Ferenț, Darius-Antoniu (2022), Analysis of cyber attacks such as APT (Advanced Persistent Threat) and ransomware, Intelligence Info, 2:1, 173-180, DOI: 10.58679/II70307, https://www.intelligenceinfo.org/analysis-of-cyber-attacks-such-as-apt-advanced-persistent-threat-and-ransomware/
In the information society, cyber attacks launched upon the information technology infrastructure are increasingly diversified and complex. Cybercriminals or black hat hackers use a wide range of techniques, tactics and procedures to compromise computer systems. APT and ransomware attacks are two cyber security threats that many companies and government institutions face. Ransomware is a medium complexity attack, while APT is a high complexity cyber attack. The emergence of certain hybrid malicious programs (computer worm-ransomware) and the diversification of attack vectors represent new challenges for specialists and organizations.
Keywords: ransomware, Advanced Persistent Threat, hybrid malware, CryptoWorms, cyber threat, computer system
INTELLIGENCE INFO, Volume 2, Number 1, March 2023, pp. 173-180
ISSN 2821 – 8159, ISSN – L 2821 – 8159, DOI: 10.58679/II70307
© 2022 Darius-Antoniu Ferenț. Responsibility for the content, interpretations and opinions expressed rests exclusively with the authors.
Analysis of cyber attacks such as APT (Advanced Persistent Threat) and ransomware
Doctoral Candidate Darius-Antoniu Ferenț
This paper is meant to present two particularly dangerous cyber attacks for an organization’s IT systems (ransomware and Advanced Persistent Threat), focusing on the techniques and procedures that attackers use to launch these attacks.
The purpose of this paper is to highlight how ransomware attacks have evolved, dividing them into three generations (1GR, 2GR, 3GR) and a new, still developing era, namely the CryptoWorms (a self-propagating type of ransomware). In this study we show why the human factor can be a vulnerability that attackers are interested in exploiting. Moreover, this article also mentions some ways in which the IT&C structure experts within organizations can prevent the IT infrastructure from being infected with this malware. At the same time, we describe the persistent hacking tactics used by hacker groups launching APT attacks.
To achieve all this, we used reports and newsletters, papers and specialized articles in the field of cyber security.
2. Cyber attacks of the Advanced Persistent Threat type
A cyber attack is a “hostile action carried out in cyberspace which is likely to affect cyber security” (SRI [Romanian Intelligence Service] 2019).
Cyber security threats have evolved over the years. Twenty years ago, the computer virus and the computer worm were the main concern; today, the threats that trouble cyber security specialists, as well as ordinary users of computing devices, are increasingly complex and diversified and have a growing impact on IT&C systems and computer networks. The main cyber attacks are carried out with malicious programs, by disrupting existing services (DoS, DDoS), by targeting electronic messaging and web applications, or by conducting APT (Advanced Persistent Threat) attacks (Mihai, Ciuchi, Petrică 2018, p. 33).
Most of today’s cybercriminals or Black Hat hackers are not script kiddies who attack networks and servers out of juvenile mischief. Hackers have extensive technical knowledge and plan a cyber attack in detail. They gather information on the target organization and collect technical data about the IT&C infrastructure of the company or institution (the servers and operating systems used, their versions, IP addresses, open ports, and vulnerabilities of the IT&C systems) (Ferenț 2022, p. 77), and they analyze the economic and financial strength of the company and the losses that a cyber attack could cause it. Hackers study their targets for long periods of time (months or even years) and use powerful tools to successfully launch a cyber attack on the IT systems of a firm, company or institution.
In the information society, cyber attacks launched on IT&C infrastructure are increasingly diversified and complex, with cybercriminals (hackers) using a wide range of new tactics alongside older ones that have proven useful in the hacking process. These tactics are combined with advanced and powerful technologies, which give the attacker the upper hand. Hackers conducting Advanced Persistent Threat cyber attacks use persistent hacking procedures and tactics to gain entry into an IT&C system and to retain access to the compromised cyber infrastructure for an extended period of time while remaining undetected. To maintain access to the system, hackers leave a backdoor. Attackers may also scan for system and network vulnerabilities or use the watering hole technique. These cyber attacks, initiated by hacker groups supported by state actors (the Russian Federation, the People’s Republic of China), pose a threat to national security, as they target IT systems and networks within sectors classified as critical infrastructures. Hacker groups launching Advanced Persistent Threat attacks aim to obtain classified information and to compromise infrastructures in vital sectors of society (e.g. the energy distribution system, industrial facilities) (CNC 2018). Cyber attacks launched against Romania’s information networks can have serious consequences, such as the interruption of key processes, financial losses or even the loss of human lives (Vevera 2018, p. 28).
Companies and state institutions can reduce their risk of being compromised by a state actor-launched attack by implementing cyber security measures: vulnerability scanning, network traffic scanning via the use of IPS (Intrusion Prevention System) and IDS (Intrusion Detection System) devices, firewall scanning (which handles application and port traffic), software updates, Penetration Testing and employee training.
In order to have a clear picture of the risk of Advanced Persistent Threat attacks, it is necessary to establish a notification system for APT attacks, similar to the national terrorist alert system. I believe that a National Alert System for APT attacks should have four levels, each distinctly marked by a color:
LOW – established and maintained as long as there is a very low risk of an APT attack targeting sectors considered critical infrastructure (e.g. government, financial-banking, military, national security, production and distribution of energy, or industrial facilities of strategic importance).
PRECAUTION – established and maintained as long as there is a risk of an APT cyber attack, but the probability of such an attack being launched on a sector considered critical infrastructure is low.
HIGH – established and maintained as long as there is a significant risk of an APT attack and the probability that one or more sectors in the critical infrastructure category will be targeted is high.
CRITICAL – established and maintained as long as there is a very high risk of an APT attack that may affect the operation of one or more sectors considered critical infrastructures. This alert level can be set during an attack launched by a state entity that may have a major impact, as well as after such an attack, when a second wave with an equally high impact is expected.
3. Ransomware cyber attacks
Ransomware is a threat to computer systems and networks. This malicious software “encrypts the hard disk or SSD, information and data on a computer or an entire network, demanding a certain amount of money for decryption.” (Ferenț 2022, p.40). Until the appearance of the ransomware known as Petya, cyber security specialists were faced with two categories of ransomware, or generations, if we may say so.
The first generation of ransomware refers to malicious software that can block a computer or smartphone screen and thus the user can no longer access their computing device. Screen lockers fall into this category (Bitdefender 2019). They are considered a mild and less dangerous form of ransomware.
The second generation refers to crypto-ransomware, malicious software that encrypts files. This crypto-ransomware can also encrypt cloud backups (Bitdefender 2019) and demands that the victim pay a sum of money (in dollars, Bitcoin or another virtual currency) in order to recover their data. After file encryption has been completed, a message appears on the device’s screen informing the victim that, unless the payment is made, the data cannot be decrypted. Unfortunately, second-generation ransomware brings attackers over a billion dollars annually (Bitdefender 2019), sums paid by the users of affected devices in the hope that the hacker will hand over the decryption key and thus allow them to recover their data and files. In reality, it is highly unlikely that the victim will receive the decryption key. Even if the victim does receive the decryption key, the computing device still remains vulnerable to various types of attacks.
The third generation of ransomware appeared in 2017, when many computer systems around the world were affected by the NotPetya/GoldenEye ransomware campaign. This category includes ransomware that can encrypt entire disk drives. In addition, these attacks prevent the user from even starting the operating system (Bitdefender 2019). NotPetya affected numerous public and private entities worldwide, causing damage to extremely important sectors, some of them considered critical infrastructures: the energy, transport and financial sectors (National Cyberint Center [CNC] 2018). In the same year, WannaCry wreaked havoc worldwide, with numerous companies and institutions affected by this ransomware. WannaCry affected hundreds of thousands of computers in about a hundred countries (National Cyber Security Directorate [DNSC] 2017a). Even the healthcare system in Great Britain was a target of this ransomware campaign (DNSC 2017b).
Ransomware attacks aimed at the healthcare sector also took place in Romania, mainly in 2019. The specialists of the Cyberint National Center mentioned that “attacks on the medical sector in Romania are part of a trend observed at an international level” (CNC 2019). The fact that healthcare will continue to be a preferred target for attackers should be of concern to cyber security specialists within the national security structures, as the healthcare sector is part of the critical infrastructure category.
In 2021, ransomware cyber attacks remained at a high level nationally, affecting the IT&C infrastructures of some institutions in the healthcare sector. Clinical Hospital no. 1 CF Witting in Bucharest was the target of a ransomware attack from the Phobos family (CNC 2022). After the data and information on the computing device have been encrypted by the Phobos malware, the victim is asked to “send a message to an anonymous email address to establish the decryption price, which varies depending on the company’s profile and the turnover.” (DNSC 2019). In the biannual bulletins published by the National Cyberint Center, attention was drawn to the danger of these attacks, which sometimes target sectors belonging to the critical infrastructure category of some states. In 2021, the IT&C infrastructure of Colonial Pipeline, the largest operator of oil pipelines in the United States of America, was the target of a ransomware attack that interrupted oil transportation through the company’s pipelines for five days (CNC 2022).
The emergence of third-generation ransomware does not mean that the second generation is history and that this type of ransomware attack can no longer be carried out. On the contrary, hackers will show interest in carrying out attacks both with 2GR (second-generation ransomware) and with malicious software whose characteristics can be classified as 3GR (third-generation ransomware). Screen-locker ransomware has not been left behind either, since ransomware that will later be used to launch such attacks can be purchased on the Dark Web and on various forums frequented by hackers and cybercriminals. The marketing of ransomware has led to an increase in the number of attacks, which has also been felt at the national level. The three generations (1GR, 2GR, 3GR) should be seen as stages in the evolution and increasing complexity of ransomware families.
The emergence of hybrid malware (for example: computer worm-ransomware, computer worm-rootkit) is a challenge for cyber security specialists, as this type of malware can fool network security systems (Imam 2020). Some malicious programs, such as ransomware, manage to infect files in an IT&C system and then spread to other hosts within the IT infrastructure. This multiplication is specific to computer worms, so the attackers have in effect created a hybrid malicious program (self-propagating ransomware – CryptoWorms).
Given that a ransomware cyber attack affects the integrity and availability of data and information, an organization’s IT structure and leadership should understand how the process of compromising the IT&C infrastructure (the Cyber Kill Chain) unfolds in the event of a ransomware attack. Being aware of this process will help organizations understand what security measures and policies are required to ensure effective security management of IT&C systems. Taking into account that this malware can spread through spam emails, institutions, companies and firms should train their employees in IT&C security and thus develop their cyber security culture. In this sense, the implementation of a guide for the safe use of the institutional (work) e-mail service would be a useful step.
Hackers look for a vulnerability or a malfunction in order to infiltrate an organization’s computer network. In addition to software flaws and vulnerabilities, the human factor can also be a weak point that attackers are interested in exploiting. Malicious actors turn their attention to employees holding privileges in the information system or to other users who, through indifference or poor training, can fall into the trap of social engineering. One of the social engineering techniques that attackers can resort to is the USB key drop (the lost USB flash drive technique), through which the employee introduces the malicious code into the institution’s or company’s IT equipment. The hacker leaves the code on a USB flash drive, which will be automatically installed when the drive is plugged into the computer (Bucharest Polytechnic University 2017, p. 78). Ransomware attacks are also successful when an end user within the organization clicks on a suspicious file received by email.
Ransomware malware can be divided into three generations (3GR), depending on the complexity of the cyber attack and the impact on compromised computer systems. While the first two generations are characterized by low-complexity attacks, the third generation of ransomware, which emerged with the NotPetya/GoldenEye malware campaign, is of medium complexity. Hybrid malware is a new stage in the creation of much more sophisticated malicious programs, so ransomware campaigns will become much more effective over time. They will, of course, take advantage of the vulnerabilities that exist within organizations and of the failure to implement cyber security measures (training of end users within companies and institutions, vulnerability scanning and software updating, use of devices that actively and passively scan network traffic based on signatures).
The human factor continues to be a vulnerability for organizations. Hackers carrying out ransomware cyber attacks can resort to social engineering to manipulate an employee of the firm, company or institution into clicking on an infected file received by email. As a result, the development by the IT&C structure of a guide for the safe use of the work email is a necessary step. In the case of APT cyber threats, attackers use hacking tactics that allow them to break into the computer network without being identified during the initial attack phase, and they manage to retain access to the compromised systems. Both Advanced Persistent Threat cyber attacks and ransomware attacks can target critical infrastructure institutions.
- Romanian Intelligence Service (SRI) 2019. Glossary of cyber security terms.
- Bitdefender 2019. Malwareev’s Table: The Ransomware Element. https://www.bitdefender.ro/blog/consumer/tabelul-lui-malwareev-elementul-ransomware/.
- National Cyberint Center (CNC) 2018. Cyberint Bulletin, 1st semester – 2018. https://www.sri.ro/assets/files/publicatii/BULETIN-CYBERINT-20x20cm.pdf.
- National Cyber Security Directorate (DNSC) 2017a. Update: The threat with the WannaCry ransomware campaign remains. https://cert.ro/citeste/update-ransomware-wannacry.
- National Cyber Security Directorate (DNSC) 2017b. WannaCry: A ransomware threat with global victims. https://cert.ro/citeste/wannacry-ransomware-alerta.
- National Cyber Security Directorate (DNSC) 2019. Alert: A new wave of ransomware affects healthcare institutions. https://dnsc.ro/citeste/alert-un-nou-val-de-ransomware-affects-the-institutions-in-the-field-of-health.
- National Cyberint Center (CNC) 2019. Cyberint Bulletin, 2nd semester – 2019. https://www.sri.ro/assets/files/publicatii/buletin-cyber-sem-2-2019-modif-10-09-2019.pdf.
- National Cyberint Center (CNC) 2022. Cyberint Bulletin, 1st semester – 2022. https://www.sri.ro/assets/files/publicatii/buletin-cyber-sem-1-2022-RO.pdf.
- Ferenț, Darius-Antoniu 2022. Ghid de securitate cibernetică. [Guide to cyber security]. Cluj-Napoca: Science Book House.
- Imam, Fakhar 2020. Malware spotlight: Hybrid malware. https://resources.infosecinstitute.com/topic/malware-spotlight-hybrid-malware/.
- Mihai, Ioan-Cosmin, Ciuchi, Costel, Petrică, Gabriel-Marius 2018. Current challenges in the field of cyber security – impact and Romania’s contribution in the field. Bucharest.
- Bucharest Polytechnic University 2017. Computer networks – course. Bucharest.
- Vevera, Adrian Victor 2018. From cyber threat to hostile action in cyber space. Romanian Journal of Informatics and Automation, vol. 28, no. 3. https://rria.ici.ro/wp-content/uploads/2018/10/art.2_RRIA_Victor-Vevera.pdf.