APT groups’ mobile momentum finally faces resistance
The cyber defence industry is finally turning its attentions toward mobile devices as Covid-19 shines a light on remote working trends and strains. Unfortunately, they’re already 10 years behind the world’s most elite Advanced Persistent Threat (APT) contingent.
While this period of lockdown, working from home, and siloed digital infrastructures have undoubtedly caught the eye of the most sophisticated – often state-run – hacking operations, it would be a mistake to think that such a focus is only just taking off.
Following two reports conducted by Blackberry in recent months – the most recent unveiled in April 2020 – Windows and Android have joined primary target Linux as core focuses across five APT groups “operating in the interest of the Chinese Government”.
The report, titled Decade of the RATs: Cross-platform APT espionage attacks targeting Linux, Windows and Android, reveals that these cyber espionage activities, active for almost a decade, are targeting intellectual property, which becomes more vulnerable in the dispersed enterprise structure we have at present.
Eric Cornelius is chief product architect for Blackberry, and knows all too well how state-associated APT groups function. As a long-time employee of the US Federal Government himself in former days, he openly admits that to the US he would be deemed a patriot, but to China – in an opposing scenario – he’s considered an enemy or foreign spy.
“The cyber criminal underworld is a complex and vigilant structure, and they’ll no doubt be finding ingenious and witty ways to capitalise on how Covid-19 has altered enterprise behaviours,” he says. “However, to call it a paradigm shift would be to understate that these groups have been focusing on mobile devices for 10 years already. We released a report in September which called attention to the prevalence of mobile malware, and this latest report is an extension of that.”
Essentially they’ve been capitalising on humans being the weakest link of companies’ digital infrastructures. And now, that weakest member of the herd has become detached and is more vulnerable than ever.
The Linux assault
The April report follows a thread of Cornelius’ and Blackberry’s core work around campaign tracking. This is to analyse APT groups’ calling cards and hallmarks to try and monitor and prevent dangerous infiltration from overseas operators.
In this case, his team “stumbled upon” Linux malware that “smelt funny”, before initially pulling on that thread and eventually taking a deeper dive.
“This report is a result of that deep dive,” says Cornelius. “It shows that these groups not only have the foresight to attack Linux machines, but they can remain undetected within the framework of Linux devices for a long time, undetected.
“Through recognition of Linux’s makeup and the use of witty ideas like adware which admin teams become annoyed or jaded by so end up leaving, they capitalised on both the tech environment and human nature, simultaneously.”
Considering that Linux runs nearly all of the top one million websites, 75% of all web servers, 98% of the world’s supercomputers, and 75% of major cloud service providers, the impact and risk are all too evident.
“The longevity and scale of these attacks is what is most shocking,” agrees Kunal Anand, chief technology officer of Imperva – an analyst-recognised cyber security specialist that partners with companies through their digital transformations. “All threats are dangerous, but this one in particular shows the length and time that threat actors, like APT groups, can go through to mine highly sensitive data.
“The targets of these assaults include intellectual property theft, compromised sensitive information, the sabotaging of critical organisational infrastructure, and total site takeovers. In this case, industries and governments all over the world were the target, all having one common link: the disregarded Linux servers that they thought were secure.”
A favourable climate for cyber crime
The aforementioned rundown of sheer Linux volume across the digital world is where the Covid-19 element understandably sets off alarms.
More than 20 million people have relocated to home offices since the pandemic struck, forcing businesses into new situations that their cyber defences were not geared up for.
“Sadly, hackers are taking advantage of this situation and we’ve seen an increase in fake corona sites, corona phishing messages and corona spam,” says Anand. “Our own recent research has already found that two new spam campaigns have emerged in response to the anxiety surrounding Covid-19.”
However, this isn’t just a knee-jerk reaction to an advantageous situation for advanced threat actors. It’s merely a more favourable climate to enact 10 years of evolving tools, tactics and procedures (TTPs) in the mobile space.
ThreatConnect, an intelligence-driven security operations platform, has been keeping a close eye on these trends already, and the company’s vice president for EMEA, Miles Tappin, acknowledges that while they may not be entirely new, APT attacks are certainly more dangerous in the current climate.
“With work from home tools being essential to our everyday work life, malicious actors are using this to benefit them,” he says. “Threats including phishing scams, malware and fake URLs are now spiking due to people using their own devices, and IT teams being less able to respond to threats in real time.
“Individuals and businesses need to ensure that they are protecting personal data and are dedicated to all aspects of security.”
To understand the methods and tools that actors are using, Tappin urges companies to better understand the cyber landscape around them. Internally, heightened collaboration, sharing, education, and the formulation of feedback loops are critical defensive tactics.
However, as Cornelius adds, when starting 10 years behind your opponent, relying on internal knowledge to fight back may already be akin to fighting a losing battle.
“One thing that I’d like to see,” he says, “is companies embracing more mobile security staff. Remote management of cyber security is 100% something I can see happening, and you’re already seeing it with MSSPs (managed security service providers).
“I’d implore companies to go down that route as they can mitigate the need to have dedicated in-house staff, they’d be resistant to unforeseen challenges such as the one being faced now, and they’d remove the need for hiring drives, training, development etc. You’d just immediately be investing in utmost defence groups who would raise the bar of your cyber security.”
It is this kind of positivity that almost seems naïve in the face of state-run (almost unstoppable) attacks such as those revealed in Blackberry’s report. But it does come with reason. “I don’t have a defeatist attitude because I can see where humans and enterprises are going wrong, and those behaviours can be fixed,” says Cornelius. “What everyone needs to remember is that cyber security is holistic.”
Traditionally, companies assign a priority level and budget to address cyber security, but not in a holistic way.
“They’re essentially only taking a slice of cake and then presenting it as a full one,” says Cornelius. “Well now, they’re hopefully realising that some very clever and advanced bad guys are around to ruin the mobile party, and enterprises can no longer fail to introspect on their strategies across the entire infrastructure.”
Calls to action
As the number of mobile devices worldwide reaches 8.9 billion (around 1.2 billion more than there are people), the risks attached rise in parallel.
“In this time, it’s vital for businesses and consumers alike to review their personal information, making sure they know where their data is being held, and whether it is secure,” says Anand.
“Hackers have become much bolder using the current situation for their own advantage and as enterprises continue to manage their data across multiple applications and environments, on premise or cloud, the landscape becomes more ambiguous.
“As such, it is critical for businesses to take a more comprehensive approach – to focus on protecting the data itself and to adopt a zero-trust security model.”
Tappin echoes this sentiment, with his own call to action also revolving around the idea of a holistic approach and breaking away from the tradition of isolated defences.
“Organisations should make use of information from their peers and contribute to a wider industry effort,” he adds. “By tapping into the collective experience and insights of an industry group, each member gets access to a constant stream of useful information, bolstering their own defences and helping others do the same.”
By coming together as both individual enterprises, and then as a wider cohesive industry, the business community can’t guarantee safety, but they can make life considerably harder for those who would want to disrupt it.
As someone with plenty of hacking experience himself, Cornelius signs off on a positive note that these sorts of measures aren’t just a defensive, barricading measure. They are genuine shots back.
“Hacking is harder than you see in the movies and bad guys are having a hard time with sophisticated technologies and tools, I can promise you,” he says. “Their one saving grace has always been human error, and with the increasing importance and disparateness of mobile device usage, that frailty will be preyed upon.
“One positive to come out of this though is that it’s shone a light on something that has been out there for 10 years. All that time, companies have been complacent to the idea that adversaries wouldn’t be looking at Linux platforms and what they’re doing in the cloud, seriously.
“Well, they are. And this period should be a call to action to everyone to meet that challenge, and to get their technologies to a place where it doesn’t matter that humans will always be the weakest link.”