As hackers have become more organized, the impact of their cyber activities has magnified. Low-level cybercrime – credit card theft etc – remains an issue, but attentions are shifting towards larger prizes.

We are now witnessing a serious uptick in Advanced Persistent Threat (APT) activity. These long-term, mixed-technique breaches give organized hacker groups vast amounts of virtual power to not only steal but significantly disrupt business and the wider economy.

We are also seeing the rise of the APT group: organized teams of highly skilled operators and developers capable of engineering sophisticated, large-scale digital attacks. Not all of them are on the open market. Groups such as Cozy Bear, Sofacy and Turla are widely attributed to Russian intelligence services rather than to freelance crews, but other teams do sell their capabilities to anyone with enough money, and the line between contractor and state unit is often blurred.

The war online

Every established state now maintains a cyber army of sorts, tasked with defending national resources, and these units are also equipped to attack where their governments consider it appropriate.

The use of state forces in cyberwarfare is rarely obvious. The ongoing conflict between Russia and Ukraine over Crimea and eastern Ukraine is one of the few examples where two countries can be seen openly at digital war.

But in the same way that armies often made use of mercenary forces to acquire new skills, knowledge and manpower, governments are looking to third parties to assist with their online offensives. Often this means forming alliances with APT groups, particularly for activities that may breach the Geneva Convention. Other times they may call upon known hackers who have been given immunity in return for future assistance. They may even hire freelancers via legitimate umbrella companies to help develop ransomware/malware.

These alliances have given rise to “state-sponsored hacking”: activities that destabilize nations, their economies and their infrastructure for the benefit of their enemies. The 2017 NotPetya outbreak is a prime example of state-sponsored economic disruption; it has since been publicly attributed to the Russian military by the US and UK governments, among others.

APT groups and the MeDoc breach

NotPetya proved devastating to the Ukrainian economy, taking several banks and key infrastructure assets offline. At the heart of the outbreak was MeDoc (M.E.Doc), Ukraine’s most widely used accounting package, and the update infrastructure of the company that develops it.

Forensic analysis (notably by ESET and Cisco Talos) found that the attackers gained access to the vendor’s network and update server and spent several months studying the product. Rather than a one-off trojanized installer, they inserted a backdoor into one of the application’s own modules and shipped it to customers inside at least three legitimate product updates. That backdoor was then used to push NotPetya, a destructive wiper dressed up as ransomware, through the same trusted update channel.

The operation would have taken a multidisciplinary team of skilled developers months to plan and coordinate, probing defensive weaknesses and insecure code, all without being detected until long after the payload had been deployed to client computers via the MeDoc update system.

Putting together an attack like NotPetya would have been very expensive. But given the effect on the Ukrainian economy, the investment would have been considered worthwhile.

Destabilizing the world’s most powerful nation

Russia is the most frequently named player on the cyberwarfare stage. Investigations into the 2016 US Presidential Election continue to unearth evidence of state-backed interference, and the US intelligence community’s January 2017 assessment concluded that the campaign was intended to help Donald Trump and the Republican Party.

The APT group Cozy Bear, attributed to Russian intelligence, is known to have penetrated the Democratic National Committee’s (DNC) network and stolen internal email and opposition research, with a second Russian group entering the network separately. The attackers appear to have used spear-phishing email to get a foothold on a staff machine and then moved laterally to compromise the network from the inside out - a classic APT manoeuvre.

The FBI investigation suggests that Russian hackers had been accessing the DNC network for over a year before security was finally tightened, locking them out.

Business is war

It’s not just nations engaging in activities to destabilize economies, however. APT groups are “guns for hire”, available to anyone with enough money.

The massive economic effects of a NotPetya scenario could also be harnessed to generate profit, by devaluing a specific currency for instance. Knowing in advance that a currency will fall lets the attacker, or their client, take a position against it - and pocket a sizable return in the process.

APT attacks are not aimed purely at bank accounts, however. The increasing value of information means that attackers now target data stores themselves. With access to sensitive information, criminals can assess corporate strategy and performance and trade shares on it - a modern take on insider trading. Alternatively, those insights can be sold to competitors and third parties, allowing them to manipulate share prices, steal IP or take market share.

Virtually every large business is a potential target for an economy-destabilizing APT attack.

Internal code review is crucial

APT attacks rely on a number of different vectors for success, which means that protecting your business against them is a multidisciplinary effort. Many organizations focus on perimeter defense, and rightly so, but perimeter controls do nothing against malicious code that arrives through a channel you already trust.

As the MeDoc incident showed, a vendor’s own code and update channel can be weaponized against its customers in a supply chain attack: customers installed the backdoored updates precisely because they came from the legitimate source. MeDoc’s software development life cycle had grown organically over time, leaving gaps in security planning and implementation that the attackers exploited.

To avoid similar problems your business needs to implement a secure software development life cycle (SSDLC). By integrating security at every stage of the development process you reduce the chance of an APT payload entering your supply chain. Code reviews are an important part of that, helping to identify loopholes, bugs and malicious code before anything rolls out to your production environment - or to your customers. Review alone is not enough, though, when an attacker can modify code or binaries after the review has happened, as at MeDoc. The release pipeline also has to guarantee that what customers receive is what was reviewed: build only from reviewed sources, sign release artifacts with keys that are never stored on the update servers, and have clients verify that signature before they install anything.
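The following Go program is an added illustration of that last point, not MeDoc’s code or anything from Advantio. It assumes a vendor that signs a manifest of release file hashes with an Ed25519 key kept offline, and a client that pins the matching public key; the file names, contents and the “backdoored module” are constructed for the example. It shows that an attacker who controls only the update server can swap a file but cannot get the client to accept it, even if they rebuild and re-sign the manifest with a key of their own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every file in a release with its SHA-256 digest. It is
// signed with a release key that never touches the update server, so a
// server compromise lets an attacker swap files but not re-sign them.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // relative path -> hex SHA-256
}

// SignedManifest is the object the update server actually serves.
type SignedManifest struct {
	Manifest  []byte `json:"manifest"`
	Signature []byte `json:"signature"`
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the offline release step: hash every artifact and sign the
// encoded manifest. json.Marshal emits map keys sorted, so the signed bytes
// are deterministic for a given file set.
func BuildManifest(version string, files map[string][]byte, priv ed25519.PrivateKey) (SignedManifest, error) {
	m := Manifest{Version: version, Files: make(map[string]string, len(files))}
	for path, body := range files {
		m.Files[path] = digest(body)
	}
	enc, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: enc, Signature: ed25519.Sign(priv, enc)}, nil
}

// VerifyRelease is the client-side check run before anything is installed:
// the manifest must verify against the pinned key, and the downloaded file
// set must match it exactly (no altered, extra or missing files).
func VerifyRelease(pub ed25519.PublicKey, sm SignedManifest, files map[string][]byte) error {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return errors.New("manifest signature does not verify against pinned release key")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return fmt.Errorf("manifest unreadable: %w", err)
	}
	if len(m.Files) != len(files) {
		return fmt.Errorf("manifest lists %d files, download has %d", len(m.Files), len(files))
	}
	for path, want := range m.Files {
		body, ok := files[path]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but not downloaded", path)
		}
		if got := digest(body); got != want {
			return fmt.Errorf("%s: digest %s, manifest expects %s", path, got, want)
		}
	}
	return nil
}

// Demo runs three constructed scenarios and returns each outcome: a clean
// release; a release where the update server was used to swap in a
// backdoored module; and one where the attacker also re-signed the manifest
// with their own key. File names and contents are made up for the example.
func Demo() (cleanOK bool, tamperedErr error, resignedErr error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	release := map[string][]byte{
		"app.exe":     []byte("legitimate application binary v1.2"),
		"reports.dll": []byte("legitimate reporting module v1.2"),
	}
	signed, _ := BuildManifest("1.2", release, vendorPriv)
	cleanOK = VerifyRelease(vendorPub, signed, release) == nil

	// Attacker controls the update server and replaces one module.
	tampered := map[string][]byte{
		"app.exe":     release["app.exe"],
		"reports.dll": []byte("reporting module v1.2 + backdoor"),
	}
	tamperedErr = VerifyRelease(vendorPub, signed, tampered)

	// Attacker rebuilds the manifest for the tampered files and signs it with
	// a key they generated; the client's pinned vendor key still rejects it.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	resigned, _ := BuildManifest("1.2", tampered, attackerPriv)
	resignedErr = VerifyRelease(vendorPub, resigned, tampered)
	return
}

func main() {
	ok, tamperedErr, resignedErr := Demo()
	fmt.Println("clean release verifies:", ok)
	fmt.Println("swapped module:", tamperedErr)
	fmt.Println("attacker-signed manifest:", resignedErr)
}
```

The check only helps if the private key really is kept off the update servers and the public key is baked into the client rather than fetched from the same server as the update; an attacker who can replace both the manifest and the trust anchor is back in the MeDoc position.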

To learn more about APT threats and how to manage and prevent them with SSDLC, please get in touch.


Written by Serhii Puzyrko

I am Advantio’s Penetration Tester, experienced in the PTES, OWASP, NIST and OSSTMM testing methods, and I also bring to the table strong proficiency in Burp Suite, the Metasploit Framework, vulnerability scanners and many other tools.

Aside from work I am into researching and analyzing cyber attacks against different infrastructures, so expect to see articles related to that topic.