastructures.
Earlier in his career, Yanir served for over 10 years in a range of Israeli Government Security positions, both in the defensive and the offensive cyber arenas.