It's been three weeks since Google announced that a sophisticated and coordinated hack attack dubbed Operation Aurora recently targeted it and numerous other U.S. companies.

Until now we've only known that the attackers got in through a vulnerability in Internet Explorer and that they obtained intellectual property and access to the Gmail accounts of two human rights activists whose work revolves around China. We also know a few details about how the hackers siphoned the stolen data, which went to IP addresses in Taiwan. About 34 mostly undisclosed companies were breached.

Now a leading computer forensic firm is providing the closest look so far at the nature of the attacks, and attackers, that struck Google and others. The report never mentions Google by name, or any other companies, but focuses on information gathered from hundreds of forensic investigations the firm has conducted that are identical to what we know about the Google hack.

What the information indicates is that the attack that hit Google is identical to publicly undisclosed attacks that have quietly plagued thousands of other U.S. companies and government agencies since 2002 and are rapidly growing. They represent a sea change from the kinds of attacks that have commonly hit networks and made headlines.

"The scope of this is much larger than anybody has ever conveyed," says Kevin Mandia, CEO and president of Virginia-based computer security and forensic firm Mandiant. "There [are] not 50 companies compromised. There are thousands of companies compromised. Actively, right now."

Mandiant released the report last week at a closed-door cybercrime conference, sponsored by the U.S. Defense Department, in an effort to make companies aware of the threat.

The firm has been investigating the Google breach and many of the most high-profile breaches of the last few years, such as those that occurred at credit and debit card processors Heartland Payment Systems and RBS Worldpay. The breed of attacks that struck Google and others, however, is markedly different from those.

Advanced Persistent Threats

Called Advanced Persistent Threats (APT), the attacks are distinctive in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion programs. What's more, the intrusions grab a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures.

"APT is a very unique threat out of the Asia Pacific that . . . looks different and is much more widespread than the criminal compromises," Mandia says in a recent phone interview.

The Heartland and RBS attackers, and other criminal hackers of their ilk, tend to use SQL injection attacks to breach front-end servers. The APT attackers, however, employ undetectable zero-day exploits and social engineering techniques against company employees to breach networks.

The non-APT hackers target only financial data or sensitive customer data for identity theft, while the APT attackers never target such data. Instead, their focus is espionage. They attempt to take every Microsoft Word, PowerPoint and Adobe PDF document from every machine they compromise, as well as all e-mail, says Mandia.

The non-APT hackers also employ smash-and-grab guerrilla tactics and are fairly easy to kick off a network once a company discovers them, Mandia says. After they grab what they want, they have little interest in hanging around. APT attackers, however, aim to establish a long-term occupying force inside a company’s perimeter.

Last year, for example, an unidentified defense contractor discovered 100 compromised systems on its network, and found that the intruders had been inside since at least 2007.

APT attackers also appear to be well-funded and well-organized. In some cases, Mandiant has found multiple groups inside a network, each pursuing their own data in a seemingly uncoordinated fashion.

No one is immune to APT attackers, who have struck defense contractors and government agencies as well as private companies and law firms. A recent story revealed that three U.S. oil companies were hacked in what appears to be an APT attack. The attacks have been little-known outside government and computer security circles until now because companies have been loath to admit they've been breached – Google is the exception – or share details of how they were hacked.

Many entities don't discover a breach until someone from law enforcement tells them. By then, it's too late.

"By the time the government is telling you, you've already lost the stuff you didn't want to lose usually," Mandia says, noting that it's generally not possible to ascertain everything that an attacker took.

One series of attacks last year involved a spear-phishing campaign that targeted an unnamed, high-ranking counterterrorism official, and two entities described as coordinators of local, state and federal intelligence. From Mandiant's description, it appears these refer to a local fusion center and a federal counterterrorism center. The report doesn’t indicate how successful the attacks were other than to say the intruders stole e-mail and information that helped them map networks and locate valuable data.

Mandiant's agreements with clients prevent it from disclosing the names of its forensic customers.

One mark of APT attacks is that they have especially hit companies with dealings in China, including more than 50 law firms.

"If you're a law firm and you're doing business in places like China, it's so probable you're compromised and it's very probable there's not much you can do about it," Mandia says.

In 2008, Mandiant investigated a breach at a law firm that was representing a client in a lawsuit related to China. The attackers were in the firm's network for a year before the firm learned from law enforcement that it had been hacked. By then, the intruders had harvested thousands of e-mails and attachments from mail servers. They also had access to every other server, desktop workstation and laptop on the firm's network.

In another case, a Fortune 500 manufacturer was in discussions to acquire a Chinese corporation when it was notified by law enforcement agents that it had been hacked.

The attackers sent targeted spear-phishing e-mails to four key U.S. executives involved in the acquisition discussions that appeared to come from a colleague. When the executives clicked on a URL in the e-mail, malware loaded to their machines. Within a short time, the attackers had administrative rights on the majority of the company's computers. They were able to read e-mail containing critical information about the company's negotiating strategy – days before the negotiations took place. After discovering the breach, the company abandoned its plan to acquire the Chinese firm.

The vast majority of the activity the Mandiant firm has witnessed has been linked to China, according to its report.

"All we're saying is that the majority of the data that gets exfiltrated ultimately finds its way to IP addresses in China, and that's pretty much all anybody knows," Mandia says.

Attack Techniques

While APT attacks are sophisticated, they use simple techniques to gain initial entry and, once inside, adhere to a pattern.

For starters, the attackers conduct reconnaissance to identify workers to target in spear-phishing attacks – such as key executives, researchers and administrative assistants who have access to sensitive information – and then send malicious e-mails or instant messages that appear to come from a trusted colleague or friend.

The e-mails have an attachment or link to a ZIP file containing zero-day malware that exploits Microsoft Office or Adobe Reader vulnerabilities. Google employees received an e-mail with malware that exploited a vulnerability in Internet Explorer 6 that Microsoft had not yet publicly disclosed.

Once the attackers have a foothold on one system, they focus on obtaining elevated access privileges to burrow further into the network. They do this by grabbing employee password hashes from network domain controllers – and either cracking them by brute force or using a pass-the-hash tool that authenticates with the hash itself, so the password never has to be recovered.

At this point, they move laterally through the network, compromising systems as they go and using other exploits to attack additional vulnerabilities. The systems being compromised are Windows systems.

Stolen e-mail messages and documents are collected and stored on a staging server inside the company's network before being encrypted with custom algorithms and compressed into an .rar file. The files are then siphoned out in small random bursts generally via normal protocols with spoofed headers to disguise the activity. In the case of the Google hack, the attackers used an SSL port but a custom protocol.

Some of the more sophisticated malware the attackers use is packed, using customized packers, to make it harder for investigators to reverse engineer and determine what it's doing. Attackers also use self-destructing malware that erases itself if it fails to reach its destination.

The attacks go undetected because most victims only monitor data coming into networks, not inside a network or going out of it. Spear-phishing attacks and zero-day exploits often circumvent protections against data coming in, and data being siphoned out is generally disguised to resemble legitimate traffic.
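The monitoring gap described above is on the egress side, and the detail that the Google attackers used an SSL port but a custom protocol suggests one concrete outbound check. The following is an added example, not code from the report or from Mandiant: it runs over constructed outbound flow records (source host, destination, port, bytes sent, first payload bytes) and flags two things a network-only-inbound posture would miss: traffic on port 443 whose first bytes are not a TLS record header, and source/destination pairs whose many small bursts add up to a large outbound total. The record format, host names and addresses are assumptions made for the example.

```python
"""Egress checks for the two exfiltration traits described in the article:
a non-TLS protocol on the HTTPS port, and small bursts that add up.
Constructed sample data; not taken from the Mandiant report."""
from collections import defaultdict

# Constructed outbound flow records (assumed format):
# (src_host, dst_ip, dst_port, bytes_out, first_payload_bytes)
SAMPLE_FLOWS = [
    ("ws-12", "203.0.113.10", 443, 4200, bytes.fromhex("16030100")),  # genuine TLS ClientHello
    ("ws-12", "203.0.113.10", 443, 3900, bytes.fromhex("16030100")),
    ("ws-07", "198.51.100.5", 443, 61000, b"\x00\x13\x37\x01"),        # custom framing on 443
    ("ws-07", "198.51.100.5", 443, 59800, b"\x00\x13\x37\x02"),
    ("ws-03", "203.0.113.22", 80, 512, b"GET / HTTP/1.1\r\n"),         # ordinary web request
    ("ws-07", "198.51.100.5", 443, 60500, b"\x00\x13\x37\x03"),
]


def looks_like_tls(first_bytes):
    """A TLS record starts with content type 0x16 (handshake) followed by
    a 0x03 major version byte; anything else on port 443 is suspicious."""
    return (
        len(first_bytes) >= 3
        and first_bytes[0] == 0x16
        and first_bytes[1] == 0x03
        and first_bytes[2] <= 0x04
    )


def protocol_mismatches(flows, tls_port=443):
    """Flows that use the TLS port without speaking TLS."""
    return [f for f in flows if f[2] == tls_port and not looks_like_tls(f[4])]


def outbound_bytes_by_pair(flows):
    """Sum bytes sent per (source host, destination), so that many small
    bursts to one destination become visible as one large total."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes, _payload in flows:
        totals[(src, dst)] += nbytes
    return dict(totals)


def heavy_senders(flows, threshold_bytes):
    """Pairs whose cumulative outbound volume reaches the threshold."""
    totals = outbound_bytes_by_pair(flows)
    return sorted(pair for pair, total in totals.items() if total >= threshold_bytes)


if __name__ == "__main__":
    for flow in protocol_mismatches(SAMPLE_FLOWS):
        print("non-TLS on 443:", flow[0], "->", flow[1], flow[3], "bytes")
    for pair in heavy_senders(SAMPLE_FLOWS, 100_000):
        print("heavy outbound pair:", pair, outbound_bytes_by_pair(SAMPLE_FLOWS)[pair])
```

In the sample, the host `ws-07` is flagged by both checks: each of its three bursts is modest on its own, but none of them begins with a TLS record and together they exceed the volume threshold, which is the kind of signal an inbound-only monitoring setup never sees.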

APT attackers have used sniffers to grab headers from a company's authenticated proxy communications to dynamically create their own credentials to mimic the communication. They've also spoofed Yahoo and AOL SSL certificates and hijacked a victim's chat program to conduct communication between malware and command servers.

Two other methods they use to disguise their activity are process injections and so-called stub malware.

In a process injection, they introduce malicious code into a trusted process already running on a system to conceal malicious activity. Stub malware is code with only minimal functionality – to keep its footprint small. The attackers then remotely add new capabilities to it, which run in the network's virtual memory.

"They would simply code new executable segments that could be uploaded and executed via the stub's process in memory, without requiring a disk-write to succeed," the report notes. "It was difficult to detect these additional capabilities unless memory was analyzed at the same time the new capability was uploaded and executed."

Remediation

Many entities that are compromised by APT remain so even after they've instituted measures to rid themselves of the intruders, Mandia says. If they do manage to eradicate the intruders, the most they can hope for is a three- to six-month respite before the attackers return.

The worst thing a company can do, when it discovers a breach, is to shut down an infected system or remove it from the internet before understanding the extent of the breach. Otherwise, the attackers just switch tactics and focus on other parts of the network.

"If you do a remediation effort that fails, the sophistication of the next wave you deal with is higher," Mandia says.

Mandiant has seen malware and backdoors that were programmed to lie dormant for months – more than a year in one case – before awakening and sending a beacon to an external command center signaling that it was alive – long after the company thought it had eradicated the intruders.
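A beacon that announces itself to a command center on a fixed schedule is one of the few APT behaviours that stands out in outbound logs, because legitimate user traffic is irregular. The following is an added example, not code from the report or from Mandiant: it parses constructed proxy log lines of the assumed form `timestamp src dst bytes`, groups them by source/destination pair, and flags pairs whose inter-connection intervals are nearly constant (low coefficient of variation). The log format, host names, addresses and thresholds are all assumptions made for the example.

```python
"""Beacon detection over outbound connection logs.
Constructed sample data; the log format is assumed for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "timestamp src_host dst_ip bytes_out".
# ws-07 phones home once an hour with a few seconds of jitter;
# ws-12 is an ordinary user browsing at irregular times.
SAMPLE_LOG = """\
2010-01-10T08:00:00 ws-07 198.51.100.5 312
2010-01-10T08:00:03 ws-12 203.0.113.10 18233
2010-01-10T09:00:02 ws-07 198.51.100.5 310
2010-01-10T09:41:17 ws-12 203.0.113.10 5521
2010-01-10T10:00:01 ws-07 198.51.100.5 315
2010-01-10T11:00:00 ws-07 198.51.100.5 309
2010-01-10T11:20:45 ws-12 203.0.113.10 40110
2010-01-10T12:00:03 ws-07 198.51.100.5 313
2010-01-10T13:00:01 ws-07 198.51.100.5 311
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return events


def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation) for a sorted
    list of timestamps, or None when there are too few gaps to judge."""
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_cv=0.1, min_events=4):
    """Pairs whose connection cadence is regular enough to look automated.
    Returns (pair, rounded mean gap, rounded cv) tuples."""
    hits = []
    for pair, evs in parse_log(text).items():
        evs.sort()
        if len(evs) < min_events:
            continue
        score = beacon_score([t for t, _ in evs])
        if score is not None and score[1] <= max_cv:
            hits.append((pair, round(score[0]), round(score[1], 3)))
    return hits


if __name__ == "__main__":
    for pair, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {pair[0]} -> {pair[1]} every ~{gap}s (cv={cv})")
```

The coefficient of variation is used rather than the raw standard deviation so the same threshold works for a beacon every minute and one every day; a dormant implant that wakes up months later still produces this cadence once it starts, which is why the check is worth keeping in place well after a remediation effort appears to have succeeded.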

Last December, Mandia was about to eradicate malware from one network when it suddenly stopped beaconing to its command center. Symantec, the maker of the antivirus program on the network, had updated its virus definitions and the security software was now detecting and stopping the malware. Ordinarily this would be good news. But in an APT attack, this just means the attackers will install new malware that the antivirus program won't detect. And it generally doesn't take days to do this.

"New stuff was peppered on the network in under three hours," Mandia says.
