They break in to steal important information and property, but these intruders are not your typical burglars. With the click of a mouse, within the blink of an eye, from thousands of miles away, these saboteurs can cause havoc, ransack your systems and plunder your most valuable company secrets — without you ever knowing what happened.
At the end of 2009, a clandestine, sophisticated operation took place: A group of foreign adversaries hacked into the computer systems of dozens of America’s most prominent government contractors, technology corporations and federal agencies. Primary objective: steal the intellectual property — the crown jewels of a corporation.
As with most cyber intrusions, the assault went unnoticed at first. It was not until after the new year that the hack was detected and brought to light. Google announced on its corporate blog Jan. 12 that it had suffered a coordinated attack, seemingly originating from China.
The announcement Google made was an unprecedented move.
“I thought it was a watershed moment for cybersecurity when you had a company as large and as prominent as Google actually coming out and talking about [being attacked],” said McAfee Worldwide CTO George Kurtz, who became involved early in investigating the attacks. “If you look at Google’s mission, they sort of have the higher cause of yes, they make lots of money, but they are doing things to help change people’s lives. If you carry that philosophy forward, I think they wanted to shed some light on this particular example.”
It soon became evident Google was not the only target. The hackers had also targeted companies in strategic industries in which China has fallen behind, industry experts said. The attacks on defense companies were aimed at obtaining details on weapons systems, experts said, while those on technology firms targeted valuable source code. The attacks also focused on extracting information about political dissidents, and the hackers had attempted to hack the Gmail accounts of Chinese human rights activists.
To illustrate how the attack unfolded, Kurtz used the analogy of a would-be bank robber. Pretend you plan on sticking up a bank. You start by casing the bank, looking at the security cameras, the locks, trying to figure out when staff come and go. In the computer world, this sort of reconnaissance is called footprinting — the practice of understanding whom you are going to attack. In the case of the Aurora attacks, the hackers used social footprinting — the practice of examining relationships between individuals and exploring how to socially engineer them to gain access to a company.
As with most targeted hacks, Kurtz said, the Aurora hackers gained access to an organization by sending a tailored attack in the form of an email to certain individuals. These messages contained links that, when clicked, brought the user to a server that housed malware and took advantage of Internet Explorer, exploiting the user’s browser and downloading the malware. Once the malware was installed, it connected back out through the firewall. And once it made the connection back out, the attacker had unfettered access within the internal network, Kurtz explained.
“That’s really how most of the malware works,” he said. “You don’t have to break through a firewall. You simply need a user to click on a link, not do anything, but behind the scenes there’s a cocktail of exploits that are sent to the user’s browser. It exploits a vulnerability that is either zero-day or a patch and then ultimately, once that Trojan and malware is installed, you have become a platform for the bad guys to operate and they will connect back out through the firewall to make it look like legitimate traffic.”
Once the hackers have a footprint on the internal network, they can move about the network and start hacking systems of value within the company’s internal network, Kurtz added.
James F. X. Payne, senior vice president and general manager of national security and cyber infrastructure, Advanced Technology Solutions, Telcordia, noted how hackers are aided by out-of-date security measures and unpatched flaws. Currently in place is a model where less-than-perfect technology is deployed, and users are expected to find the vulnerabilities, and then wait for the companies to sell the patch, Payne said.
“It’s an interesting model, and it’s inherently acknowledging our vulnerabilities in our critical infrastructure,” he added.
Payne said what companies need are tools to conduct diagnostics on their networks to see whether the appropriate patches have been deployed correctly. It is almost like having a corporate credit card, he said. If you do not manage it responsibly and settle it on a timely basis, you will hear from the chief financial officer.
Now, imagine a situation where the CFO does not know what you are spending on that company card — that is the kind of world cyber is in. No one can really pinpoint whether you have patched your networks or not, Payne said.
Aurora, a Game Changer
Because of their work with classified or sensitive projects for the federal government, contractors have become prime targets for foreign intelligence services. A DoD report released in March 2010 revealed that information systems are the most heavily targeted of military technologies, also evidenced by the Aurora attacks on corporations such as Symantec, Northrop Grumman and Adobe.
However, Aurora brought along a couple of “firsts.” It was the first time commercial industrial companies had come under that level of sophisticated attack, Dmitri Alperovitch, vice president of threat research for McAfee, told Wired in January, adding, “It’s totally changing the threat model.”
Aurora was also a game changer in the way it impacted government and industry alike.
“If you look at government against commercial entities, this changed the game,” Kurtz said. “Operation Aurora was a bit of a wake-up call for many of these corporations to think about. They asked themselves, ‘I’m worried about intruders, but do I have to worry about hackers perhaps getting in and getting my information and doing something with it, using it perhaps as part of a larger attempt to infiltrate the U.S. infrastructure or government’s infrastructure?’”
But does recognition of the problem help the government-contracting industry stay safer? Maybe. Raising awareness and taking it to a new level can be a powerful tool.
“These attacks made the concept of an existential cyber threat real for many companies, especially when name brands were portrayed as helpless victims in headlines around the globe,” said Vincent Mihalik, vice president of cybersecurity solutions for Wyle Information Systems.
Looking beyond the boundaries of the circumstances of Operation Aurora, Mihalik said, the concept of a preventable threat is a relevant topic of discussion because experts have long asserted that many IT groups and end-users failed to take the steps necessary to safeguard enterprise IT resources and endpoints.
John Pirc, senior product line manager at HP TippingPoint, echoed Mihalik’s point about raising awareness that Advanced Persistent Threats are not just a public-sector concern.
“Aurora proved that Advanced Persistent Threats are no longer just a government or defense problem; rather, they are industrywide,” he said.
The research and analysis that followed the attack have provided much-needed insight for security engineers and researchers to begin addressing the risks, Pirc said. Subsequently, corporations have begun exploring other security technologies, which complement existing security products and watch for suspicious network or endpoint activity, he added.
No Silver-Bullet Solution
But is it possible to stop these attacks from happening? In short, no.
Due to the payoff or ROI cyber criminals receive with little to no risk of being caught or punished, these threats will never be 100 percent eliminated, said Scott Miller, general manager of Microsoft’s National Security Services business.
“As information technology companies continue to develop more secure software and hardware and enterprises understand the threat and architect their infrastructure and business applications with security as a core component, it will be more costly to the attacker to go after the enterprise,” he said.
This maturing of the IT industry and enterprise cybersecurity, Miller said, will make it harder for many attackers to conduct their malicious activities successfully.
As for finding a single solution to the problem, there is none, the experts concluded. Pirc said while certain aspects of an APT are preventable, in the security industry, there is no silver-bullet technology available to protect against all aspects of these threats.
As vendors have built more secure technology and enterprises have matured their cybersecurity capabilities across people, process and technology, the attackers have had to evolve their tactics, techniques and procedures to be successful, Miller said.
“This ‘arms race’ will never stop as many threat actors are determined and highly resourced and capable,” he said. “The cyber threat will likely increase in sophistication and complexity as it has in the past.”
And the evolution of the cyber threat happens at lightning speed. In the short, less-than-6-month progression in threat characteristics from Aurora to Stuxnet, there are similarities as well as orders of magnitude of innovation in the attacker TTPs, reflected in the characteristics of the malware used, Miller said.
Kurtz echoed the experts’ thoughts on having to evolve beyond the single-layered approach to security.
“I think now people are really starting to realize just how bad the problem is and it’s not just about anti-virus and firewall anymore,” he said. “It is about having a layered approach, which includes IPFs, which includes web gateways, which includes data loss prevention technology. You can’t really just do the bare minimum; it’s really a layered approach. There is no silver bullet to security.”