What is this APT Thing, Anyway?

The term APT has been tossed about in various forums and associated with security, hacking, terrorism, state-sponsored attacks, botnets, advanced malware, next-generation malware, etc.  The net result is that the term means quite different things to different people.  Gunter Ollman, VP of Research at Damballa, writes about the futility of defining what an Advanced Persistent Threat is and is not.

I subscribe to a simplified definition:  a malicious software threat with sufficient engineering and limited, targeted deployment to defeat signature-based scanners.  Signatures are written from samples that have already been collected; a sample deployed against only a handful of targets may never reach the people who write them.  It is advanced in that it is tactically built to target a specific individual, business, or organization.  It is persistent in that its strategically contained distribution and reduced potential for noise generation allow it to remain covertly deployed.

Damballa Blog


Flooding Your Phone, Draining Your Bank

LA Fireman’s Credit Union Records Compromised

The $889 million Los Angeles Firemen’s Credit Union has notified “an extremely small percentage” of its more than 28,000 members that private information may have been compromised.   The May 10 letter from CEO Michael Maestro said that some members’ files were “not properly moved” when the CU relocated.  The data that could have been compromised included names, addresses, phone numbers, account numbers, social security numbers and other identifiers.  “While this was an isolated incident directly related to our move, we’re carefully reviewing our operational policies and procedures to ensure this type of situation never happens again,” he added.


Espionage & Information Engagement

Jart Armin recently posted about ‘Information Engagement’, or espionage, as a part of every nation’s security arsenal.  I wonder about the amount of trust that we afford our own operators in this field.

All governments are suffering from, experimenting with, or regularly using this form of intelligence gathering.   Information engagement experts provide the groundwork for informed military, information operations, and strategic communications decision-making and planning by creating and broadening situational awareness through the collection and analysis of cultural, social, political and economic data derived from an indigenous population and foreign media analytics.  

The process itself can involve a range of activities, like interviewing on the ground, profiling individuals through social networks, monitoring email traffic, collecting web surfing information from ISPs and DNS providers, or utilizing web-based robots, spiders, botnets, and other data gathering tools.  These intelligence gathering efforts help inform not only military planning, but the psychological operations, network defense, operational security and media development that make up the information operations/strategic communications disciplines.

Recent revelations about online spying by Ghostnet and Shadow network have led to news stories about researchers tracking operators to within China.  There have also been recent reports of similar networks, and even disposable botnets, being observed intermittently.  There is a considerable lack of evidence to support the claims that the Chinese government or legitimate Chinese businesses are behind these networks.

Espionage is considered a violation of law in most countries.  In the US, the National Clandestine Service is charged with balancing political correctness with covert espionage for the sake of national security, usually operating through seemingly legitimate, but expensive, contractors.  There is no doubt that China is a commercial empire, is knowledgeable in electronic warfare, and is a skilled political opponent.  It would be foolish to assume that its clandestine operations and operators are inferior to those of North American or European forces, or that it would not also make use of contractors outside its own country to avoid finger-pointing.  When the tracks in the snow stop at a particular house, do you assume that the occupant made them, or that whoever made them simply stopped leaving tracks at that location?  The last hop you can see is where the evidence ends, not necessarily where the operator sits.

The evolution and wide adoption of social media by the public and the corporate world alike has enabled the building of cheap online espionage infrastructures.  These apparatuses leverage sites such as Twitter, Facebook, LinkedIn, Blogspot, and Google Groups to build information-collection and disinformation campaigns.  Because they ride on legitimate, widely used services, these malicious networks often fly under the radar of most detection technologies, enabling elusive attacks and escaping attribution to any single source.

Keystroke logging and forwarding, stored data theft, interception of transient data and voice communications, malware, and botnets are some of the tools of online espionage.  This makes telling the good guys from the bad guys much more difficult when conducting reconnaissance of online crime groups or doing malware research.  Who are the spooks and who are the crooks?

Internet Evolution