Advanced Persistent Threat (APT) attacks have become a hot topic in the information security community, especially since the revelation by Google in December 2009 that it had been the victim of a targeted attack originating from China. This incident was partly responsible for Google’s decision to withdraw from China and sparked a major diplomatic row between the US and Chinese governments.
Historically in information security, the most notorious instances of hacker activity tended to be computer worms and viruses that had mass infection capabilities, such as Code Red (2001), SQL Slammer (2003), and MyDoom (2004). When new worms or viruses with mass infection capabilities appear, the information security community can quickly deal with them using a variety of different monitoring and defence mechanisms.
As a result, such attacks have become rare in recent years. A new generation of malware developer has emerged, motivated not by a juvenile or anarchic desire to cause trouble, but by a desire to steal data or intellectual property for business, financial, or political reasons. These people develop malware that is very difficult for users to detect and is designed to focus on very specific targets. One of the best-known examples is the case of Michael Haephrati, who was jailed in 2006 for his part in developing malware that was used by up to 80 Israeli companies to spy on their rivals.
APT attacks take targeting to a new level. They are generally very sophisticated, often exploiting zero-day vulnerabilities in operating systems, application software, and web browsers. APT attacks focus on individual systems and generally require a large degree of hands-on human effort, whereas viruses and worms target systems indiscriminately and tend to spread automatically. The APT attack on Google is believed to have exploited a zero-day vulnerability in Internet Explorer, enabling the attackers to steal intellectual property and access the Gmail accounts of human rights activists. It also targeted up to 30 other companies, including Adobe, Dow Chemical, Juniper Networks, Northrop Grumman, Symantec and Yahoo.
The information security community has long been aware of the possibility of APT attacks, but recent events have shown that the likelihood of them occurring has increased. To defend against these attacks, we must increase our investment in protecting our digital assets and redouble our efforts to educate the user base about the inherent dangers of the web. We also must assume that some day our organisations will fall victim to an APT attack and ensure that we have adequate monitoring capabilities in place so that we can retrace the steps of the attacker.
Author: Mark McDonagh, NetFort