In the latest Mandiant webinar, consultants Chris Oetting and Mike Middleton explained the difficulty of restoring an organization’s network after it has suffered a serious cyber attack. About 30% of recent cyber attacks that Mandiant has responded to involve organizations that have been compromised by attackers employing backdoors. These are programs installed surreptitiously on a computer that allow a remote user to circumvent normal authentication and, thereby, gain complete control of a network.
As I noted in my last post, these attacks often begin with a spear phishing email that encourages a user to open a file or click on a link. The email appears to come from someone the user knows, which makes them more likely to trust its contents. Even though the emails shown were replete with grammar and vocabulary problems, they were nonetheless effective. Some emails claimed to be testing a new network configuration. Others claimed to represent some anti-Chinese group and encouraged the user to visit a site with similar views. Strangely, the presenters never mentioned China as the source of many such attacks, even though it was Mandiant that first uncovered the group of hackers known as APT1. One wonders if this was done to sidestep any possible repercussions from the Chinese, as the company has suffered attempted attacks in the past.
The sophistication of these new attacks is such that it takes great effort even to determine whether the network was compromised at all. For example, the time the malware was installed cannot be trusted in some logs because the attackers have reset that timestamp to an earlier time, making it look as though nothing new was added to the system. Valid-looking user credentials were used so as not to set off any alarms. For the most part, the attackers made it look as if valid users were doing valid things at valid times. Thus, the malware can persist and continue sending information to the attacker for a long time before it is ever discovered.
However, there were other records that were not so easily tampered with. Antivirus logs may be a good way to see if anything unusual was going on. The registry may also show signs of questionable changes. Although attackers often find ways to use the VPN so as not to be detected, VPN logs may still show signs that something just isn't right. An apparently valid user may be logging in from non-US sites at unusual times, for example.
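The VPN-log check described above, written out as an added example that is not from the webinar or from Mandiant: it parses a constructed log format (assumed here; real VPN concentrators log differently) and flags successful logins that come from outside the home country or fall outside working hours, the two signals the paragraph names. Timestamps are assumed to be UTC.

```python
import re
from datetime import datetime

# Constructed sample VPN authentication log lines (not from any real system).
# Format: ISO timestamp, event, result, user, source IP, GeoIP country code.
SAMPLE_VPN_LOG = """\
2013-03-04T09:12:41Z vpn-auth OK user=jsmith src=198.51.100.23 country=US
2013-03-04T13:47:05Z vpn-auth OK user=mjones src=203.0.113.8 country=US
2013-03-05T03:21:17Z vpn-auth OK user=jsmith src=192.0.2.77 country=CN
2013-03-05T17:02:59Z vpn-auth OK user=jsmith src=198.51.100.23 country=US
2013-03-06T02:58:33Z vpn-auth OK user=mjones src=203.0.113.8 country=US
2013-03-06T11:14:08Z vpn-auth FAIL user=mjones src=192.0.2.91 country=RU
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth (?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) country=(?P<country>[A-Z]{2})$"
)

def parse_vpn_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def flag_suspicious_logins(events, home_country="US", work_hours=(7, 19)):
    """Return (user, timestamp, reasons) for successful logins that look wrong:
    a source outside the home country, a login outside working hours, or both.
    Only successful logins count: the credentials were valid, so only context
    such as origin and time of day can reveal the misuse."""
    findings = []
    for ev in events:
        if ev["result"] != "OK":
            continue
        reasons = []
        if ev["country"] != home_country:
            reasons.append(f"login from {ev['country']}")
        if not (work_hours[0] <= ev["ts"].hour < work_hours[1]):
            reasons.append(f"off-hours login at {ev['ts'].strftime('%H:%M')} UTC")
        if reasons:
            findings.append((ev["user"], ev["ts"], reasons))
    return findings

if __name__ == "__main__":
    for user, ts, reasons in flag_suspicious_logins(parse_vpn_log(SAMPLE_VPN_LOG)):
        print(f"{ts.isoformat()} {user}: {'; '.join(reasons)}")
```

On the sample data this reports the jsmith login from CN at 03:21 (both signals) and the mjones login at 02:58 (off-hours only); the failed RU attempt is left to a separate failed-login check.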
Unfortunately, as the presenters pointed out, it is not a simple matter to correct all the changes an attacker can make to a computer or a network. Failing to remove every trace of the malware may allow the attacker to compromise the same computer and network again. Users and administrators must work together to make sure the system is as tight as possible, but, of course, there are no guarantees. A lot of hard work can be wiped out with the click of a mouse.
It did worry me that no mention was made of China being behind a large number of these attacks. This reminded me of Symantec choosing not to mention China being behind the Elderwood Project, even though it was widely known that it was. It worries me because China's cyber intimidation seems to be extending beyond its own borders. In my next post, I will look further into this issue.