In October 2016, a new client approached the threat intelligence firm Cybereason, worried that it had been compromised in some sort of breach. In fact, it had---by, Cybereason now says, one of the world’s most notorious hacking groups: APT32.
At the time the client, a large international company based in Asia, didn't know which of its devices and servers the hack had impacted, or even whether a hack had definitively occurred. "They had seen a lot of weird stuff on their network," says Assaf Dahan, the director of advanced security at Cybereason.
The company was already using security products like firewalls, network filters, and scanners, but none had detected an intrusion. When Cybereason investigated, though, it started uncovering more and more suspicious and malicious activity. Ultimately, the security firm uncovered a large-scale assault that had lasted over a year, with what it sees as clear links back to APT32.
Also called OceanLotus Group, APT32 is known for sophisticated attacks on private companies, foreign governments, journalists, and activists alike. The group's known activity goes back to 2012, when the organization started attacking Chinese entities before expanding into hacks across Asia, including in Vietnam and the Philippines. And unlike other notorious groups, which tend to align at least indirectly with major state-sponsored hacking interests, APT32 often doesn’t adhere to the interests of prominent players like Russia or China.
Newly released details of the attack Cybereason discovered contribute to a growing understanding of how APT32 operates and its possible motives. Such "advanced persistent threats" take financial resources and man-hours to set up and then see all the way through, but the groups funding them can gain invaluable data in return.
In this case, Cybereason says that APT32 was clearly targeting intellectual property and confidential business information, and tracking the victim company's work on specific projects over time.
"The scale of this [attack] was quite alarming. This is not a mom and pop operation," Dahan says. "We could have kept it in the dark, we tried to protect our customers’ anonymity so we could have not published at all. But we felt that once we go public with it more security companies and maybe government agencies will notice it and help put a stop to this group."
In the incident Cybereason remediated, the firm traced the intrusion back to spear-phishing emails that enticed victims to download a phony Flash installer or malicious Microsoft Word document, and deposited malware on the network instead. Once established, the group used numerous vulnerability exploits and manipulations to move through the network and embed a variety of malicious programs.
The attackers used the Windows PowerShell configuration management tool, a popular hacker entry point, to establish malicious scripts within the system. Then they manipulated legitimate Windows network management services, like Windows Registry Autorun and Windows Scheduled Tasks, to perpetuate their malicious code indefinitely, so it would even endure when devices restarted. The attackers also exploited attributes of Microsoft Outlook, Google's Update application, and Kaspersky Labs anti-virus tools to bore deeper into the network. As it assessed the situation over a few weeks, Cybereason identified a diverse set of tools and techniques the attackers were using to persist on the network.
"They targeted the top-level management like VPs, directors, around 40 of their management staff including the CEO’s secretary," Dahan says. "They mapped out their targets very well. They knew who to exploit and where to move laterally once they were already inside the network. They knew exactly which machines were interesting for them."
Things really got interesting, though, when Cybereason started blocking the attackers. As the company moved to limit the group's presence on the network and ultimately evict them, the intruders began pulling out more and more unique attacks to re-establish themselves. Whereas many of their early efforts took advantage of known black-market hacking techniques, the culprits increasingly turned to custom-built tools as they waged war with Cybereason on the client network.
After blocking the attackers from the network, Cybereason says that they would resurge anywhere from 48 hours to four weeks later. In all, the attackers used over 70 different pieces of malware to carry out the various phases of the long-term attack. "They knew the network very well, they could have created many backdoors or openings to come back in, and they have enough tools in their arsenal," Dahan says. "It was really a cat and mouse game."
Researchers at security firms like FireEye have been tracking APT32's movements, and have noted characteristics like the use of both mainstream and custom tools, and the resources to persist for long periods of time. And researchers have already published about some of the exploits Cybereason saw in use.
Nicholas Carr, a senior manager of incident response at FireEye, has consulted in about a dozen APT32 infections, and says that the type of attack Cybereason describes would fit the APT32 mold, though he had not examined the Cybereason report. "It’s not surprising to hear that APT32 would be so determined to maintain network access," he says. "They’re interested in that longer-term access to newly developing situations. They have an impressive scale of command and control infrastructure."
Many questions about APT32 remain unanswered. FireEye says that the group's projects thus far seem to serve Vietnamese state interests, but there isn't yet a broader research consensus. Experts also have yet to affirm Cybereason's APT32 attribution in this particular case. But given the known examples of APT32 attacks, both those that have been analyzed publicly and those that firms have assessed internally, APT32 certainly has the resources and capabilities to execute devastating large-scale network attacks like the one Cybereason worked on, particularly for surveillance and data-exfiltration.
"If this group can manage multiple campaigns simultaneously that says a lot about them," Dahan notes. "It's a testimony to their ability, strength, and resourcefulness." By publicly exposing some of their techniques, though, Cybereason hopes to take APT32 down a peg.
Update, May 24, 2017, 10 am: Kaspersky Labs says that all current versions of its "flagship products" are able to detect and block the particular attack Cybereason observed the hackers using against Kaspersky anti-virus.
