Advanced Persistent Threats

When we think of malware, we think of computer viruses that make our machine run slower, or a trojan that allows hackers access to our files, or perhaps the dreaded Blue Screen of Death…

But the world today is rife with threats that have the power to topple entire organizations, whether through ransom, deletion of data, dissemination of insider knowledge, or even destruction of physical equipment.

As illustrated in our other article[1], Advanced Persistent Threats (APTs) are some of the most sinister and insidious threats to be unleashed on unwitting targets. The attacks are well-crafted orchestrations that could take months to execute, and generally fly under the radar, inflicting their silent damage slowly but surely.

Here, we mention some of the more noteworthy examples of APT attacks from around the world, and show just what kind of impact they had. We take a look at the attacks on Sony Pictures, JPMorgan Chase, Iranian Natanz Nuclear Facility, Target, QNB, and the Australian shire of Maroochy[2], in non-chronological order.

These are mostly older attacks that we’re sure you’ve heard of or analyzed before, but they remain relevant today because, while the machines are getting better, the human, the weakest link in the security chain, is still as fallible as ever. Some of the details of these cases also surfaced only several years later, which makes a retrospective look a bit more revealing.

We hope that remembering the effects of these attacks will help businesses and employees adopt a more security-conscious mindset.

Sony Pictures Attack, 2014

Sony Pictures Entertainment needs no introduction. They are the film studio responsible for the Spiderman movie series, the Angry Birds movies, Dan Brown’s Robert Langdon series of movies, and James Bond’s Skyfall, just to name a few. It is a company whose revenues averaged around $9 billion over the past 3 years (ending March 2020).

A business like that builds mountains of anticipation before the release of its productions. A leak could cause that anticipation to fizzle as it gives away details that might deter people from going to the movie or buying it, which would ultimately cause a loss in revenues.

This is what happened in November 2014, when, according to Wired, 100 terabytes of data were stolen from Sony’s servers and started appearing on the internet.

The released data included four complete unreleased movies and a script for an unreleased pilot by Vince Gilligan, the creator of the series Breaking Bad. The files also contained personal and business information of Sony employees like names, birth dates, social security numbers, salaries, bonuses, and login credentials, as well as other company information like a list of the company’s servers and databases around the world, info about the company’s network architecture, and the content of internal emails.

It wasn’t clear how the systems were infiltrated, but experts say it likely occurred through email phishing scams or vulnerabilities in the website that could allow access to the backend.

The group responsible claimed to have been lurking in the system for a year extracting the data, before allowing discovery by showing a threatening message on employees’ computers, then shutting them down!

What were the consequences of Sony Pictures’ data breach?

Sony Pictures had to shut down its entire infrastructure after discovering the hack. Though Sony never admitted it, analysts said that the malware conducted a wipe of the computers that made retrieving the lost data extremely expensive, if not impossible.
Sony’s salaries and bonuses were also made public, as well as severance payments made to ex-employees, which puts any company at a disadvantage when recruiting and could break the brand’s image.

The leaked emails contained negative remarks made by Sony executives about notable persons, such as Barack Obama and Angelina Jolie, which resulted in apologies and may have been the reasons for Sony Pictures’ co-chair Amy Pascal tendering her resignation.

Sony Pictures’ computers were down for at least six days following the attack, with employees having to do their work using pen and paper and whiteboards; they even started using fax machines.

Needless to say, in addition to the massive losses in potential revenues Sony’s business continuity took a nosedive after the attack.

JP Morgan Chase & Co. Attack, 2014

One of the biggest breaches in history took place in the behemoth financial institution JPMorgan Chase & Co (JPM), an American multinational investment bank and financial services holding company.

The firm was founded over 220 years ago, only 20 years after the independence of the United States from Britain, and its founders included some of the founders of the country itself. Today, it stands as a consolidation of more than 1200 institutions, which have amalgamated into it over the years, and is one of the largest financial institutions in the US and the world.

The year 2014 witnessed the theft and divulgence of card data for more than 83 million customers of JPM including their names, addresses, emails, and phone numbers. Though the obtained data might seem more innocuous than other breaches, such information can be used by malicious parties in identity fraud.

The first overt activities of the attack were documented in April 2014, but Gartner financial services cybersecurity analyst Avivah Litan stated that “they have probably been in there for years, and there have probably been multiple actors, ranging from financial hackers to state-sponsored cyberspies.”

The attack wasn’t discovered until five months later, in August.

JPMorgan Chase & Co. CEO, Jamie Dimon, had stated that the firm will increase its spending on cybersecurity to $250 million per year, and that they will employ 1000 resources to handle it.

Two years after, in 2016, the attackers were identified as Russian national Andrei Tyurin, Israelis Gery Shalon and Ziv Orenstein, and US-born Russian resident Joshua Samuel Aaron. They were extradited to face the consequences of their crimes.

What were the consequences of the JPMorgan Chase & Co. Hack?

As stated above, the data extracted could have been used to commit identity fraud, where the attackers can assume the identities of the victims whose data they possessed.

Some of the victims were even contacted by the attackers, who were posing as financial analysts from the firm, and offered financial advice and stock recommendations. The perpetrators convinced victims to buy or sell certain stocks, which predictably affected their prices, allowing the attackers to buy low and sell high. Prosecutors claimed that the attackers generated $2 million from these schemes.

The Iranian Nuclear Facility Attack, 2010

In 2010, the Iranian nuclear facility at Natanz was reported to have been the target of a cyber attack, which was estimated to have infected 200,000 computers and caused damage to nearly 1000 centrifuges used in the enrichment of Uranium, about one fifth of the centrifuges at the facility.

The malware was named “Stuxnet”, which was part of a random text string found in its code.

It wasn’t really known at first how or where Stuxnet originated but the Obama administration confirmed two years later that it was a joint attack from the US National Security Agency (NSA) and the Israeli Unit 8200 (a secretive cyber unit).

In order to remain undetected, Stuxnet disabled alerts to operators in the control center; whenever anybody looked at the monitors, they would see that all was normal. It employed another incredibly devious tactic to run under the radar: it didn’t replace the original code, but saved it somewhere. When diagnostics were run to investigate the suspiciously premature breakdown of the centrifuges, it presented the original code so that it was virtually undetectable.

The malware was reported to have entered the Natanz facility through an employee’s USB flash drive that was inserted into one of the computers at the plant.

What were the consequences of Stuxnet?

People at the facility were at a complete loss. Top management were losing centrifuges, money, and time, but the engineers were not finding any reason whatsoever for that in the control reports or diagnostics. So much so, that they even started having technicians sit in front of the centrifuges to manually control rotor speeds. This was increasingly strenuous and stressful work, whose cause had remained unfathomable. People were getting frustrated, angry, hopeless, and desperate.

One security and control expert even postulated that this psychological drain was the actual target of the attacks.

Iran had to replace the deteriorating centrifuges, which aren’t cheap, meaning that the operation was running over budget and had to slow down until they could discover the cause of these failures.

Stuxnet is reported to have set the Iranian nuclear program back several years.

It was alleged that the malware was deployed in 2007, afflicting the facility from its inception and inflicting its damage over the 3 years until it was discovered in 2010.

Target Attack, 2013

It might not seem that a supermarket or a retail store is a likely target for a cyber attack, but when we consider the number of credit cards used at stores and the possibility of hacking points-of-sale, databases, or online stores, the link becomes clear.

Target is the 3rd largest retail chain in the USA based on revenue. With more than 1800 stores across the country, it ranked 37 on the Fortune 500 list in 2020.

In 2013, 40 million customer payment cards were compromised from Target stores across the country. Data included names, card numbers, expiry date, and security codes: basically everything an attacker might need to carry out transactions with the cards.

The attack took place during the 19 days of the US Holiday season, a period of immense buying activity for consumers.

The hackers hitched a ride onto the devices of an HVAC vendor that visited many of Target’s locations and hooked up with their network, thus gaining access to the more secure network through the less protected one.

Technically, this attack might not fall under the umbrella of APTs, because it wasn’t really “persistent”: the breach took place over 19 days. However, it made up for its lack of persistence with a lot of “advanced”: getting in and out of the system and extracting that much data in a very short time during peak operations is no small feat.

And this wasn’t the first time! In 2007, Target had suffered another breach where attackers stole data of over 90 million cards over a period of 18 months. That one was quite persistent.

What were the effects of the Target hack?

A surge in fraudulent transactions followed the attack, with the cards having the common factor of being previously used at Target.

Target was already suffering that year, and customers were furious that their cards were compromised. More than 90 lawsuits, including class actions, were filed against Target following the breach, with liabilities running up to $3.6 billion. Profits were almost halved that year and Target’s share price plummeted by 11%.

QNB Attack, 2016

Qatar National Bank is the largest bank in its home country and the 2nd largest bank in the Middle East and Africa in terms of assets. It employs more than 15000 employees in over 640 locations across 27 different countries, serving upwards of 21 million customers.

Banks, of course, are known for their security measures. And for good reason: when access to money on the order of billions or trillions is at stake, banks become obvious targets, having to swat away hundreds, if not thousands, of attacks per day.

On May 1, 2016, officials of the Qatar National Bank (QNB) announced that they had been the target of a cyber attack. The breach came in the form of 1.4 GB of data posted to a whistleblower site 5 days prior, containing passwords, PINs, and payment card data for almost 1 million customers, including expiration dates and credit limits, as well as cardholder details such as national ID numbers, password reset questions, and social media profile links. Among the released data were banking documents containing admin-level account credentials and sensitive information on the bank’s retail business and banking application.

The breach also contained more unusual data like information on the Qatari royal family Al-Thani, the Qatari news channel Al-Jazeera, and information on several intelligence agencies, Qatari and otherwise.

What were the effects of the QNB breach?

Bank officials claimed that there was no financial loss, neither for the bank nor for customers, and that the attack seemed to be aimed at the bank’s reputation rather than at financial gain. The bank had one-time passwords and phone confirmations in place, so the data could not be used for fraud.

Whether or not bank officials were downplaying the damage, if it was true that there was no financial loss, then that just proves how a powerful security strategy put in place BEFORE an attack can prevent what would otherwise be a catastrophe of epic proportions.

Maroochy Shire Attack, 2000

Our final destination is the shire of Maroochy in Queensland, Australia. It is clearly a beautiful place for a vacation or lovely day out; but not exactly the most obvious site for a cyber attack.

This scenic rural haven maintains its allure by NOT pumping its sewage into the river, obviously. It uses 142 pumps scattered across the area to move up to 34 million liters of sewage every day through its local sewage system. This network is managed by a SCADA (Supervisory Control And Data Acquisition) system: a computer linked to sensors that measure parameters and effect a response to those measurements. In this case the sensors measured the level of sewage and turned the pumps on or off to prevent the sewage network from overflowing.

In the Spring of 2000, green slime could be seen floating over the water in Maroochy Shire, and vast park areas were flooded with foul-smelling filth. Countless fish and wildlife were dead, nature reserves were ruined, the water turned black, and the locals had to endure the horrible stench for weeks. A veritable human disaster.

The sewage system had pumped hundreds of thousands of gallons of sewage out into the shire. One of the site’s engineers discovered it to be the result of a cyber attack.

It turned out that a disgruntled ex-employee of the site had wanted revenge on the shire’s Council for refusing to employ him. He hacked into the SCADA system’s radio communications, declaring his device’s identity as one of the pumps, and sent orders through the network that stopped some of the pumps and prevented alarms from sounding as the sewage levels rose, until the system overflowed.

The attack was a long time ago, it wasn’t exactly an attack on a business, and it isn’t technically an APT. But it became a case in point for the IT security industry, as it revealed, maybe for the first time, the possibility of inflicting physical damage through cyber attacks.

This type of attack laid the groundwork for attacks such as Stuxnet.

And while there was apparently no human error here, the mistake came far earlier, when the structure itself was not built with security in mind, which enabled the attack.
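The common thread between the Stuxnet monitors that showed “all normal” and the Maroochy radio messages that claimed a pump’s identity is that the control system trusted what it was told. The following is an added example, not code from the original article or from any of the systems it describes, showing the defender-side plausibility checks a SCADA monitor could apply: it cross-checks who a radio frame physically came from against the identity it claims, and cross-checks reported levels against an independent sensor. The station names, radio addresses, frame format and sample traffic are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    t: int            # seconds since start of capture
    src: str          # radio address the frame physically arrived from
    claimed_id: str   # station identity the frame claims to carry
    kind: str         # "cmd" (master -> station) or "status" (station -> master)
    payload: dict

# Assumed inventory: the one radio address each station may transmit from.
REGISTRY = {"MASTER": "RADIO-00", "PUMP-14": "RADIO-0A", "PUMP-15": "RADIO-0B"}

def check_frames(frames, independent_level, level_tol=0.3, rise_tol=0.5):
    """Return a list of (t, rule, station, detail) alerts."""
    alerts = []
    last_off = {}   # station -> independent level at the moment it was commanded OFF
    for f in frames:
        # Rule 1: a frame claiming an identity must come from that identity's radio.
        if REGISTRY.get(f.claimed_id) != f.src:
            alerts.append((f.t, "identity_spoof", f.claimed_id, f.src))
        if f.kind == "cmd":
            target = f.payload["target"]
            if f.payload["pump"] == "OFF":
                last_off[target] = independent_level[f.t]
            else:
                last_off.pop(target, None)
        else:
            indep = independent_level[f.t]
            # Rule 2: the reported level must agree with the trusted independent sensor.
            if abs(f.payload["level"] - indep) > level_tol:
                alerts.append((f.t, "telemetry_mismatch", f.claimed_id,
                               round(indep - f.payload["level"], 2)))
            # Rule 3: pump OFF, wet well rising, yet the station reports no alarm.
            if f.claimed_id in last_off and f.payload["alarm"] == "normal":
                rise = indep - last_off[f.claimed_id]
                if rise > rise_tol:
                    alerts.append((f.t, "suppressed_alarm", f.claimed_id, round(rise, 2)))
    return alerts

# Constructed sample: one legitimate status report, then a rogue radio (RADIO-7F)
# that pretends to be the master, stops PUMP-14, then pretends to be PUMP-14 and
# keeps reporting a calm, alarm-free station while the real level climbs.
INDEPENDENT_LEVEL = {0: 1.0, 60: 1.1, 120: 1.9, 180: 2.7}   # metres, trusted sensor
FRAMES = [
    Frame(0,   "RADIO-0A", "PUMP-14", "status", {"level": 1.0, "alarm": "normal"}),
    Frame(60,  "RADIO-7F", "MASTER",  "cmd",    {"target": "PUMP-14", "pump": "OFF"}),
    Frame(120, "RADIO-7F", "PUMP-14", "status", {"level": 1.0, "alarm": "normal"}),
    Frame(180, "RADIO-7F", "PUMP-14", "status", {"level": 1.0, "alarm": "normal"}),
]

def demo():
    return check_frames(FRAMES, INDEPENDENT_LEVEL)
```

Running `demo()` raises no alert for the legitimate frame at t=0 and seven alerts for the rogue traffic; the independent sensor is what makes rules 2 and 3 possible, which is exactly the kind of cross-check a compromised control view cannot suppress.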

What do these vicious cyber attacks have to do with my business?

Hopefully, nothing.

But the malware programs circulating in the world are of superb sophistication. And while your business might not be the direct target, you could find your IT systems in the crosshairs of an attack as collateral damage or as a stepping stone to a bigger partner. And as illustrated by the Maroochy attack, even if you run a physical system or a manufacturing plant, as long as there is an internal network, you could find yourself attacked by someone with a personal vendetta, such as an ex-employee, a business rival, a disgruntled supplier, an unhappy client, or even an ex-spouse! In today’s toxic world, you never know whose toes you might have stepped on.

Threats nowadays are even being disguised as legitimate-looking Windows updates. It is of crucial importance that you have someone in your corner who is capable of identifying such threats and defending you against them. It’s also important that ALL of your users, not just IT engineers, are trained on these issues, so that you can keep your business, your systems, and even your private life safe from unauthorized access and malicious activity, especially the kind that occurs due to human error. An office boy with a flash drive can be a back door into your system.

It’s a war zone out there. Stay safe.