Google / Adobe Hacking Event Follow-up – APT Malware

I did not have much of an opportunity to blog about the Google and Adobe compromise when details came to light in January.  I put up a quick 10-liner on the 17th and moved on, as I was too busy with the real work of protecting against and detecting exploitation attempts from this and many other vulnerabilities.  So here I am with a quick summary of events and a little bit of detail, provided mostly by Mandiant and Wired Magazine’s Kim Zetter.

It’s been about 3 weeks since Google announced that it had been targeted by a sophisticated and coordinated attack dubbed “Operation Aurora”.  Adobe and roughly 30 other, so far unnamed, US companies were also targeted.  So far we’ve been told that the attackers made use of a new vulnerability in Internet Explorer and obtained source code as well as access to the Gmail accounts of 2 human rights activists whose work revolves around China.  We also know a few details about how the stolen data was exfiltrated, flowing to IP addresses in Taiwan.

Mandiant, a leading computer forensic firm, is providing the closest look so far at the nature of these attacks and the attackers’ profiles.  Their report never mentions Google or Adobe by name, but focuses on information gathered from “hundreds of forensic investigations” the firm has conducted that appear identical to what is known about the Google attack.  These attacks are identical to attacks that have quietly plagued thousands of other companies and government agencies since 2002.  They represent a major shift from the kinds of common, disorganized, opportunistic attacks that have hit networks and made headlines, and they are rapidly growing in number.

Kevin Mandia states “The scope of this is much larger than anybody has ever conveyed.  There are thousands of companies compromised. Actively, right now.”  Mandiant released the report last week in an effort to make companies aware of the threat.

Advanced Persistent Threats

These attacks are distinct in the uniqueness and complexity of the software used and in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion detection programs.  These new weapons are being called Advanced Persistent Threats (APT).  An APT’s goals are twofold.

  1. They steal information to achieve economic, political and strategic advantage. 
  2. More importantly, they establish and maintain an occupying force in their target’s environment, a force they can call on at any time. 

When the APT wants additional data from a target, it doesn’t need to re‐establish a presence.  It simply calls on its existing assets to locate, steal and exfiltrate the data it needs.

Financial system attackers, like those that attacked Heartland and RBS, tend to use SQL injection attacks to breach front-end servers.  They typically target quickly gathered low-hanging fruit, financial data or sensitive customer data, for cash conversion or identity theft.  Classical hackers also employ detectable smash-and-grab guerrilla tactics, and are fairly easy to kick off a network once detected.  After they grab what they want, they have little interest in sticking around.

The APT attackers employ much harder-to-detect zero-day exploits and social engineering techniques against employees to breach their networks.  They do not currently target customer or credit card data.  Instead, their focus is on higher value espionage, establishing a long-term occupying force inside a company’s perimeter.  They attempt to take every single Microsoft Word, PowerPoint and Adobe PDF document from every machine they compromise, as well as all email that they can find.  One common characteristic shared by all known APT attack victims is that they have dealings in China; the victims include more than 50 law firms.

In 2008, Mandiant investigated a breach at a law firm that was representing a client in a lawsuit related to China.  The attackers were in the firm’s network for a year before law enforcement advised them that they had been hacked.  The intruders harvested thousands of emails and attachments from mail servers, and had uncontrolled access to every server, desktop, and laptop on the firm’s network.

APT attackers also appear to be well funded and organized.  In some cases, multiple groups were detected inside a network, each pursuing their own data in a seemingly uncoordinated fashion.  Last year, for example, an unidentified defense contractor discovered 100 compromised systems on its network, and found that the intruders had been inside since at least 2007. 

No one is immune to APT attackers, who strike defense contractors and government agencies as well as private companies.  A recent story revealed that three U.S. oil companies were hacked in what appears to be an APT attack.  These attacks have been kept fairly quiet, as most organizations do not volunteer information when they’ve been breached, or share the details of how they were hacked.  Most breaches are detected and reported to the victim company by a third party, often law enforcement.  By then, the attack and the extraction of data are long over, and little trace evidence is left.


Attack Techniques

APT attacks are sophisticated; however, they use simple techniques to gain entry, and once inside, they follow a clear pattern.

  1. The attackers conduct reconnaissance to identify workers to target in spear-phishing attacks.  Key executives, researchers and administrative assistants who have access to sensitive information are popular targets.
  2. Malicious emails or instant messages that appear to come from a trusted colleague or friend are sent to the targets.  The communications have an attachment or provide a link to a file containing zero-day malware that exploits Microsoft Office or Adobe Reader vulnerabilities.
  3. Once the attackers have a foothold on one system, they focus their efforts on obtaining elevated access privileges and burrowing further into the network.  This is done by grabbing employee password hashes from network domain controllers and then either using a “pass-the-hash” tool, which tricks the system into accepting the hash itself in place of the password, or running brute-force cracking tools against the hashes to recover the passwords.  At this point, they own the network and move freely through it, compromising Windows systems as they go.
  4. Stolen email messages and documents are collected and stored on a staging server inside the company’s network perimeter, encrypted and compressed into .rar files.
  5. The files are then siphoned out in small random bursts using normal protocols with spoofed headers to disguise the activity.  In the case of the Google hack, the attackers used an SSL port but a custom protocol.

Some of the more sophisticated malware the attackers use is packed using customized packers to make it harder for investigators to reverse engineer it and determine what it’s doing.  Some attackers also use self-destructing malware that erases itself if it fails to reach its destination.  The attacks tend to go undetected because most victims only monitor data coming into their networks, not what moves inside the network or what is going out of it.
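The two points above (exfiltration over an SSL port with a custom protocol, and victims monitoring only inbound traffic) suggest one cheap egress check. The following is an added example, not code from the post or from Mandiant: it takes the first client bytes of each outbound flow to port 443, checks whether they look like a TLS ClientHello, and totals the bytes sent to any destination that fails the check. The flow records and the 203.0.113.0/24 addresses are constructed sample data.

```python
"""Flag outbound port-443 flows that do not start with a TLS handshake.

Added example (not from the post or Mandiant's report). Each flow record is a
constructed tuple: (dst_ip, dst_port, first_bytes_from_client, bytes_sent).
"""
from collections import defaultdict


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the bytes start a TLS record carrying a ClientHello.

    TLS record header: content type 0x16 (handshake), version 0x03 0x0X,
    2-byte length, then the handshake type byte 0x01 (ClientHello).
    """
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[2] in (0x00, 0x01, 0x02, 0x03)
            and first_bytes[5] == 0x01)


def find_non_tls_on_443(flows):
    """Return {dst_ip: total_bytes} for destinations that received non-TLS
    data on port 443. Totalling per destination makes a series of small
    bursts visible as one volume figure."""
    suspicious = defaultdict(int)
    for dst_ip, dst_port, first_bytes, size in flows:
        if dst_port == 443 and not looks_like_tls_client_hello(first_bytes):
            suspicious[dst_ip] += size
    return dict(suspicious)


# Constructed sample flows (documentation address range, no real hosts).
SAMPLE_FLOWS = [
    ("203.0.113.10", 443, bytes.fromhex("160301005e010000"), 5120),  # TLS 1.0 ClientHello
    ("203.0.113.10", 443, bytes.fromhex("160303004a010000"), 4096),  # TLS 1.2 ClientHello
    ("203.0.113.77", 443, b"\x00\x00\x00\x2aHELLO\x01", 48000),       # custom framing
    ("203.0.113.77", 443, b"\x00\x00\x00\x2a\x00\x00", 51000),        # custom framing
    ("203.0.113.20", 80, b"GET / HTTP/1.1\r\n", 300),                 # not port 443, ignored
]

if __name__ == "__main__":
    for ip, total in find_non_tls_on_443(SAMPLE_FLOWS).items():
        print(f"non-TLS traffic on 443 to {ip}: {total} bytes")
```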

APT attackers have used sniffers to grab headers from a company’s authenticated proxy communications to dynamically create their own credentials to mimic the communication.  They’ve also spoofed SSL certificates and hijacked chat programs to conduct communication between malware and command & control servers.

They will also disguise their activities by using process injections and stub malware.  In a process injection, malicious code is introduced into a trusted process already running on a system in order to conceal malicious activity.  Stub malware is code with only minimal functionality keeping its footprint small.  The attackers then remotely add new capabilities to it, which generally live and run in virtual memory, without requiring a disk-write to succeed.  It would be difficult to detect these additional capabilities unless memory was analyzed at the same time the new capability was uploaded and executed.


Many compromised organizations remain compromised, even after they’ve instituted containment and clean-up measures.  If they do manage to eradicate the intruders, the most they can hope for is a brief reprieve before the attackers return.  Since the vulnerabilities typically used are considered zero-day, there is no patch for them.  Social engineering is also commonly applied, and there is still no patch for stupidity or gullibility.  Once in, the software used may lie dormant for months.  One report from Mandiant describes a malware agent lying dormant for a year before awakening and sending a beacon to an external command center, signaling that it was alive and ready to function, long after the company had detected and thought it had eradicated a malware infection.

Last December, Mandia was about to eradicate malware from one network when it suddenly stopped beaconing to its command & control center.  Symantec had updated its virus definitions and the security software was now detecting and stopping the malware.  Ordinarily this would be good news, but in an APT attack this means the attackers will be back to install new undetectable malware and start extracting their target data once more.
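The beacon described in the two paragraphs above is a regular, low-volume outbound connection to one external host, and that regularity is what an analyst can look for in connection logs. Below is an added example, not from the post or from Mandiant’s report: it groups outbound connections by source, destination and port and flags pairs whose inter-connection intervals have very little jitter. The log lines and addresses are constructed sample data, and the thresholds are assumptions to be tuned per environment.

```python
"""Detect regular outbound beaconing in connection logs.

Added example (not from the post or Mandiant's report). Log lines are
constructed, in the form: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def parse_connlog(lines):
    """Group connection timestamps by (src_ip, dst_ip, dst_port)."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, port = line.split()
        by_pair[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return by_pair


def find_beacons(by_pair, min_events=5, max_cv=0.15):
    """Return {(src, dst, port): (mean_interval_s, cv)} for regular callers.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections; a value near zero means a fixed check-in period.
    min_events and max_cv are assumed thresholds, not values from the report.
    """
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = (round(avg, 1), round(cv, 3))
    return hits


# Constructed sample log: one host checking in hourly with small jitter,
# and one host doing ordinary irregular browsing to another site.
SAMPLE_LOG = [
    "2010-02-03T08:00:00 10.0.0.23 203.0.113.77 443",
    "2010-02-03T09:00:05 10.0.0.23 203.0.113.77 443",
    "2010-02-03T10:00:02 10.0.0.23 203.0.113.77 443",
    "2010-02-03T10:59:58 10.0.0.23 203.0.113.77 443",
    "2010-02-03T12:00:03 10.0.0.23 203.0.113.77 443",
    "2010-02-03T13:00:01 10.0.0.23 203.0.113.77 443",
    "2010-02-03T08:01:00 10.0.0.5 203.0.113.10 443",
    "2010-02-03T08:01:07 10.0.0.5 203.0.113.10 443",
    "2010-02-03T08:03:40 10.0.0.5 203.0.113.10 443",
    "2010-02-03T08:20:00 10.0.0.5 203.0.113.10 443",
    "2010-02-03T09:45:12 10.0.0.5 203.0.113.10 443",
    "2010-02-03T09:45:13 10.0.0.5 203.0.113.10 443",
]

if __name__ == "__main__":
    for pair, (avg, cv) in find_beacons(parse_connlog(SAMPLE_LOG)).items():
        print(f"possible beacon {pair}: every {avg}s, cv={cv}")
```

A dormant agent that wakes after months still shows this pattern once it starts; the check is only useful if outbound connection logs are kept long enough to cover that window.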

Mandiant’s Report:

Wired’s Article:
