Information Security Updates


Dark Seoul: On Mar 20, 2013, the hard drives of tens of thousands of computers in South Korea were suddenly wiped clean in a massive cyber-attack. The main targets were banks and news agencies. South Korea claimed that the attacks were launched from North Korea’s military intelligence agency. The malware was believed to have spread to the targeted computers by hackers going through 49 different places in 10 countries, including South Korea.

SecurityWeek – South Korea Probe Says North Behind Cyber Attack [2]

Stuxnet: In 2010, a worm called Stuxnet was found to be infecting supervisory control and data acquisition management systems produced by Siemens. Subsequent investigation revealed a cyber weapon designed to shut down Iran’s nuclear program by tampering with programmable logic controllers used in its nuclear fuel processing plant.

IEEE SPECTRUM – The Real Story of Stuxnet [3]


Advanced Persistent Threat

The term APT was first used by the U.S. Air Force back in 2006 to facilitate discussion about a set of intrusion activities with specific characteristics. These days, APT is often used to describe advanced or complex intrusive cyber attacks against specific targeted organizations over a long period of time. [1]

Richard Bejtlich [1] explained the components of the APT terminology as:

Advanced - means the attackers possess sophisticated hacking techniques and are skillful in using various hacking tools. Attackers are also capable of researching new vulnerabilities and developing custom exploits.

Persistent - means the attackers are not opportunistic intruders but instead are tasked to accomplish missions which can last for a long period of time.

Threat - means the attackers are organized, funded and motivated.

APT Specific Targets

The following types of organizations are specific targets of APT attacks because they hold a mass volume of sensitive information, such as source code, trade secrets and personal information, which usually helps the attacker gain a definite advantage, identify a weakness or, to a certain extent, gain the upper hand over the victim of the attack:

1) Healthcare firms

2) Universities

3) Financial institutions

4) Government entities.

Threat actor profiles [4]:

Organized Crime
  Victim Industry: Finance, Retail, Food
  Region of Operation: Eastern Europe, North America
  Common Actions: Tampering (Physical), Brute force (Hacking), Spyware (Malware), Capture stored data (Malware), Adminware (Malware), RAM Scraper (Malware)
  Targeted Assets: ATM, POS controller, POS terminal, Database, Desktop
  Desired Data: Payment cards, Credentials, Bank account info

State-Affiliated
  Victim Industry: Manufacturing, Professional, Transportation
  Region of Operation: East Asia (China)
  Common Actions: Backdoor (Malware), Phishing (Social), Command/Control (C2) (Malware, Hacking), Export data (Malware), Password dumper (Malware), Downloader (Malware), Stolen creds (Hacking)
  Targeted Assets: Laptop/desktop, File server, Mail server, Directory server
  Desired Data: Credentials, Internal organization data, Trade secrets, System info

Activists
  Victim Industry: Information, Public, Other Services
  Region of Operation: Western Europe, North America
  Common Actions: SQLi (Hacking), Stolen creds (Hacking), Brute force (Hacking), RFI (Hacking), Backdoor (Malware)
  Targeted Assets: Web application, Database, Mail server
  Desired Data: Personal Info, Credentials, Internal organization data

In February 2013, a private cyber security company, Mandiant, made a sensational revelation, claiming in a report that the PLA’s secretive Shanghai-based Unit No. 61398 is responsible for a wide range of cyber-attacks against US networks that resulted in the theft of hundreds of terabytes of data from some 141 organizations since 2006.

The US Government has a number of intelligence agencies with multi-billion dollar budgets and global reach that might have better knowledge of Chinese cyber activities in the US, such as the National Security Agency, for example. But that data the US keeps to itself, and US media has been quoting Mandiant’s revelation throughout 2013.

US-China cyber espionage comes under increased scrutiny [5]

APT vs Traditional Hacking

With these characteristics, APT attacks are different from conventional hacking. In conventional hacking, the attackers can be individuals who pick targets randomly and use popular hacking tools or readily available scripts. Their motives are either fun (defacing web sites) or monetary gain (stealing credit card information). They will move on to try another target if they fail to break in after spending a certain amount of effort.

For APT, the modus operandi is quite different from conventional hacking. First of all, the profile of the attackers can be state- or country-affiliated organized syndicates.

Bejtlich elaborated that the objectives of their attacks can be political (maintaining stability), economic (stealing intellectual property), technical (gaining access to source code for further exploit development) or military (identifying weaknesses for military advantage).

After identifying a target organization, the attackers will engage in reconnaissance to study the infrastructure of the target, the employee profiles and even the business partners of the target, trying to identify potential attack points. Attackers will then try different means to penetrate the target. A typical method is to craft a spear phishing email containing a malicious payload which can bypass anti-malware detection.

To increase the chances of the target clicking the malicious link or opening the attachment, attackers spend a lot of time researching the phishing target and the target system. Information is mined from a variety of sources including corporate blogs, Google searches, social media sites, etc.

Figure: APT1’s interaction with a spear phishing recipient

Figure: An example of a spear phishing email to LegCo member, Hon CHAN Chi-chuen [6]

In January 2013, a well-organized, sophisticated computer spy operation dubbed Red October was found to (still) be targeting high profile diplomats, governments and nuclear and energy research companies. The Red October operation used phishing emails purporting to be from companies’ HR departments. The attack covered 69 countries.

In April 2013, an AP journalist clicked on a spear phishing email disguised as a Twitter email. The phisher then hacked AP's Twitter account. Stock markets plunged after a phony tweet about an explosion at the White House, erasing $136.5 billion of value from the S&P 500 index.

In August 2013, a few days before Iran’s national election to choose a successor to President Mahmoud Ahmadinejad, thousands of Gmail account users in Iran were targeted in a phishing attack intended to influence the election.

Top 7 Phishing Scams of 2013 [7]

When an innocent employee is lured into acting on the phishing email, the malicious payload will be installed; it has a call-back feature to notify the attackers. The attackers will then start to control the computer remotely and further compromise more computers. According to their mission, the attackers will search for valuable information on the compromised computers and send it back surreptitiously.

Since the attackers may have funding supporting them, they can spend months or years on such operations. In order to stay stealthy and undetected, the attackers encrypt traffic between the compromised computers and their command centers, launch attacks from IP addresses that bounce in from different countries, and hide their activities by erasing records from the logs and using encryption.

Anatomy of APT Attacks

According to Mandiant / FireEye, the APT attack cycle typically contains the following stages [8]:

Initial Compromise - Represents the methods that attackers use to penetrate a target organization’s network, such as exploiting vulnerable Internet-facing web servers or spear phishing (an electronic message sent to a targeted victim with personalized message content which contains a malicious attachment, a link to a malicious file, or a link to a malicious website).

Establish Foothold – Attackers will access and control one or more computers within the victim environment. Backdoors will be installed which are used to establish an outbound connection from the victim’s network to a computer controlled by the attackers.

Escalate Privileges – Involves acquiring credentials that will allow attackers to access more resources within the victim environment. Techniques such as password harvesting and cracking will be used. Attackers will try to gain access to privileged and administrator accounts.

Internal Reconnaissance – This is the stage when attackers collect information about the compromised computers in order to learn about the internal network, users, groups, trust relationships, files and documents. Attackers may perform directory or network share listings, or search for data by file extension, keyword, or last modified date. File servers, email servers, and domain controllers are customary targets of internal reconnaissance.

Move Laterally – Attackers will move laterally within a network to compromise more computers in order to search for the data that they want.

Maintain Presence – Attackers will install backdoors to keep controlling the computers remotely from an outside network. These backdoors could be different from the ones installed during the Establish Foothold stage, in order to make it difficult to identify and remove all of their access points. Attackers are also skillful enough to cover their traces of compromise by deleting activity logs and encrypting communication traffic.

Complete Mission – Once the attackers are successful in finding files of interest on compromised computers, they often pack them into archive files and transfer them out using FTP, custom file transfer tools or backdoors.
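The stages above are useful to a defender precisely because they leave different kinds of evidence on the same host: a beacon, a credential dump, share listings, an archive and an outbound transfer. Any one of these happens legitimately; several of them on one machine is what the cycle predicts. The following Python is an added example, not code from the newsletter or from Mandiant / FireEye. The event names, the mapping of events to stages and the sample event records are all constructed for this illustration and do not correspond to any real product's schema.

```python
"""Correlate host events against the APT attack-cycle stages (added example)."""

# Attack-cycle stages as named in the newsletter (Mandiant / FireEye model).
STAGE_ORDER = [
    "Initial Compromise",
    "Establish Foothold",
    "Escalate Privileges",
    "Internal Reconnaissance",
    "Move Laterally",
    "Maintain Presence",
    "Complete Mission",
]

# Hypothetical mapping from endpoint/network event names to stages.
# These event names are assumptions for this example, not a real sensor's schema.
STAGE_OF_EVENT = {
    "phish_attachment_opened": "Initial Compromise",
    "outbound_beacon": "Establish Foothold",
    "credential_dump": "Escalate Privileges",
    "share_enumeration": "Internal Reconnaissance",
    "directory_query": "Internal Reconnaissance",
    "remote_service_created": "Move Laterally",
    "autorun_added": "Maintain Presence",
    "archive_created": "Complete Mission",
    "ftp_upload": "Complete Mission",
}

# Constructed sample events: (timestamp, host, event). Not real telemetry.
SAMPLE_EVENTS = [
    ("2014-09-01T09:02:11", "ws-hr-07", "phish_attachment_opened"),
    ("2014-09-01T09:02:40", "ws-hr-07", "outbound_beacon"),
    ("2014-09-01T10:15:03", "ws-lib-12", "share_enumeration"),  # a librarian browsing shares
    ("2014-09-02T02:11:58", "ws-hr-07", "credential_dump"),
    ("2014-09-02T02:20:14", "ws-hr-07", "directory_query"),
    ("2014-09-02T02:34:51", "srv-file-01", "archive_created"),  # nightly backup job
    ("2014-09-03T01:05:09", "ws-hr-07", "remote_service_created"),
    ("2014-09-04T23:48:30", "ws-hr-07", "archive_created"),
    ("2014-09-04T23:55:02", "ws-hr-07", "ftp_upload"),
]


def stage_progress(events, host):
    """Return the distinct attack-cycle stages observed for `host`, in cycle order."""
    seen = {STAGE_OF_EVENT[e] for _, h, e in events if h == host and e in STAGE_OF_EVENT}
    return [stage for stage in STAGE_ORDER if stage in seen]


def flag_hosts(events, min_stages=3):
    """Map each host that shows at least `min_stages` distinct stages to its stage list.

    A single stage (share browsing, a backup archive) is ordinary activity and is
    not flagged; the combination of several stages on one host is the signal.
    """
    flagged = {}
    for host in sorted({h for _, h, _ in events}):
        progress = stage_progress(events, host)
        if len(progress) >= min_stages:
            flagged[host] = progress
    return flagged


if __name__ == "__main__":
    for host, stages in flag_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Counting distinct stages rather than insisting on strict ordering matters in practice: backdoors are re-installed (Maintain Presence) and reconnaissance repeats throughout an intrusion, so an ordered-sequence rule would miss most real cases. The threshold of three stages is a tuning choice; a file server that legitimately creates archives and is queried for shares every night will sit at two.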

In December 2013, a man was arrested for his part in a phishing scam targeting UK college students. The scam sent emails inviting students to update their student loan details on a malicious site that took large amounts of money from their accounts.

Using spear phishing emails, a large and complex hacker group in China was said to have hacked more than 100 companies in the U.S. The hacker group is said to have stolen proprietary manufacturing processes, business plans, communications data, and much more.

Top 7 Phishing Scams of 2013 [7]

Implications to Universities

There is a massive number of computer systems in Universities, and Universities operate their IT environments quite openly.

Unlike corporate enterprises, not all systems are centrally protected by a consistent set of tightened security policies. Different faculties and departments may house their own systems and may even neglect to implement proper security protections.

Attackers sometimes find University computer systems easier to penetrate than corporate enterprises. They will use these compromised computer systems as intermediate stepping stones to attack the real targeted organizations, making it difficult to trace the attack back to its source.

Some attackers may be interested in research data and hence target certain computer systems in the Universities in order to gain access to that data. There are also times when attackers will attack Universities to steal personal information, which helps them craft more sophisticated phishing emails targeting the real victims in corporate enterprises.

Since APT attacks are becoming more common, Universities should be more aware of this threat in order to better defend against APT attacks.

Defending against APT

There is no single silver bullet to defend against APT attacks. Universities will have to consider implementing multiple controls in order to reduce the likelihood and impact of APT attacks.

1. Increase Staff and Student Awareness

One of the most common APT initial compromise attack vectors is phishing email. Staff and students should therefore be educated to increase their awareness of phishing and spear phishing email. If they receive an unexpected email which contains links or attachments, staff and students should be on alert and determine whether or not to act on the email. Relying on anti-malware programs to screen the email and attachments can be a good option, but do realize that some payloads can bypass anti-malware detection, so relying on anti-malware protection is not 100% safe.

In addition, staff and students should change their passwords often regardless of whether Universities enforce a periodic password change policy. Staff and students should also set different passwords across all University systems, external web applications and social media sites. This will reduce the impact if one of these systems is compromised and leaks credentials. If feasible, two-factor authentication should be enabled (e.g. remembering the sign-on device, using a token, etc.) to increase the difficulty of compromising an account.

Blackshades Trojan Malware infected over 500,000 computers across the world, through external links on websites and emails. Blackshades provides remote access control of a computer, enabling criminals to steal information or install Ransomware. An FBI-coordinated global investigation into the developers and purchasers of Blackshades Malware led to the National Crime Agency (NCA) making 17 arrests in the UK. CIFAS is working with the NCA to match Blackshades UK purchaser data against CIFAS, and provide the NCA National Cyber Crime Unit with information that can aid further arrests.

Problem Profile Bulletin: Malware Threats [10]

2. Strengthen Defense-in-depth Controls

Infrastructure, Application and Security teams should work together to ensure basic security controls are implemented in a defense-in-depth manner. For instance, firewalls with effective rule sets should be configured. Logs should be reviewed using Security Information and Event Management (SIEM) tools to automate event correlation and incident detection. Servers and network devices should be hardened and have the latest security patches applied in a timely manner. Remote access should be controlled by centralizing it through a landing server enforced with multi-factor authentication. Privileged accounts should be managed on a need-to-know basis, to avoid granting them to an excessive number of people or for an uncontrolled period of time.

Universities can also consider deploying a web application firewall or even APT protection / detection systems. Rule set tuning will be required to configure these systems to work properly and reduce false alarms. The security architecture should be designed in such a way that firewalls, IPS / IDS, web application firewalls and APT protection / detection systems work in a layered defense mode.

3. Segregate Systems in Different Network Zones

As explained in the anatomy section, APT attackers will try to move laterally to compromise more computers. Universities can better protect their computer systems by placing them in different protected network zones according to their functions or sensitivity. Even if one system is compromised, attackers cannot easily compromise nearby systems if they are placed in segregated network zones.

Figure: An example of network segregation that enhances the protection of systems in different network zones [9]

This is not a PDF file. It looks like the filename has a PDF extension but the file name actually includes 119 spaces after “.pdf” followed by “.exe” — the real file extension. APT1 even went to the trouble of turning the executable’s icon to an Adobe symbol to complete the ruse. However, this file is actually a dropper for a custom APT1 backdoor that we call WEBC2-QBP. [8]
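The padded-extension trick quoted above is easy to check for mechanically at the mail gateway or in an attachment-scanning script, because the disguise relies on what a mail client displays rather than on the bytes of the name. The Python below is an added example written for this newsletter page, not code from Mandiant or any product; the extension lists and the sample filenames are constructed for the illustration, and the function goes slightly beyond the quoted case by also catching plain double extensions such as name.pdf.exe.

```python
"""Flag attachment names that disguise an executable as a document (added example)."""

# Constructed lists for this example; extend them to match local policy.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}


def analyse_attachment_name(name):
    """Return a list of human-readable reasons the name looks deceptive (empty if clean)."""
    reasons = []
    parts = name.lower().split(".")
    # The operating system acts on the last extension, whatever the mail client shows.
    real_ext = parts[-1].strip()
    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"real extension is executable: .{real_ext}")
    # A run of spaces inside the name pushes the real extension off-screen in most
    # clients; this is the 119-space padding described in the APT1 report excerpt.
    if "  " in name:
        reasons.append("filename contains runs of whitespace before the real extension")
    # A document-like extension that is not the final one (name.pdf.exe, name.doc .scr).
    earlier = [p.strip() for p in parts[1:-1]]
    if any(p in DOCUMENT_EXTENSIONS for p in earlier) and real_ext not in DOCUMENT_EXTENSIONS:
        reasons.append("document-like extension hidden before the real one")
    return reasons


# Constructed sample names; the first one reproduces the padding trick from the excerpt.
SAMPLE_NAMES = [
    "Annual_Report.pdf" + " " * 119 + ".exe",
    "invoice.pdf.exe",
    "Annual_Report.pdf",
    "MH370.doc",
]


def scan(names):
    """Map each suspicious name (whitespace collapsed for display) to its reasons."""
    return {" ".join(n.split()): r for n in names if (r := analyse_attachment_name(n))}


if __name__ == "__main__":
    for shown, reasons in scan(SAMPLE_NAMES).items():
        print(shown, "->", "; ".join(reasons))
```

The check is deliberately conservative: a genuine .doc attachment, like the MH370 lure described in the next excerpt, passes it, because the deception there is in the document content rather than the name. Filename analysis complements, and does not replace, content scanning.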

The first spear phish from group “Admin@338” was sent to a foreign Government in the Asian Pacific region on March 10, 2014 – just two days after the flight disappeared. The threat actors sent a spearphishing email with an attachment titled, “Malaysian Airlines MH370.doc” (MD5: 9c43a26fe4538a373b7f5921055ddeae). Although threat actors often include some sort of “decoy content” upon successful exploitation (that is, a document representing what the recipient expected to open), in this case, the user is simply shown a blank document.

FireEye Blog [11]

4. Monitor Suspicious Traffic

APT attacks involve call-back traffic. Also, attackers will remotely control the compromised computers by connecting to the installed backdoors. If such network traffic can be monitored and identified, the indicators of compromise (IOC) can be quickly reviewed. Having said that, it may not be easy to differentiate the call-back and remote control traffic, because attackers can encrypt the traffic and use well-known ports for communication.

APT protection / detection systems specialize in detecting and even blocking such traffic. Some IPS / IDS are also capable of detecting unusual traffic patterns.

Universities can consider implementing these solutions at appropriate network access points.
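Encryption and well-known ports hide the content of call-back traffic but not its timing: a backdoor that checks in on a schedule produces connections whose gaps are far more regular than a person's browsing. The following Python is an added example, not code from the newsletter or from any IPS / IDS product; it measures inter-connection regularity per (source, destination, port) over constructed flow records using the coefficient of variation, with the 203.0.113.0/24 and 198.51.100.0/24 documentation address ranges standing in for external hosts.

```python
"""Detect periodic call-back (beacon) traffic in flow records (added example)."""
import statistics
from collections import defaultdict

# Constructed flow records: (epoch_seconds, src_host, dst_ip, dst_port). Not real traffic.
_BASE = 1_409_560_000
SAMPLE_FLOWS = []
# Beacon: one HTTPS connection roughly every 300 s with a little jitter.
for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 2]):
    SAMPLE_FLOWS.append((_BASE + 300 * i + jitter, "ws-hr-07", "203.0.113.10", 443))
# Ordinary browsing: bursts and long idle gaps to another HTTPS server.
for offset in [0, 7, 95, 120, 121, 400, 1510, 1515]:
    SAMPLE_FLOWS.append((_BASE + offset, "ws-lib-12", "198.51.100.20", 443))


def intervals_by_pair(flows):
    """Group flows by (src, dst, port) and return the sorted gaps between connections."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    gaps = {}
    for pair, ts_list in times.items():
        ts_list.sort()
        gaps[pair] = [b - a for a, b in zip(ts_list, ts_list[1:])]
    return gaps


def beacon_candidates(flows, min_connections=6, max_cv=0.1):
    """Return {pair: (mean_gap_seconds, coefficient_of_variation)} for regular talkers.

    The coefficient of variation (stdev / mean) is scale-free, so a 60 s beacon and a
    6-hour beacon are judged by the same threshold. Port and payload are ignored on
    purpose: the point is that encryption and port 443 do not change the timing.
    """
    found = {}
    for pair, gaps in intervals_by_pair(flows).items():
        if len(gaps) + 1 < min_connections:
            continue  # too few connections to call anything periodic
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            found[pair] = (round(mean_gap, 1), round(cv, 3))
    return found


if __name__ == "__main__":
    for (src, dst, port), (mean_gap, cv) in beacon_candidates(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{port}  every ~{mean_gap}s  (cv={cv})")
```

Two caveats a practitioner would apply before acting on the output: legitimate software (update checks, NTP, monitoring agents) is also periodic, so known destinations need an allowlist, and a backdoor that randomizes its sleep widely will show a higher coefficient of variation, which argues for a longer observation window and for combining this signal with the destination's reputation rather than using it alone.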

5. Improve Incident Response Capability

No organization is immune to cyber attacks. In fact, corporate enterprises are beginning to shift to a new mindset: they need to prepare for the worst, which is that they can become a victim. It is imperative for Universities to define an incident response process. Because an attack can compromise systems, networks and applications, the process should be backed by a taskforce consisting of representatives from the IT teams.

The team should be trained to respond to suspected and confirmed attacks, contain the compromised environment, collect logs and evidence, and perform forensic investigation.

The operational components of a security operations competency include a blended capability of technology, process, and people.

Conclusion

APT attacks are increasing on a global level.

More corporate enterprises have been reported by the media to have been APT targets and even victims. These attacks have even reached local Universities. APT attacks are certainly no myth, and the reality is that defenses are still playing catch-up. This reinforces the maxim that security is a process, not a one-off event or product.

Universities should start to pay attention to the threat, and consider implementing the recommendations to strengthen the protection of their infrastructure and of the sensitive information that they own.

References

1. "Understanding the advanced persistent threat" Jul. 2010. Web. 08 Sept. 2014.

2. "South Korea Probe Says North Behind Cyber Attack: Report" AFP. 09 Apr. 2013. Web. 04 Sept. 2014.

3. "The Real Story of Stuxnet" David Kushner. 26 Feb. 2013. Web. 04 Sept. 2014.

4. "Verizon 2013 Data Breach Investigations Report, 20% of external data breaches tie to state affiliated groups." 2013. Web. 04 Sept. 2014.

5. "US-China cyber espionage comes under increased scrutiny" Ivan Fursov, RT. 07 Nov. 2013. Web. 04 Sept. 2014.

6. "Ming Pao News, phishing email to LegCo Hon CHAN Chi-chuen" 04 Sept. 2014. Web. 04 Sept. 2014.

7. "Top 7 Phishing Scams of 2013" 26 Dec. 2013. Web. 04 Sept. 2014.

8. "Mandiant Releases Report Exposing One of China’s Cyber Espionage Groups" 19 Feb. 2013. Web. 04 Sept. 2014.

9. "IBM Tivoli Service Automation Manager – Extension for Juniper SRX Firewall, Background to the Firewall Extension" Web. 05 Sept. 2014.

10. "Problem Profile Bulletin: Malware Threats" June 2014. PDF. 05 Sept. 2014.

11. "Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370" 24 Mar. 2014. Web. 08 Sept. 2014.

Copyright Statement

All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”).

Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law.

A single copy of the materials available through this document may be made, solely for personal, non-commercial use.

Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document are listed below: copyright@jucc.edu.hk

Joint Universities Computer Centre Limited (JUCC) c/o Information Technology Services

The University of Hong Kong

Pokfulam Road, Hong Kong
