As you read this, hackers all over the world are trying to break into computer systems of every description. Some hackers are good at what they do, with skills that rival those of security professionals. Some work alone, while others work in groups. Most look for weaknesses they can easily exploit, and they are opportunists: They move on to the next target if their first choice is heavily secured.
Those hackers are a chronic nuisance, but, with occasional exceptions, the damage they do is limited. Sites that make security a priority are rarely the victims of the casual hacker.
Consider a different scenario, however, one in which the hackers are true experts, with ample resources and plenty of time. They have the ability to deploy a variety of methods to get what they want, from social engineering to distributing sophisticated malware. They are not randomly surfing the Web in search of vulnerabilities. They have a single-minded focus on a specific target, and they are not easily discouraged, testing and studying that target until they find a way in.
This, in a nutshell, describes the Advanced Persistent Threat (APT), a type of attack that has been increasing over the last decade. Its name clearly describes its nature. Its operators have advanced skills, resources and options. It is persistent, with continuous, long-term focus on a specific target. It is a threat because it is ready, willing and able to do meaningful damage.
Given the level of organization and resources that APTs require, the term has come to be associated with governments. Large-scale organized crime may have the resources, but it lacks the persistence characteristic of an APT. That being said, targeted attacks themselves have been increasing. According to Symantec's annual "Internet Security Threat Report," last released in April 2012, attacks jumped 81 percent from 2010 to 2011. Perpetrators have diversified, targeting smaller companies and lower-level employees, presumably as a way to gain access to larger organizations and more senior staff.
Criminals want short-term results, however, and there is no inherent reason for them to single out one site instead of another. They go where the money is. An intelligence service has a very different agenda, and potential targets need to be aware that an APT is a different order of threat.
APT is not new, however. The first intrusions attributed to an APT occurred in 1998 and continued for two years before they were accidentally discovered. The attacks, dubbed "Moonlight Maze," targeted NASA, the U.S. Department of Energy and the Pentagon, and the attackers were reported to have accessed thousands of files, many of them containing military information.
The origin of Moonlight Maze was reportedly traced to Russia, but, unsurprisingly, the Russians denied all knowledge of the attacks.
Since then, attacks attributed to APTs have grown more frequent.
In 2006, two U.S. Congressmen discovered that their office networks had been attacked, exposing information about Chinese dissidents.
In 2007, a database in the network of Oak Ridge National Laboratory was compromised. In this case, the attackers relied on social engineering, sending fraudulent emails that staff treated as legitimate. A few days later, Los Alamos National Laboratory was targeted, and, in 2008, malicious code found its way into a U.S. military network, apparently introduced via a USB flash drive.
The Stuxnet worm, the clearest and most famous example of an APT, seems to have been aimed at networks and industrial control systems in Iran. Although no one has claimed responsibility for the attack, its sophistication and the apparent lack of a commercial motive make government involvement highly likely.
Since Stuxnet, APTs have appeared regularly, targeting governments, large corporations and the International Monetary Fund.
Identifying an attack as an APT is more a matter of deduction and of industry consensus than of hard and fast evidence, because a realistic assessment of the situation is complicated by the lack of reliable information. Perpetrators are naturally unwilling to come forward, and victims are not necessarily forthcoming either. Some victims may not even know they have been compromised. Others worry about tarnished reputations or damage to their share prices.
As a result, we can’t really be sure about the current state of security. We can be quite certain, though, that APTs are there now and that they will be there for as long as we rely on networks and computers to manage our critical business.
About the Author
Megan Horner is the Marketing Coordinator for TrainACE. TrainACE is a cyber security training company that creates advanced security courses such as its Advanced Persistent Threat class, Cyber War.