UMUC
March 30, 2013
According to a 2011 white paper published by the computer security firm Symantec, security analysts identified an effective and well-coordinated cyber threat primarily directed against the American private sector (Chien & O'Gorman, 2011). Codenamed "Nitro", the attack initially targeted human rights organizations and automotive manufacturers as early as April 2011. Although 48 companies across a wide range of industries were affected, by July 2011 the focus of the cyberattack shifted solely to organizations in the chemical sector. Twenty-nine companies from this industry were affected, with DuPont among the most heavily targeted (Prince, 2011). As one of the world’s largest chemical manufacturers, DuPont holds lucrative patents including Teflon and Kevlar (DuPont, 2013). It is this type of intellectual property that researchers believe was the intended target for industrial spies. This incident is representative of a growing type of cyberattack commonly known as advanced persistent threats (APT).
By their very nature, APTs are carried out by countries or organizations with the resources and knowledge to launch coordinated and prolonged cyberattacks on protected networks. Groups that employ APTs generally target companies or government agencies, seeking lucrative intellectual property or classified government information. The motivations for the type of attack DuPont experienced range from financial to geopolitical, and the threat actors have been known to use a variety of methods to gain entry into hardened networks. To combat this growing danger, organizations must adopt a defense-in-depth approach to cybersecurity that not only protects digital infrastructure but also discourages future attacks.
Threat Category
The first APT was seen as early as 1998, when analysts identified a series of cyberattacks against the Pentagon, NASA and the US Department of Energy. It has only been in the last few years, however, that this innovative threat has been used with increasing frequency and effectiveness (Smiraus & Jasek, 2011). Each part of the name “Advanced Persistent Threat” represents an important characteristic of this threat category. APTs are advanced in that they represent an innovative and adaptive cyberattack. Actors employing this approach are well-versed in a variety of technical and non-technical exploitation methods for gaining entry into a targeted network. They use publicly available hacking tools or more sophisticated techniques, depending on the level of network defenses. APTs are persistent in that targets are carefully researched and the attack meticulously planned. Actors using this approach often require prolonged access to their targets and have the capability to exploit a network for months or even years to obtain the intended information. Finally, APTs are carried out by a special category of hackers. Individuals generally lack access to the technical and personnel resources necessary to carry out these attacks. The majority of APTs identified are estimated to have been carried out by nation-states or criminal organizations (Scully, 2011). Identified by Symantec during the "Nitro" hack, these characteristics are important pieces of information when determining likely attackers (Chien & O'Gorman, 2011).
Likely Threat Actors
When analyzing what types of attackers could carry out a cybercrime, it is important to assess motivation and means. While these factors will be discussed in more detail later, it is important to note that all that is required for an APT “…is an aggressor with a motive and a few tens of thousands of dollars” (Scully, 2011, p. 200). This means APTs are available options to corporate adversaries, organized crime groups and hacktivists alike. Historically, however, APTs are forms of attack believed to be carried out by nation-states. Since 2010, there has been an increasing amount of evidence pointing to China as one of the most active users of this form of cyberwarfare.
As early as 2006, McAfee began tracking a five-year-long cyber campaign called Operation Shady. The intrusion targeted over 70 public and private organizations throughout 14 nations (McDonald, 2011). In a more recent example, the security encryption firm RSA was hacked in 2012. Experts believe the culprits used the information they obtained to carry out additional attacks against the defense contractor Lockheed Martin. Based on a growing database of techniques and motives, experts believe the culprits behind both attacks and the 2011 attack on the chemical sector to be hackers located in China (McDonald, 2011).
Motivation
Historically, APT attacks have targeted private industry trade secrets or classified government data. Attackers’ motivations have included political activism, economic espionage, or traditional warfare (Chien & O'Gorman, 2011). APTs are used in these cases because this type of information is often stored within well-protected networks. As a result, hackers seeking this data must resort to a prolonged and sophisticated approach to attack targeted networks. Over the last few years, hackers have penetrated the networks of defense contractors, computer chip manufacturers, and mining companies. The type of information exfiltrated has ranged from blueprints to chemical formulas (Riley, 2012).
As one of the world’s largest and oldest pioneers of industrial chemicals, DuPont invests a significant amount of revenue in research and design activities. This is evident from the company’s product page, which boasts over 1,400 new products and 2,000 filed patents (DuPont, 2013). Over the last few years, government agencies and corporate security firms alike have warned that China has actively engaged in cyberwarfare for both industrial and traditional espionage purposes. The 2011 attack on DuPont and the chemical sector appears to follow this pattern, with the attacker’s goal being “…intellectual property such as design documents, formulas, and manufacturing processes” (Chien & O'Gorman, 2011, p. 1).
Targeted Assets
Although the "Nitro" attack initially targeted human rights organizations and auto manufacturers, the majority of companies affected came from the chemical sector. This included a number of Fortune 500 companies involved in the development of advanced materials for both corporate and military uses (Chien & O'Gorman, 2011). The perpetrator behind the intrusions appeared to be after intellectual property from the various chemical companies. Proprietary information from these companies represents a significant investment in both time and financial resources. Illicitly obtaining this type of information provides nations or companies with the means to significantly enhance their own research and development activities at a fraction of the cost. Based on their findings, Symantec’s researchers believe the purpose of the 2011 penetrations to be “industrial espionage, collecting intellectual property for competitive advantage” (McDonald, 2011).
Means of Attack
According to historical analysis, the most prevalent type of APT begins with a social engineering attack (Smiraus & Jasek, 2011). Hackers used a similar two-pronged tactic against DuPont and other targeted organizations in 2011. Specific emails were sent to recipients within each company claiming to be from known business associates, while a more generalized email was sent to hundreds of random employees appearing to be a security update. The emails were actually Trojans containing a self-extracting executable file named Poison Ivy. Poison Ivy is a commonly available Remote Access Tool (RAT) developed by a Chinese national. Once executed, the program provides an attacker with complete control over a target’s computer. After installation, the Poison Ivy program contacted a command and control (C&C) server using TCP port 80. Attackers used the program to gather information about the compromised system, including the “infected computer’s IP address, the names of all other computers in the workgroup or domain, and dumps of Windows cached password hashes” (Chien & O'Gorman, 2011, p. 2). With this information, hackers began exploring the network looking for domain administrator credentials in order to gain access to computers storing the desired information. The last part of the attack differed depending on the targeted system. In most of the cases, however, once the attackers gained access to the targeted information, it was copied to internal system archives. The data was then uploaded to remote servers to finalize the exfiltration and complete the cyberattack.
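The C&C and exfiltration behaviour just described leaves traces a defender can look for in perimeter logs: a compromised workstation checking in with a remote server on TCP port 80 at regular intervals, and a large one-off upload to an external address when the staged archive leaves the network. The script below is an added example, not part of the original essay or of Symantec's report. It runs over a constructed, simplified outbound-connection log (timestamp, source host, destination IP, port, bytes sent) and flags both patterns; the log format, host names, the documentation IP ranges standing in for external servers, and the thresholds are all assumptions.

```python
"""Flag C&C beaconing and bulk exfiltration in outbound-connection records.

Added example; not part of the original essay. Log format, hosts, addresses
and thresholds are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample export from a perimeter device: one record per outbound
# TCP connection -> "timestamp source_host destination_ip port bytes_sent".
# WS-114 checks in with a raw external IP on TCP/80 every ~5 minutes (the
# RAT's C&C pattern); WS-207 is ordinary browsing; FS-02 performs one large
# upload standing in for the final exfiltration of the staged archive.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used here as
# stand-ins for external addresses.
SAMPLE_LOG = """\
2011-07-12T09:00:03 WS-114 203.0.113.8 80 412
2011-07-12T09:05:01 WS-114 203.0.113.8 80 398
2011-07-12T09:10:04 WS-114 203.0.113.8 80 405
2011-07-12T09:15:02 WS-114 203.0.113.8 80 411
2011-07-12T09:20:03 WS-114 203.0.113.8 80 400
2011-07-12T09:25:05 WS-114 203.0.113.8 80 407
2011-07-12T09:01:40 WS-207 198.51.100.20 80 1532
2011-07-12T09:17:12 WS-207 198.51.100.21 443 9811
2011-07-12T09:44:55 WS-207 198.51.100.20 80 2210
2011-07-12T10:12:09 WS-207 198.51.100.22 443 730
2011-07-12T11:03:30 FS-02 203.0.113.44 80 734003200
"""

# Address space treated as internal; anything else counts as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    port: int
    sent: int


def parse_log(text):
    """Parse the whitespace-separated sample format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, sent = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(port), int(sent)))
    return conns


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_beacons(conns, min_count=5, max_cv=0.10):
    """Group connections by (src, dst, port) and flag groups whose timing is
    suspiciously regular: enough connections, and a coefficient of variation
    (std dev / mean) of the inter-connection gaps at or below max_cv."""
    groups = defaultdict(list)
    for c in conns:
        if is_external(c.dst):
            groups[(c.src, c.dst, c.port)].append(c.ts)
    hits = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "count": len(times), "interval_s": round(avg),
                         "cv": round(cv, 3)})
    return hits


def find_large_uploads(conns, min_bytes=100_000_000):
    """Flag single connections that push an unusually large volume outward."""
    return [{"src": c.src, "dst": c.dst, "port": c.port, "sent": c.sent}
            for c in conns if is_external(c.dst) and c.sent >= min_bytes]


def analyze(text):
    conns = parse_log(text)
    return {"beacons": find_beacons(conns), "uploads": find_large_uploads(conns)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

The interval test uses the coefficient of variation of the gaps between connections, so a host that checks in every five minutes stands out even though each check-in is only a few hundred bytes, while ordinary browsing, with irregular timing and few connections per destination, passes. A real deployment would exclude the corporate proxy and known update servers and tune the volume threshold to the site, which is why both are parameters rather than fixed values.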
Description of Attackers
The growing consensus throughout the cybersecurity community is that the Chinese government is one of the most active state sponsors of cyber espionage. Conclusively proving this theory and identifying specific attackers, however, has been problematic. In the DuPont hack, Symantec was actually able to trace the attacks back to a single individual. This level of detail was obtained by tracking the original attack back to a virtual private server in the United States. This in turn was connected to an individual known as Covert Grove, who was later identified as a Chinese male in his 20s living in the Hebei region of China (Chien & O'Gorman, 2011). Security experts have become increasingly successful at tracing attacks back to specific IP addresses; however, proving who was actually behind the attack has been more elusive. In the 2011 attack on DuPont, Symantec was unable to determine if Covert Grove acted alone or was employed by a third party. Symantec theorized that the level of expertise needed to carry out the attack suggests Chinese government or military involvement. This theory, however, has been difficult to prove. China has both the largest population of internet users in the world and some of the poorest security practices (McDonald, 2011). Even when a hacker’s IP address can be traced back to mainland China, the Chinese government has plausible deniability in the fact that computers are easily hijacked and IP addresses spoofed (Mandiant, 2013).
How to Discourage Future Incidents
Although the high-profile attack on various chemical companies in 2011 was newsworthy, it was not the first cyberattack targeting DuPont. In fact, the chemical company was attacked by Chinese hackers twice between 2009 and 2010. This information was kept secret by DuPont until a separate cyberattack by the hacktivist group Anonymous uncovered confidential emails about the incident and released them to the public (Riley & Forden, 2011). Not only were these attacks kept secret from the public, but they were also held back from the company’s investors. DuPont’s 10-K filings with the Securities and Exchange Commission (SEC) during this period failed to even mention cyberattacks as a significant risk to the company (Riley, 2012). DuPont’s response to this incident has been the typical reaction from most publicly traded companies. Many organizations believe that any disclosure of cyberattacks may equate to a damaged reputation or a drop in stock price. Companies believe these negative consequences outweigh any potential benefit from sharing details of the attack and lessons learned with other organizations (Smiraus & Jasek, 2011).
Efforts to compel companies to be more forthcoming with details of attacks have been sporadic at best. Federal laws such as the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability Act of 1996 require companies in certain industries to report cyberattacks (Scully, 2011). Although these regulations require companies to report attacks, the SEC’s interpretation is that the amount of information required to be disclosed “…will depend on whether company lawyers determine the incidents had, or will have, a material effect on the enterprise” (Riley, 2012). This leaves room for interpretation among companies and across industries. Many in the cybersecurity community believe, however, that disclosure and information exchange are among the most important tools in discouraging future cyberattacks. This principle was further emphasized by President Obama in February 2013 when he signed a presidential directive outlining information sharing between the public and private sectors on matters of cybersecurity. The executive order takes an innovative approach in that it directs the Department of Homeland Security to share classified cybersecurity threat information with private organizations (Zetter, 2013). The theory behind this approach is that with relevant threat detail, private companies will have the intelligence, and perhaps the motivation, to better safeguard their digital infrastructure from impending attacks.
How to Defend Against Similar Threats
Information sharing is an important component in protecting against cyberattacks, but it must be used in conjunction with a robust security plan. A common method used to better understand what organizational risks exist is the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) framework. This technique provides organizations with a tool to develop individual threat profiles based on critical assets and vulnerabilities (UMUC, 2013). In the case of DuPont, security analysts using the OCTAVE technique would have been able to determine that intellectual property was a critical asset to the organization, with foreign nations or competing companies interested in obtaining this information. Employing the OCTAVE framework would also have shown the company's management that a large multinational organization with thousands of employees like DuPont has numerous vulnerabilities. To defend against attacks similar to the 2011 "Nitro" penetration, DuPont must adopt a comprehensive security strategy that incorporates administrative, personnel and technical safeguards.
A recent assessment found that 128 Fortune 500 companies do not have policies in place protecting their intellectual property (Matthews, 2013). This means that in over 25% of America's largest corporations, employees have no uniform policy guiding their daily decisions on how to handle some of their organization's most valuable assets. As cyberattacks and corporate espionage continue to increase in frequency and sophistication, drafting comprehensive security and acceptable use policies should be the first step in creating a defense-in-depth cyber strategy. Once a policy is in place, organizations should focus on a variety of human and technical safeguards. Just as most APTs begin with a social engineering attack against individual workers, employees also represent the first line of defense against this threat. All individuals in a company must be provided with up-to-date security training and awareness briefings on emerging cyber threats. Finally, critical information assets should be afforded an extra layer of network protection. Digital architectures should be created to segregate "trophy information" like trade secrets from normal activities within an organization (Scully, 2011). This includes implementing separation-of-duty policies and safeguards as well as restricting use of unauthorized mobile devices and portable digital media. In addition, IT administrators should ensure that operating systems and applications are routinely patched and regular system audits are conducted (Smiraus & Jasek, 2011).
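Awareness training works best when a technical safeguard at the mail gateway backs it up by catching the two lures described in the Means of Attack section before they reach an inbox: executable attachments dressed up as documents or "security updates", and senders whose display name claims a known business associate while the address comes from a different domain. The following is an added example, not code from the essay or from any product; the messages, the partner directory, the domains and the file-type rules are all constructed for illustration.

```python
"""Mail-gateway policy checks for disguised executables and display-name
impersonation of known partners.

Added example; not part of the original essay or of any product. Messages,
partner directory and rules are constructed for illustration.
"""
import os
from dataclasses import dataclass, field
from typing import List

# File types Windows runs directly when double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable (PE) file


@dataclass
class Attachment:
    filename: str
    head: bytes  # leading bytes of the content, as seen by the gateway


@dataclass
class Message:
    display_name: str
    from_addr: str
    subject: str
    attachments: List[Attachment] = field(default_factory=list)


# Constructed partner directory: names employees recognise, and the only
# domain each partner legitimately sends from.
PARTNERS = {"Acme Polymers": "acme-polymers.example"}


def attachment_findings(att):
    findings = []
    root, ext = os.path.splitext(att.filename.lower())
    inner_ext = os.path.splitext(root)[1]
    if ext in EXEC_EXTENSIONS:
        findings.append(f"{att.filename}: executable file type")
        if inner_ext:  # "report.pdf.exe" displays as "report.pdf" when extensions are hidden
            findings.append(f"{att.filename}: double extension disguises an executable")
    elif att.head.startswith(PE_MAGIC):
        # Content check catches a renamed executable whatever the name says.
        findings.append(f"{att.filename}: Windows executable content under a non-executable name")
    return findings


def sender_findings(msg, partners=PARTNERS):
    findings = []
    domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    for name, real_domain in partners.items():
        if name.lower() in msg.display_name.lower() and domain != real_domain:
            findings.append(f"display name claims {name} but address domain is "
                            f"{domain}, expected {real_domain}")
    return findings


def evaluate(msg, partners=PARTNERS):
    """Return the list of policy findings for one message; empty means clean."""
    findings = sender_findings(msg, partners)
    for att in msg.attachments:
        findings.extend(attachment_findings(att))
    if "security update" in msg.subject.lower() and msg.attachments:
        findings.append("unsolicited 'security update' carrying an attachment")
    return findings


# Constructed messages modelled on the two prongs of the lure, plus a renamed
# executable and a genuinely clean message for comparison.
TARGETED = Message("Jane Doe - Acme Polymers", "jane.doe@acme-polymer-mail.example",
                   "Q3 formulation review", [Attachment("Q3 formulation.pdf.exe", b"MZ\x90\x00")])
BROADCAST = Message("IT Security", "it-security@mail-update.example",
                    "Mandatory Security Update", [Attachment("security_update.exe", b"MZ\x90\x00")])
DISGUISED = Message("Jane Doe - Acme Polymers", "jane.doe@acme-polymers.example",
                    "Notes", [Attachment("notes.pdf", b"MZ\x90\x00")])
LEGIT = Message("Jane Doe", "jane.doe@acme-polymers.example",
                "Q3 formulation review", [Attachment("Q3 formulation.pdf", b"%PDF-1.4")])

if __name__ == "__main__":
    for label, msg in (("targeted", TARGETED), ("broadcast", BROADCAST),
                       ("disguised", DISGUISED), ("legit", LEGIT)):
        print(label, evaluate(msg) or ["clean"])
```

The content check on the leading bytes matters more than the extension rules: a user who has been trained to distrust ".exe" can still be fooled by a file whose name ends in ".pdf", so the gateway should inspect what the bytes actually are. In practice the findings would feed a quarantine decision and a notice to the security team, and the partner directory would come from the organization's own supplier records rather than a hard-coded table.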
Conclusion
APTs, like the one targeting DuPont in 2011, are sophisticated and carefully executed attacks carried out by determined adversaries. The type of information attackers seek is so financially or strategically valuable that nations or groups employing these tactics will stop at nothing to obtain it. To defend against this threat, organizations must adopt defense-in-depth approaches incorporating hardware, software, personnel and policy safeguards. This strategy should also include information sharing between public and private sectors. Although APTs are a relatively new phenomenon, one of the most effective strategies in discouraging future incidents has been alerting the public to the tactics and techniques of successful cyberattacks.
References
Chien, E., & O'Gorman, G. (2011). The Nitro attacks: Stealing secrets from the chemical industry. Symantec. Retrieved from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf
DuPont. (2013). Company at a glance. Retrieved from http://www2.dupont.com/Our_Company/en_CA/glance/
Mandiant. (2013). APT1: Exposing one of China’s cyber espionage units. Retrieved from
Matthews, C. M. (2013). Many companies silent on IP protection as cyber threat emerges. The Wall Street Journal. Retrieved from http://blogs.wsj.com/riskandcompliance/2013/03/25/many-companies-silent-on-ip-protection-as-cyber-threatemerges/?KEYWORDS=security
McDonald, J. (2011). Cyber attacks on chemical companies traced to China. USA Today. Retrieved from http://usatoday30.usatoday.com/money/industries/technology/story/20111101/China-hackers/51024936/1
Prince, B. (2011). Coordinated cyber attacks hit chemical and defense firms. Security Week.
Riley, M. (2012). SEC push may yield new disclosures of company cyber attacks. Bloomberg. Retrieved from http://www.bloomberg.com/news/2012-01-10/sec-push-may-yield-new-disclosures-of-cyber-attacks-on-companies.html
Riley, M., & Forden, S. (2011). Hacking of DuPont, J&J, GE were Google-type attacks that weren’t disclosed. Bloomberg. Retrieved from http://www.bloomberg.com/news/2011-03-08/hacking-of-dupont-j-j-ge-were-google-type-attacks-that-weren-t-disclosed.html
Scully, T. (2011). The cyber threat, trophy information and the fortress mentality. Journal of Business Continuity & Emergency Planning, 5(3), 195-207. Retrieved from http://www.henrystewartpublications.com/jbcep
Smiraus, M., & Jasek, R. (2011). Risks of advanced persistent threats and defense against them. Annals of DAAAM & Proceedings, 1589-1590. Retrieved from http://daaam.info/?page_id=895
University of Maryland University College (UMUC). (2013). Module 7: Psychological aspects of cybersecurity. CSEC 620: Human Aspects in Cybersecurity: Ethics, Legal Issues, and Psychology. Retrieved from http://tychousa1.umuc.edu
Zetter, K. (2013). Executive order aims to facilitate sharing of information on threats. Wired.