Persistent Malware Attacks

The revelation by McAfee last week has created some waves. Here are a few thoughts from an adversarial analysis perspective.

The thing that has gotten attention about this report is that it describes attacks by a single attacker and single vector that have lasted over a long period of time (more than 5 years) and have targeted governments, quasi-government organizations, and businesses in a sophisticated way. The attacks are being attributed to a particular state actor, for obvious reasons, but attribution is always murky in cyberspace so it’s (just) conceivable that someone else is responsible and covering themselves.

It was helpful to get this kind of information out into the public awareness. People on the inside (for several different values of inside) have known about these kinds of attacks, their frequency, and their huge impact for some time; but either haven’t wanted to or haven’t been allowed to reveal them.

The attacks themselves seem to have begun with a spear phishing attack on some mid-level person at each organization, so relatively unsophisticated but requiring substantial preliminary research. I’m not aware of any attempt to measure how easily spear phishing attacks work, but presumably with patience to try with enough spacing that nobody mentions it, not very much personalization is required. Once in, the attacks seem to have been quite sophisticated and long-lasting. Even after the report came out, several of the organizations were denying that they had been hacked. “Hacked and unaware” seems more likely than “not hacked” given that McAfee could see the IP logs.
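The "hacked and unaware" point rests on the fact that long-running implants leave a signature in network logs even when nothing on the host is noticed: the same workstation talking to the same outside address at regular intervals for months. The script below is an added illustration of that detection idea; it is not from the original post, from McAfee's report, or from any product mentioned. The log lines, hostnames, addresses and thresholds (`min_hits`, `max_jitter`, `min_span`) are all constructed for the example.

```python
"""Flag long-lived, regularly spaced outbound connections (beaconing) in proxy logs.

Added example for this post; the log format and every value in it are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample: "<timestamp> <source host> <destination IP> <bytes out>".
# ws-014 contacts 203.0.113.7 roughly once an hour; ws-022 browses a file host irregularly.
SAMPLE_LOG = """\
2011-03-01T09:00:00 ws-014 203.0.113.7 512
2011-03-01T09:12:00 ws-014 198.51.100.20 30400
2011-03-01T10:00:05 ws-014 203.0.113.7 498
2011-03-01T11:00:02 ws-014 203.0.113.7 530
2011-03-01T12:00:01 ws-014 203.0.113.7 501
2011-03-01T13:00:07 ws-014 203.0.113.7 515
2011-03-01T14:00:03 ws-014 203.0.113.7 522
2011-03-01T09:45:00 ws-022 198.51.100.20 12000
2011-03-01T16:20:00 ws-022 198.51.100.20 9800
2011-03-02T08:05:00 ws-022 198.51.100.20 20100
"""


def parse_log(text):
    """Group log lines by (source host, destination IP), sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    for key in events:
        events[key].sort()
    return events


def find_beacons(events, min_hits=5, max_jitter=0.05, min_span=timedelta(hours=4)):
    """Return (src, dst) pairs whose contacts are numerous, spread over a long
    window, and almost evenly spaced. Thresholds are illustrative assumptions:
    a real deployment tunes them per environment and whitelists known services."""
    findings = []
    for (src, dst), hits in events.items():
        if len(hits) < min_hits:
            continue
        times = [t for t, _ in hits]
        span = times[-1] - times[0]
        if span < min_span:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        # Coefficient of variation of the inter-arrival gaps: near zero means a timer, not a human.
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(hits),
                "period_s": period,
                "jitter": jitter,
                "span_hours": span.total_seconds() / 3600,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} contacts, "
              f"period {f['period_s']:.0f}s, jitter {f['jitter']:.3f}, "
              f"over {f['span_hours']:.1f}h")
```

On the constructed sample this flags only ws-014 talking to 203.0.113.7, because its six contacts sit almost exactly an hour apart; the file-host traffic from ws-022 is too sparse and too irregular to match. The same logic run over months of logs is what lets an outside party with log access conclude "hacked" while the organization itself still believes otherwise.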

Of course, since this is only one vector, it would be naive not to suppose that a number of other, broadly similar attacks are going on with other sources and vectors.

I did a fairly large number of media interviews about this report, and the obvious and common question that came up was: what did these organizations do wrong and what can be done to protect against these kinds of attacks? That’s a hard question to answer. Malware detection tools are in their infancy so, while running them is a good idea, they may not protect against sophisticated attacks very well. It doesn’t seem possible to protect completely against spear phishing, given the convenience of attachments. I received a number of emails from companies who claim that their approach/tools would have protected these organizations, but I didn’t see anything that looked like a substantial advance in the state of the art.

It may be that the time has come to do what the military and intelligence organizations do — to run separate networks that do not connect to the internet for anything that needs to be protected. This is, of course, relatively painful; and still not necessarily secure since data and software still need to be walked from one network to the other. But many organizations may need to take partial steps towards this kind of robust physical separation, since virtual separation is not working. In other words, firewalls don’t get the job done.
