Then came the slow, steady exfiltration. "Most of these high profile cases are the result of spear phishing, unless the attackers have an insider in the target company," says Rahul Kashyap, Head of Security Research, Bromium. In attacks by nation states, you almost always see very well designed spear phishing emails that appear to come from the CEO or a similarly senior official within the organization. "A spear phishing email sent to employees of Alcoa appeared to come from a corporate board member," says Kashyap of one example of an email sent during these attacks. The idea was to create a sense of urgency so that employees responded without thinking and began clicking links or opening attachments containing malware. "Attackers spray bunches of emails at employees. All they need is for one person to open one email and respond for an attack to progress," says Kashyap.
Employees ultimately requested the data via port 80 or another port used for web traffic, ports on which enterprises expect to see a lot of traffic. Because the malware was designed to push or pull only a little malicious traffic at a time, mixed in with expected web traffic, enterprise security did not detect the attacks. Meanwhile, the malware kit acquired increasing degrees of access on the network until it reached the databases and servers holding the intellectual property and confidential documents the attackers sought. "Anyone who had access to the kinds of material these hackers stole would have a huge advantage over the targeted U.S. competitors," says Kashyap.
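A defender-side check for the low-and-slow pattern described above, added here as an example and not part of the article: it parses constructed web-proxy log lines (timestamp, client, destination, bytes uploaded) and flags client/destination pairs that few other hosts contact, that recur at near-regular intervals, and that carry only small uploads each time. The log format, thresholds and domain names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log sample (not real traffic): time, client, destination, bytes sent.
# Host 10.1.4.22 checks in with one rarely used domain every ~5 minutes, ~2 KB each time.
SAMPLE_LOG = """\
2024-03-01T09:00:05 10.1.4.22 www.example-news.test 412
2024-03-01T09:00:07 10.1.4.23 www.example-news.test 398
2024-03-01T09:00:12 10.1.4.22 cdn.update-check.test 2048
2024-03-01T09:03:44 10.1.4.23 www.example-news.test 77000
2024-03-01T09:05:11 10.1.4.22 cdn.update-check.test 2010
2024-03-01T09:10:13 10.1.4.22 cdn.update-check.test 2070
2024-03-01T09:15:10 10.1.4.22 cdn.update-check.test 1990
2024-03-01T09:20:12 10.1.4.22 cdn.update-check.test 2055
2024-03-01T09:31:02 10.1.4.24 www.example-news.test 305
"""

def parse_log(text):
    """Return a list of (datetime, client, dest, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, dest, sent = line.split()
            rows.append((datetime.fromisoformat(ts), client, dest, int(sent)))
    return rows

def find_beacons(rows, min_hits=4, max_cv=0.2, max_bytes=4096, max_clients=2):
    """Flag (client, dest) pairs that look like a beaconing implant: enough hits,
    near-constant spacing (low coefficient of variation of the gaps), small
    uploads, and a destination that almost no other internal host talks to."""
    by_pair, clients_per_dest = defaultdict(list), defaultdict(set)
    for ts, client, dest, sent in rows:
        by_pair[(client, dest)].append((ts, sent))
        clients_per_dest[dest].add(client)
    flagged = {}
    for (client, dest), hits in by_pair.items():
        if len(hits) < min_hits or len(clients_per_dest[dest]) > max_clients:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        avg_bytes = mean([sent for _, sent in hits])
        if cv <= max_cv and avg_bytes <= max_bytes:
            flagged[(client, dest)] = {"hits": len(hits), "interval_cv": round(cv, 3),
                                      "avg_bytes": round(avg_bytes)}
    return flagged

if __name__ == "__main__":
    for pair, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(pair, info)
```

The large single upload from 10.1.4.23 is deliberately left unflagged: it is a one-off, not a cadence, and belongs to a volume-based DLP rule rather than this beaconing check.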
Previous state-sponsored attacks have used kernel exploits like Stuxnet, Duqu, Gapz, TDL4, Gameover, and the recent Adobe Reader sandbox bypass; these hackers may have used kernel exploits in these attacks as well. "The Windows kernel is the core of the operating system. If you compromise the kernel, you own the machine, including the security software on it," says Kashyap.
Mitigating similar attacks
"I trained people at government agencies who had no clue that they were under attack as much as they were," says Petraglia. Given that, everyday businesses outside the government are certainly not up to speed on securing against state-sponsored attacks, concludes Petraglia. Enterprises need to educate and train their people that they are definitely military- and intelligence-level targets of hackers.
Several layered technical measures are necessary to mitigate the state-sponsored attacks that hackers mount for economic gain. Enterprises need solid definitions of what counts as sensitive data, and absolute rules about who may access it. "Use Data Loss Prevention tools so people can't copy sensitive data to their laptop, which then ends up unattended in the back of their car," says Petraglia.