The Nation State Hack-Attack

Mixed in among the spam, phishing messages and booby-trapped emails that land in your inbox might be the odd message crafted by hackers working for a government rather than a group of criminals.

Unfortunately, those messages are not odd in any other way. They look like every other net-borne threat. That is because the creators of these malicious programs usually exploit the same software vulnerabilities as mainstream malware, they can travel via the same hijacked PCs and they prey on the same human frailties that make the more typical stuff so successful.

Security companies have a hard time spotting them too, said Jordan Berry, a strategic intelligence analyst at security firm FireEye, not least because the samples of malware cooked up by hackers backed by nation-states are small in number.

And, he said, the methods they use to infiltrate targets vary widely. Sometimes nations will dedicate a lot of time, talent and money to creating malware to work on their behalf.

That was the case with Stuxnet - a worm created to sabotage Iran's nuclear programme. Analysis of its electronic innards shows it is a precision-guided weapon that probably took months to create. Stuxnet used four separate, previously unknown software vulnerabilities and only sprang into life when it found itself on a network with a very specific configuration.

Other similarly complex threats include Flame, Gauss, Regin and PlugX. But, said Mr. Berry, not every attack employs such finely crafted malware. "Sometimes they may not need to use the big guns," he said. "So they use something just to get the job done."

Whichever kind hits a company or a government's network, the question of who was behind it becomes easier to answer once the malware gets to work and its targets and objectives become visible.

"It's the context around it that's important," he said. "If it’s an attack on a Ministry of Foreign Affairs and there's not a lot of financial motivation behind it, then maybe it's a nation-state doing it."

Malware tour

In an attempt to get a better idea of just how sneaky nation-state malware can be, I asked Kevin O'Reilly from security firm Context IS to take me on a tour of the PlugX malware.

It was first discovered in mid-2012 and has been updated, altered and improved many times since then. It is believed to have been created by China and used in many campaigns against industrial targets in different nations as well as against dissident groups in Tibet and elsewhere, said Mr. O'Reilly.

China seems to operate a franchise model when it comes to nation-state attacks, he said. As far as Context and others who watch Chinese malware can tell, the state creates the software and then hands it over to a lot of other groups who actually use it on its behalf.

However, said Mr. O'Reilly, this was all conjecture as there was no direct evidence linking PlugX to China.

The modern version is pretty sneaky, he said, and uses several different techniques to infiltrate targets.

The email is key to the attack, he said. The hacker groups that use PlugX typically do a lot of preparation before sending out booby-trapped email messages. They target a select group of people at one firm and craft the message to make it more appealing to them.

"Often," he added, "the documents are repurposed from legitimate sources, and 'weaponised' by embedding the exploit and malware dropper within them."

One of the documents that PlugX travels in was, ironically, a report about human rights abuses in Tibet.

Remote Agent

Opening the document starts the infection. An exploit for a vulnerability in Windows software, embedded in the document, drops three files that together make up the malware. The sneaky part is the way two of them interact. One is a perfectly legitimate program which, as it starts, looks for a specific library file by name in order to run.

PlugX supplies that library itself, but modified so that it installs the actual malware. When Windows looks for a library, it searches the program's own directory before the system directories, so the modified copy dropped alongside the program is loaded rather than the genuine one buried elsewhere on the computer. The malicious code therefore runs inside a trusted program, which is what makes it hard to spot.
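The library shadowing described in the two paragraphs above, as an added example that is not code from the BBC article or from Context IS: a small Python model of the relevant part of the Windows DLL search order, and a hash-based check that flags a library sitting beside a program whose name collides with a system library but whose content differs. The directory layout, the file names (viewer.exe, helper.dll, payload.dat) and the byte contents are constructed placeholders built in a temporary directory, not PlugX's real artefacts, and "System32" here is only a stand-in for the real system directory.

```python
"""
Added example, not code from the BBC article or from Context IS: a model of the
Windows DLL search-order behaviour that PlugX-style side-loading relies on, plus
a check for the pattern. Everything is constructed in a temporary directory;
"System32" is a stand-in for the real system directory and the file names are
placeholders, not PlugX's.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def resolve_dll(app_dir: Path, system_dir: Path, dll_name: str) -> Optional[Path]:
    """Minimal model of the Windows DLL search order: the directory holding the
    executable is searched before the system directory, so a same-named DLL
    dropped next to the program shadows the genuine one. (Windows also consults
    already-loaded and "known" DLLs first; that step is omitted here.)"""
    for directory in (app_dir, system_dir):
        candidate = directory / dll_name
        if candidate.is_file():
            return candidate
    return None


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_shadowed_dlls(app_dir: Path, system_dir: Path) -> List[Dict[str, str]]:
    """Flag DLLs beside an executable that share a name with a system DLL but
    differ in content: the side-loading pattern described above. An identical
    copy is not flagged, and a DLL with no system namesake is not a shadowing case."""
    system_hashes = {p.name.lower(): sha256_of(p) for p in system_dir.glob("*.dll")}
    findings = []
    for dll in app_dir.glob("*.dll"):
        system_hash = system_hashes.get(dll.name.lower())
        if system_hash is None:
            continue
        local_hash = sha256_of(dll)
        if local_hash != system_hash:
            findings.append({"dll": dll.name, "app_sha256": local_hash,
                             "system_sha256": system_hash})
    return findings


def demo() -> Dict[str, object]:
    """Build the three-file layout from the article in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system_dir = root / "System32"
        app_dir = root / "Downloads" / "report"
        system_dir.mkdir()
        app_dir.mkdir(parents=True)

        # Constructed stand-ins: real files would be PE binaries, bytes suffice here.
        (system_dir / "helper.dll").write_bytes(b"genuine library code")
        (app_dir / "viewer.exe").write_bytes(b"legitimate program that imports helper.dll")
        (app_dir / "helper.dll").write_bytes(b"genuine library code + loader stub")
        (app_dir / "payload.dat").write_bytes(b"encrypted implant")

        loaded = resolve_dll(app_dir, system_dir, "helper.dll")
        findings = find_shadowed_dlls(app_dir, system_dir)

        # Control case: a clean install with no DLL beside the program.
        clean_dir = root / "Program Files" / "viewer"
        clean_dir.mkdir(parents=True)
        (clean_dir / "viewer.exe").write_bytes(b"legitimate program that imports helper.dll")
        clean_loaded = resolve_dll(clean_dir, system_dir, "helper.dll")

        return {
            "loaded_from": "app" if loaded is not None and loaded.parent == app_dir else "system",
            "findings": findings,
            "clean_loaded_from": "app" if clean_loaded is not None and clean_loaded.parent == clean_dir else "system",
            "clean_findings": find_shadowed_dlls(clean_dir, system_dir),
        }


if __name__ == "__main__":
    result = demo()
    print("shadowed program loads helper.dll from:", result["loaded_from"])
    for f in result["findings"]:
        print(f"side-load candidate: {f['dll']} differs from the system copy")
```

On a real host the same check would compare each DLL found beside a user-writable executable against the copy in the system directory, or against a known-good hash, and would need the "known DLLs" list and already-loaded modules that the model above deliberately leaves out.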

"Once it’s got a foothold it makes sure it will run automatically with Windows and it will then phone home and be told to do whatever its controllers want it to do," said Mr. O'Reilly. PlugX effectively gives attackers remote access to a computer on which it is installed.

"There's quite a lot of functionality built in," he said. "They might use the implant to get key logs or screen shots.

"It’s clear that it is doing different things to the run-of-the-mill malware that is looking to steal login credentials or credit card numbers.

"Ultimately," said Mr. O'Reilly, "this is controlled by a person. It does not do much by itself."

Context is one of a few firms that have investigated breaches brought about with PlugX and it has used network forensics to replay where the attackers went and what they did.

"In one attack the intrusion was caught by the anti-virus and we were able to watch them go to the logs and try to clean them," he said. "They knew exactly where to go. That's the level of sophistication you are up against."

Robert Hanssen worked at the FBI for 27 years but is believed to have passed information to the Russians for 22 years.

For veteran spy hunter Eric O'Neill, a former FBI agent who helped expose double agent Robert Hanssen, it should be no surprise that spies have gone digital. "In the old days spies had to sneak into buildings to steal documents," he said. "Nowadays they don't. Espionage and spies have evolved."

A successful cyber campaign run by a nation-state could liberate far more information than any double agent could dream of securing, he said. Attacks to steal data about people could well be carried out to give foreign powers a better idea of who was vulnerable and might be made to work for them.

"There are three main ways to recruit someone," he said. "Ideology, greed and blackmail."

Information in databases could give clues about medical conditions, debt or personal problems that might aid attempts to compromise an individual, he said. "You have to know who you are attacking and whether they are more likely to be swayed by ideology or greed or blackmail," he said.

"These types of attacks are not easy to do," said Mr. O'Neill who now works for security firm Carbon Black. "But companies are foolish if they think that because it's hard they are not being targeted."

"These are spies, not hackers," he said. "You need to stop the spies, the people who are targeting other human beings. They are not just throwing stuff out hoping it hits."

BBC
