Note: Though this blog references Advanced Persistent Threat Actors successfully infiltrating United States Election Support Systems, it should be noted that there is currently no indication that the integrity of elections data has been compromised. This blog is absent of any political affiliations or disinformation, intended only present facts as they are reported from United States Security and Intelligence Agencies.
October 9th, 2020:
Citing recent actions of Advanced Persistent Threat Actors, the Cybersecurity and Infrastructure Security Agency (CISA) releases a joint advisory alert in coordination with the Federal Bureau of Investigation (FBI).
The report details malicious activity of Russian State sponsored Advanced Persistent Threat (APT) Actors against U.S. State, local, territorial, and tribal (SLTT) government networks. They focused their attack on aviation networks as well.
Let’s translate, shall we?
Conceptualizing APTs: Getting Medieval
Advanced Persistent Threats (APTs), what are they?
Think about it like this:
Congratulations, you are now the king/queen of a very large kingdom. You live in a nice big castle. It’s a bit drafty, but great for entertaining guests.
As ruler of this Kingdom, it is quite literally your duty to protect the wellbeing of your people and the institutions for which your kingdom relies.
Imagine an adversarial kingdom gets hold of your military plans or schedules for shipments of goods. Maybe they obtain a map of the secret passageways in your castle. This could be incredibly damaging for the wellbeing of your kingdom.
Knowing this, you devise ways in which (to the best of your ability) you can protect your people. You mitigate the probability that an adversary can infiltrate and steal your valuable information or treasure.
However, your kingdom has grown quite large. And it is very difficult to defend every single acre and village under your control. It also just so happens that while your kingdom was growing, some people from adversarial kingdoms were getting very good at stealing things from you. And some other people from adversarial kingdoms were getting very good at learning secrets about how your kingdom operates.
You learn that these people are most likely residents of your enemy’s kingdom. Furthermore, their King/Queen is giving them money and resources to work against you. You learn these people are really good (like ninja good) at stealing treasure and information. You realize these breaches occur over very long periods of time without any guards noticing. Even with all the safeguards in place to stop this kind of thing from happening.
And just to keep you up at night, these enemies are targeting the most sensitive and valuable information and treasure that your kingdom possesses.
Clarifying Advanced Persistent Threats V.S. Advanced Persistent Threat Actors
We use the terminology “Advanced Persistent threats” (APTs) to categorize a specific type of threat. A threat where advanced hacking techniques used covertly over a long period of time (months or years) target large corporations or government entities.
Furthermore, most APTs are a product of foreign governments funding advanced hacking groups.
So if you worked for the U.S. Department of Defense, you might say “Our most critical area of cyber defense is protecting against Advanced Persistent Threats.”
Threat Actors
An Advanced Persistent Threat Actor is a hacker or group of hackers organized and funded by a government. Advanced Persistent Threat Actors are utilized by a foreign government to hack into top secret government systems of other nations. These Threat Actors might also be funded by foreign governments to hack into large companies like Apple or Google. They do this to steal valuable intellectual property or trade secrets.
Regarding this recent breach reported by the CISA and FBI, we would say “The advanced persistent threat actor responsible for this attack is a Russian state sponsored hacking group (threat actor) called Energetic Bear.
Think of our Kingdom.
As the ruler of this mythical Kingdom, we know that we must do everything we can to defend against Advanced Persistent Threats. Groups of spies and thieves organize under the banner of an enemy kingdom. This enemy kingdom funds efforts to learn about our military plans or access our secret information or steal our treasure.
In particular, a successful mission could mean we are vulnerable to extortion, blackmail, theft and potential out-maneuvering if a military conflict occurs. Additionally, the longer a threat actor is inside of our kingdom, the risk for additional breaches increases exponentially.
This is a great article exploring APT attacks, including signs indicating an attack and defense strategies against APTs.
Cyber Warfare and the United States
Now, understanding the concept of Advanced Persistent Threats, and the role of Advanced Persistent Threat Actors, let’s dig into what this looks like in the real world:
Specifically, Russia (among many other nations) really wants knowledge about what we (The United States) do and how we do it. Knowledge about our infrastructure, our people, our businesses, every bit of information having value in some capacity. We could get into geopolitical motivations, but for the sake of everyone’s sanity, let’s just focus on the facts.
Consequently, in early September, 2020, a group of cyber spies, hackers and thieves (with financial and technical resources provided by the Russian government) targeted U.S. government organizations, obtaining some pretty useful stuff.
Stuff like:
- Sensitive network configurations and passwords.
- Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
- IT instructions, such as requesting password resets.
- Vendors and purchasing information.
- Printing access badges.
Specifically, from what we can tell from the CISA and FBI joint statement, the threat actors began their attack by targeting unpatched legacy vulnerabilities in internet facing architecture.
Gaining initial entry through the exploitation of a vulnerability related to Fortinet FortiOS VPN (Virtual Private Network), they then likely followed the usual steps Advanced Persistent Threat Actors use in order to complete their mission. You can read more about that here.
In short, finding additional vulnerabilities in these networks and systems, these Russian state sponsored cyber spies uncover ways to access information and resources. Finding valuable intel, they copy or transfer this data to a location on their network in Russia (or wherever they set up shop.)
What can we do about Advanced Persistent Threats?
How nice is this?: The CISA and FBI communicated some ways in which defense against this APT attack and similar attacks can be achieved.
Well that’s great… but let’s remember this recent attack was successful. There is no doubt about this.
In at least “some instances” the CISA describes unauthorized access to elections support systems. As noted in the beginning of this post however, there is no indication pointing to tampering or compromising the integrity of this election data.
Nonetheless, systems were compromised. And the investigation is still ongoing. It is likely in the coming days/weeks/moths we will learn what exactly these Russian sponsored Advanced Persistent Threat Actors targeted. Additionally, will learn how much intel they were indeed able to obtain.
So, it makes you wonder… what can we even do to prevent this kind of thing from happening again?
Indeed, the answer to that question is equal parts simplistic and complex.
For instance, we keep our systems updated with security patches, we train our users to defend against social engineering. We implement the practice of least privilege access, and we monitor our environments for indicators of compromise.
However, when entire nations are targeting the United States, and their hackers are getting resources from their governments… it muddies the waters. Are we capable of completely defending against these complex threats?
Probably not.
But if we don’t at least do the best we can to avoid these kind of successful attacks against our U.S. government entities, we may as well just hand over the keys to Russia, or North Korea, Venezuela, Iran, China… if I keep going, we’ll have every major nation in the world listed here… You get the point.
Everyone plays the game, even us.