Advanced persistent threats — cyber attacks that target company secrets — can cost companies a significant amount of money and can even put them out of business. Even though these methods are nothing new, the attack combinations themselves are.
A vehicle with tinted windows had been parked within radio signal distance of the company for days. Concealed inside, a man with a laptop. One call to the CAZ (Cyber Allianz Zentrum, a cyber defense agency of the Bavarian Office for the Protection of the Constitution in Munich) and cyber sleuths were sent immediately to take a closer look at this suspected hacker.
However, they could not detect anything unusual. Why? Because the man in the car was not targeting the company that called, but a smaller business located in the same building. “The man was a private detective investigating a civil law case,” explained Florian Seitner from the CAZ.
This incident teaches us two things. First, this kind of method can actually be effective for gaining access to a company’s network. But second, many companies are aware of this sort of threat and have become very sensitive to such dangers. They are extremely cautious and quickly report any suspicious behavior.
Cyber Allianz Zentrum Bayern: 200 Calls in Two Years
The Cyber Allianz Zentrum Bayern has already registered 200 calls since its foundation in 2013. So far, it is the only institution of its kind in Germany, and its tasks include acting on reports of suspicious activities from companies, closely watching supposed hackers, evaluating the attacks, and investigating who is behind them. It is crucial that the whole process is kept completely anonymous.
“We guarantee all our clients that nothing about these incidents will become known to the public,” Seitner says. “That would be a great blow to the client’s reputation.” No company would call the CAZ otherwise.
The most dangerous attacks are meticulously planned and executed with great patience over an extended period of time.
Advanced persistent threat (APT)
Foreign intelligence services prepare each attack with elaborate social engineering, detailed research on a company’s product, and details on its business and leadership structure. Typical industrial espionage targets include a product’s detailed designs, sales strategies, and engineering information.
“The attacks are meticulously planned,” says Seitner. In the end, it all boils down to planting malware in the software, which then serves as the hacker’s free ticket into the company network. “A few years ago, intelligence services used undercover agents to infiltrate companies. Today, they use viruses and trojans.” Seitner speaks from the experience he gathered through previous involvement with intelligence services.
The attackers identify systems at partner companies or institutions of the target. Like a lion crouched at a watering hole, the attacker waits patiently for all the animals to come one by one, then chooses its victim among them. They know large companies are often equipped with the best cyber defenses and react to attacks earlier.
However, this is not necessarily the case for the many suppliers of the target. So the attacker infiltrates the supplier’s systems, leaving malware to lurk there until it can access the desired information. In this way, the communication chain can quickly become the security leak the attackers need to spread their malware through the targeted company’s system.
Hacker Strategy: A Professional Attacker Uses Many Methods
For an attack to be successful, a hacker needs to combine different methods:
- Phishing: Malware is hidden in an e-mail attachment or link that seems to come from a friend. When you open the attachment or click on the link, the malware infiltrates the computer.
- Social engineering: Intelligence services gain the information they need to access a company’s system through phone calls to employees or through personal connections.
- Zero days: This is what experts call the holes in a security system that the company is unaware of. By the time the company finds them, it can be sure there was not a day on which hackers weren’t taking full advantage of them. The only thing left to do is react as quickly as possible.
- USB stick: The attackers use USB sticks to infect computers with malware.
Hackers usually infiltrate a company’s system for one of two goals: cyber espionage or data sabotage. According to an E-Crime survey by KPMG in 2015, computer fraud (the unauthorized or wrongful use of data and interventions in computer processes) accounted for 37% of IT security crime in Germany. It is followed by espionage (32%), manipulation of financial and customer data (29%), and data theft (15%).
“Small and midsize companies are most at risk,” says Seitner. “Unlike big corporations, they can’t afford the technology to protect themselves.” Experience shows that some small companies don’t even expect to be targeted, thinking “We are so small and barely use the internet, so why would intelligence services want to attack us?” That is exactly the kind of mindset that makes a “watering hole” scenario possible.