The recent Google Advanced Persistent Threat (APT) dialogue has been hogging the press for a week now, and each day reveals new (and often conflicting) insight. As I mentioned on Thursday's blog – “Preemptive Protection” Isn’t – If You’re Battling APT’s – this particular attack doesn’t represent some new shift in tactics. It’s not the first APT in the world; in fact I’m pretty sure it’s not Google’s first exposure to APTs, and I’m certain it isn’t going to be the last. In fact, I’d say it’s a safe bet that there are several other equivalent APT successes currently operating within Google’s networks waiting to be discovered. Such is the state of the threat.
So, while the Google APT hogs the limelight, I found it rather topical to note the story on the CSMonitor.com site – US oil industry hit by cyberattacks: Was China involved? – covering other successful APT campaigns going back a few years victimizing Marathon Oil, ExxonMobil, and ConocoPhillips. If you have the time, the story is worth the read and you’ll get a better understanding of the breadth of attack vectors.
Given these timely public disclosures of successful APTs and the additional claims of Chinese involvement in the attacks, I thought it would be valuable to share my own experiences and insight into the threats facing the major oil and petroleum organizations.
Truly big business attracts truly big crime. In fact, as I mentioned to a colleague here in the office today, it’s practically impossible to separate big business from government, and at that level separating state-sponsored (or endorsed) actions from corporate espionage can be more a matter of semantics than anything else. For many countries, big business doesn’t get much bigger than the major oil companies. As such, the big oil and petroleum organizations are under a perpetual barrage of sophisticated attacks.
For the target of a long-term, well-funded and well-organized APT attack, the compromise of perimeter defenses is measured in weeks or campaigns, rather than in success-probability metrics. Think of an APT as a campaign of well-researched attacks spread over an extended period of time, coming from a broad spectrum of perceived sources.
Sophisticated malware lies at the heart of a successful APT compromise. It’s the primary tool for navigating the victim’s network, targeting specific hosts and information, and extracting the critical data. Unfortunately for the good guys having to defend these networks, “sophisticated” means neither exclusive nor hard to acquire. Getting hold of the malware components necessary to carry out this kind of attack is child’s play – literally! If you’re capable of using a search engine and running a software package you’ve just downloaded, you have all the skills necessary to craft, build and distribute a custom malware agent of the kind used in the APT attacks that have made the news recently. In fact, you’ve had that very same capability for at least the last 3-4 years.
In my time dealing with oil and petroleum companies in Europe, I found that APTs were orchestrated from a variety of country sources – from first-world through to third-world – often with a heavy regional weighting. For example, oil and gas companies installing new pipelines in and around the Mediterranean at the time seemed to attract RATs (Remote Access Trojans) developed from DIY construction kits and delivered by innovative drive-by-download vectors with a healthy dose of Cyrillic typefaces. Meanwhile, some self-propagating worms that had eventually made it to various UK offices (and were intercepted there) appeared to use Windows exploits that were optimized for other regional flavors of the operating system (i.e. the memory offsets and keylogging keywords were for different language editions).
While the recent CSMonitor.com posting discusses APTs focused on the theft of oil exploration and discovery data, the targets of other attacks I’ve seen (or heard about) are just as broad again. In fact, some of the targets may not even be information – the goal may be to lay the groundwork for a more damaging physical interruption of business. For example, worm-based malware is a particular concern to the oil and petroleum companies. Vast swathes of their networks encompass mechanical and industrial control systems, and embedded operating systems are a fundamental feature of modern processing plants (and oil delivery). Unfortunately, it’s rather tricky to update 5+ year-old valve controller systems every time there’s a new security patch (multiply that problem by every 50 meters of a 1,500 km oil pipeline, for example). Irrespective of all the SCADA problems you may have heard about over the last few years, unpatched embedded operating systems that can be exploited using off-the-shelf hacking kits and remotely controlled using standard botnet management tools will give even the best security consultant prolonged heartburn.
Again though, and I’ve said this several times since Google’s public announcement, APTs aren’t a particular piece of malware or an attack vector – they are coordinated attacks by motivated and professional criminals. They will succeed in breaching their targets’ perimeter. They will compromise internal hosts and embedded systems. Their criminal operators are myopically focused on achieving their business objectives.
Detecting when they’ve breached your network defenses, when they’ve circumvented your preemptive protection technologies, and when they’ve compromised your computing systems is critical. And you know what? I know how to detect them. Command and Control (CnC) communications are the APT’s soft underbelly – whether you’re a search engine company, a global petroleum company with revenues that rival the GDP of many small countries, or just a company that holds the keys to secrets that someone else wants and is determined to acquire – identification of their cyber-polling or interactive digital chatter will unearth their presence.
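The "cyber-polling" the post points to is a timing signature: an implant that phones home on a timer produces outbound connections at near-constant intervals, whereas a person browsing produces bursty, irregular ones. The script below is an added illustration of that detection idea, not code from the original post or from any product; it assumes a minimal, constructed log format of "<epoch_seconds> <source_host> <destination_host>" per line, and the host and destination names in the sample are made up.

```python
"""Beacon (periodic polling) detection over outbound connection logs.

Added example, not the author's or any product's code. It assumes a
constructed log format of "<epoch_seconds> <source_host> <destination_host>"
per line; real proxy, DNS or NetFlow records would be mapped onto the same
three fields before running find_beacons().
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

LOG_LINE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)$")

# Constructed sample data (hostnames are invented). ws-17 polls one external
# host roughly every 300 seconds with a few seconds of jitter, the pattern a
# timer-driven CnC client leaves; ws-42 is an ordinary user whose visits to a
# single site are bursty and irregular.
SAMPLE_LOG = """\
1000 ws-17 update.example-cdn.test
1000 ws-42 news.example.test
1050 ws-42 news.example.test
1302 ws-17 update.example-cdn.test
1400 ws-42 news.example.test
1410 ws-42 news.example.test
1599 ws-17 update.example-cdn.test
1901 ws-17 update.example-cdn.test
2200 ws-17 update.example-cdn.test
2498 ws-17 update.example-cdn.test
2700 ws-42 news.example.test
2705 ws-42 news.example.test
2710 ws-42 news.example.test
2803 ws-17 update.example-cdn.test
3100 ws-17 update.example-cdn.test
"""


def parse_log(text):
    """Return (timestamp, src, dst) tuples, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append((int(m.group("ts")), m.group("src"), m.group("dst")))
    return events


def find_beacons(events, min_count=6, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-connection intervals are suspiciously regular.

    min_count: fewer connections than this are too little evidence to score.
    max_cv:    coefficient of variation (stdev / mean) of the intervals; a
               timer-driven implant keeps this near zero even with jitter,
               while human-driven traffic produces a large value.
    Returns a dict keyed by (src, dst) with count, mean interval and cv.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in sorted(by_pair.items()):
        if len(stamps) < min_count:
            continue
        stamps.sort()
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            hits[pair] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info['count']} connections every "
              f"~{info['mean_interval']:.0f}s (cv={info['cv']:.3f})")
```

On the sample data only ws-17's traffic is flagged (eight connections, mean interval 300 s, cv under 0.01); ws-42's seven visits to its news site have a cv above 1 and drop out. In practice the output is a triage list rather than a verdict: legitimate software updaters and monitoring agents also poll on timers, so the usual next step is to discount destinations that many internal hosts contact and to look at what the remaining regular talkers are sending.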
– Gunter Ollmann, VP Research