McAfee has just released a whitepaper, “Revealed: Operation Shady RAT,” in which they investigated one of the secret command and control networks which have been surreptitiously installed in networks around the world. McAfee reports that the purpose of these secret networks is to steal data.
What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.
McAfee reports that this single operation compromised data from 72 targets. In some cases, data was being stolen for more than 2 years before the intrusion was stopped. How was the data stolen?
The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.
This is nothing new. A leaked secret State Department cable describes a cyberwarfare attack against the United States Government (USG):
Since late 2002, USG organizations have been targeted with social-engineering online attacks by BC [Byzantine Condor] actors. … BC actors typically gain initial access with the use of highly targeted socially engineered e-mail messages, which fool recipients into inadvertently compromising their systems [spear-phishing]. The intruders then install malware such as customized keystroke-logging software and command-and-control (C&C) utilities onto the compromised systems and exfiltrate massive amounts of sensitive data from the networks.
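The McAfee excerpt above describes implants reading instructions from hidden comments in web page code, so one monitoring check is to scan HTTP response bodies for HTML comments that carry an encoded blob. This is an added example, not code from the McAfee paper or from this post. The base64 shape test, the length and entropy thresholds, and the sample page are assumptions constructed for illustration, since the excerpt does not say how the instructions were encoded.

```python
import base64
import binascii
import math
import re
from collections import Counter

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(text):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def is_encoded_token(token, min_len=24, min_entropy=3.5):
    """Heuristic (assumed thresholds): long, base64-decodable, high-entropy token."""
    if len(token) < min_len or len(token) % 4 or not B64_TOKEN_RE.match(token):
        return False
    try:
        base64.b64decode(token, validate=True)
    except binascii.Error:
        return False
    return shannon_entropy(token) >= min_entropy

def find_suspicious_comments(html):
    """Return (offset, token) for each comment token that looks like an encoded blob."""
    findings = []
    for match in COMMENT_RE.finditer(html):
        # Ordinary comments are short words; conditional comments contain markup.
        for token in match.group(1).split():
            if is_encoded_token(token):
                findings.append((match.start(), token))
    return findings

# Constructed sample response body; the blob is a harmless placeholder string.
SAMPLE_BLOB = base64.b64encode(b"constructed-sample-instruction-0001").decode()
SAMPLE_PAGE = f"""<html><head><title>Welcome</title>
<!--[if lt IE 9]><script src="html5shiv.js"></script><![endif]-->
</head><body>
<!-- main navigation -->
<p>Nothing to see here.</p>
<!--{SAMPLE_BLOB}-->
</body></html>"""

if __name__ == "__main__":
    for offset, token in find_suspicious_comments(SAMPLE_PAGE):
        print(f"offset {offset}: {len(token)}-char encoded comment token: {token[:16]}...")
```

A hit is a lead for an analyst rather than a verdict: legitimate pages sometimes embed encoded build or tracking data in comments, so findings should be correlated with the destination host and with how often the same endpoint polls the page.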
Organizations must use many layers of defense to protect their data. Operating systems and browsers must be current and patched. State-of-the-art security software should be deployed. Systems should be monitored. Staff must be trained. But part of the solution is to realize that people respond to well-crafted spear-phishing emails.
When human factors are considered in the threat profile, human factors must be deployed in the defensive measures. A tool is now available that uses human factors to identify trusted email so that the target of the spear-phishing attack can distinguish real email from fake email. That tool is SP Guard from Iconix.
SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking its internal messages as well as those from trusted partners such as its law firm. Note especially that the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:
SP Guard provides the email recipient with three easy-to-recognize confirmations that a message is really an internal email or from a trusted counterpart:
- List View. There is an integrity indicator in the list view of the email client.
- Message. The open message has a further indicator of authenticity.
- Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.
SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.