Phantom menace? A guide to APTs – and why most of us have little to fear from these ‘cyberweapons’

APTs - or Advanced Persistent Threats - are the most menacing cyber attack there is, some say. Built to be stealthy, they penetrate networks, steal secrets - and vanish. 'Catching' one was a little like finding Bigfoot - but the much-hyped threat wasn't quite so scary up close...


“If you work for a government or large institution I’m pretty sure you are being targeted by an APT right now,” says ESET malware researcher Oliver Bilodeau. “But if you work for a restaurant, you shouldn’t worry.”

APTs – or Advanced Persistent Threats – are the most menacing cyber attack there is, some say. Orchestrated by teams of hundreds of experts, they penetrate systems so deeply that they can remain for years, stealing secrets by the terabyte.

Most people, though, have not even heard of them, admits Bilodeau. “Normal people are not a target – unless you are working for governments or big corporations you won’t be,” he says.

Naturally, APTs are so stealthy as to be almost invisible – which means that actually capturing one “in the wild”, is a little like a zoologist finding Bigfoot alive. Oliver Bilodeau’s team did – and were rather surprised by the “cyberweapon” they found, as reported here.

Their hi-tech, undetectable nature has led to extensive debate over whether APTs are an entirely different beast from ‘normal’ malware and intrusions – or whether the phrase is just a sales tool. Some We Live Security articles cover the issues here.

Mandiant’s analysis of a Chinese APT – carried out by a professional group believed to employ thousands – found that its attacks had penetrated corporate networks and remained undetected for more than four years, and at one point stole 6.5 terabytes of data from a single organization.

In 2010, America’s Computer Emergency Response Team warned that not only were APTs numerous, they were “sophisticated” and “difficult to defend against.”

RSA, which fell victim to an attack thought to be an example of an APT, likened the attack in a blog post to “stealth fighters” and suggested that a new era of cyber attacks had begun – one requiring new defenses.

But when Bilodeau analyzed his find, he found that the sample – while clearly targeted at governments – wasn’t quite as futuristic as he expected.

“Our detector sent sample programs to our lab,” Bilodeau says. “When virus lab colleagues looked at them they found suspicious origin and behavior. We noticed that the prevalence was very low and also found interesting references to government entities in the program itself. That’s when we decided to spend more time analyzing it.”

There was just one problem – the “nuclear bomb” of cyber attacks turned out to be less explosive than one might have expected.

Much of the attack was “low cost, low complexity”, Bilodeau explains in a blog post on We Live Security, and in detail in a white paper. Bilodeau says that companies may feel tempted to use the term to cover their own failings.

“So, before issuing your press-release about getting popped by an APT group, at least make sure that you are not simply overly exposed to simplistic B-list attacks,” he wrote.

“Most of us in the industry think it’s an overblown marketing term (to be polite) but at this point I think we are pretty much stuck with the term. I would have preferred ‘targeted attacks’ since the threats are not usually that advanced.”

Ordinary PC users also have little to fear, he says. “End-users shouldn’t be concerned because these are highly targeted in nature.”

Governments and large organizations – especially those dealing in hi-tech and military research – are the targets. APTs differ from ‘normal’ malware largely in their choice of target – and in their use of human operators to filter information, Bilodeau says.

“They have a specific goal. If their goal is reconnaissance and data exfiltration like the ones I’ve analyzed then they differ by the fact that they are very generic, revealing very little information about who is doing the attack and what they are after.”

“Once a machine is compromised then a human gets involved and performs the reconnaissance and document stealing. This makes our job harder because we need to get infected and simulate that our computer is an interesting target.”

“That the malware used in some targeted attacks is not sophisticated,” says Bilodeau. “In fact, it’s much simpler in obfuscation than the conventional malware I have analyzed so far. Also that as long as it works (i.e. they compromise their targets) these actors won’t put more effort into building better malware.”

The malware targeted Vietnamese and Taiwanese government systems – and used “one of the oldest tricks in the world,” Bilodeau says. It was delivered in phishing emails, disguised as a Word document.

“Very simple mitigations would have prevented infection,” Bilodeau says. “Doing security updates, not allowing executable attachments and a little bit of end-user security awareness training. That’s it.”
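The delivery trick described above (an executable posing as a Word document in a phishing email) and the mitigation Bilodeau names (not allowing executable attachments) can be turned into a concrete mail-gateway check. The following is an added example written for this article; it is not ESET’s code, and the attachment bytes it inspects are constructed inline rather than taken from the sample Bilodeau analyzed. It refuses attachments on three grounds: an executable extension (including the “report.doc.exe” double-extension disguise), a Windows PE header hiding under a document name, and a claimed Office file whose bytes are not an Office container.

```python
"""Mail-gateway attachment policy: block executables disguised as documents.

Added example, not code from the article or from ESET. The attachments in
SAMPLES are constructed for the demo and are not real malware.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Windows PE executables begin with the two-byte "MZ" DOS header.
PE_MAGIC = b"MZ"
# Modern Office files (.docx/.xlsx/.pptx) are ZIP containers.
ZIP_MAGIC = b"PK\x03\x04"
# Legacy Office files (.doc/.xls/.ppt) are OLE2 compound documents.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Word also opens RTF saved under a .doc name, so accept that signature too.
RTF_MAGIC = b"{\\rtf"

# Illustrative subset of extensions Windows runs directly on double-click.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
# Extensions a user expects to open as a document.
DOCUMENT_EXTENSIONS = {"doc", "docx", "rtf", "pdf", "xls", "xlsx", "ppt", "pptx"}


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class Verdict:
    filename: str
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def _name_parts(filename: str) -> list[str]:
    """Split on dots, lower-casing and stripping padding spaces so that
    'Report.doc      .exe' is seen as ['report', 'doc', 'exe']."""
    return [p.strip().lower() for p in filename.split(".")]


def check_attachment(att: Attachment) -> Verdict:
    """Return a Verdict for one attachment; any reason means it is blocked."""
    reasons: list[str] = []
    parts = _name_parts(att.filename)
    ext = parts[-1] if len(parts) > 1 else ""

    # Rule 1: refuse anything with an executable extension outright.
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")

    # Rule 2: name the 'invoice.doc.exe' double-extension disguise explicitly.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"document extension .{parts[-2]} hiding executable .{ext}")

    # Rule 3: trust bytes over names. A PE header under a non-executable
    # (or missing) extension is an executable pretending to be something else.
    if att.content.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE (MZ) header but filename does not claim to be executable")

    # Rule 4: a claimed Office document whose bytes are not an Office container.
    if ext in {"docx", "xlsx", "pptx"} and not att.content.startswith(ZIP_MAGIC):
        reasons.append(f".{ext} without ZIP container signature")
    if ext in {"doc", "xls", "ppt"} and not (
        att.content.startswith(OLE_MAGIC) or att.content.startswith(RTF_MAGIC)
    ):
        reasons.append(f".{ext} without OLE2 or RTF signature")

    return Verdict(att.filename, allowed=not reasons, reasons=reasons)


def screen(attachments: list[Attachment]) -> list[Verdict]:
    """Check every attachment of a message."""
    return [check_attachment(a) for a in attachments]


# Constructed sample attachments: one benign .docx and three disguises.
SAMPLES = [
    Attachment("budget-2013.docx", ZIP_MAGIC + b"\x14\x00\x00\x00" * 8),
    Attachment("Report.doc      .exe", PE_MAGIC + b"\x90\x00" * 30),
    Attachment("memo.doc", PE_MAGIC + b"\x90\x00" * 30),
    Attachment("notes.scr", PE_MAGIC + b"\x90\x00" * 30),
]

if __name__ == "__main__":
    for v in screen(SAMPLES):
        status = "ALLOW" if v.allowed else "BLOCK"
        print(f"{status:5} {v.filename!r} {'; '.join(v.reasons)}")
```

Rule 3 is the one that matters most for the case in the article: an extension allow-list alone is defeated by renaming, but a file that starts with `MZ` is an executable whatever it is called, so content inspection should sit alongside the extension block rather than replace it.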

The threat of APTs, though, is specific to governments, large corporations and military groups, Bilodeau says. Home PC users have little to fear.

“It is malicious actors that have time and money to spend to compromise you,” says Bilodeau. “They will write custom malware, exploits and run infrastructure in the goal of compromising a particular entity. They don’t want to compromise *any* computer – they do targeted attacks.”
