APT attacks move to mobile devices

Kaspersky predicts future sale of APT software to more dubious customers.

APT attacks will increasingly target mobile phone and tablet users, and APT software will increasingly be sold by seemingly ‘legitimate' private-sector companies to yet more rogue nations and individuals.

That's the 2015 prediction of security firm Kaspersky, which also forecasts that APT techniques will be adopted by more purely criminal cyber-gangs to target banks themselves rather than their customers.

In an 11 December blog post, ‘A Look into the APT Crystal Ball', Kaspersky's global research and analysis director, Costin Raiu, says: “In 2015, we anticipate more mobile-specific APT malware, with a focus on Android and jailbroken iOS.

“Although a mobile phone might not have valuable documents and schematics, or geopolitical expansion plans for the next 10 years, it can be a valuable source of contacts as well as listening points.”

On the move to mobiles, Raiu said: “In 2014 we saw several new APT tools designed for infecting mobiles, for instance Hacking Team's Remote Control System mobile modules.

“Additionally, during the Hong Kong protests in October 2014, attacks were seen against Android and iOS users which appear to be connected to APT operations.”

But he said: “Although APT groups have been observed infecting mobile phones, this hasn't yet become a major trend.” This will change during next year, Kaspersky says.

Raiu also believes more private-sector companies will follow Hacking Team and Gamma International into the “legal surveillance tools market” where APT spyware is seemingly sold only to “trusted government entities”.

But he warned: “Public reports have repeatedly shown that spyware sales cannot be controlled. Eventually, these dangerous software products end up in the hands of less trustworthy individuals or nations, who can use them for cyber-espionage against other countries or their own people.

“The fact is that such activities are highly profitable for the companies developing the cyber-espionage software. These tools will be used for nation-on-nation cyber-espionage operations, domestic surveillance and maybe even sabotage.”

Kaspersky's other APT predictions for 2015 include:

* More advanced attacks will be mounted on banks in a growing merger between APTs and cyber-crime.

* APT groups will break into smaller units, meaning more victim companies will be targeted.

* APTs will increasingly use newer technologies such as 64-bit rootkits and virtual file systems, and build in stronger defence mechanisms to cover their tracks.

* Instead of simpler backdoors, they will use SSL, custom communications protocols and cloud services to exfiltrate data.

* More nations will deploy APTs and they will increasingly use ‘false flags' to hide their identity and implicate others.

* APT campaigns will make more use of botnets for mass surveillance, mass data collection and DDoS attacks, rather than targeted attacks.

Raiu also said: “We believe that more APT groups will become concerned with exposure and they will take more advanced measures to hide from discovery.”

His predictions prompted a mixed reaction from UK cyber-security experts – though all agreed that companies need to keep ‘raising the bar' to even stay close to matching the APT threat with their defence methods.

Sarb Sembhi, consulting services director at STORM Guidance and a leading light in the ISACA security professionals organisation, warned: “All the state-sponsored APT tools are advancing the arms race on behalf of the attackers. The tools to hack are in some respects far superior to the tools to protect.”

In response, he told SCMagazineUK.com: “Some of the tools that the hackers are using are going to be used against them.”

Sembhi cited the case of Sony Pictures which has reportedly used DDoS to hit back at the website leaking its data.

“I do think that this approach is going to become more of a reality, where legitimate organisations are going to start thinking about using attack tools for damage limitation.

“Going forward, perhaps two or three years down the road, we're going to have law enforcement organisations legitimately bringing these sites down on your behalf. At the moment that's not even on the radar of a legitimate service provider but there's going to be more of these services.”

David Lacey, an APT expert and security researcher, author and futurologist, agreed that companies must focus on constantly developing defence methods.

He told SCMagazineUK.com: “Detection is the big problem because these things are very stealthy. We need to keep coming up with imaginative new technologies which will detect things that are designed to bypass known technologies.

“It does need an increase in new ideas, imaginative new ways of looking at different characteristics of an attack, and it needs a lot more education of IT professionals and users to recognise the signs that something might be missing.

“The key thing is you have to keep raising the bar. The attackers are already working out methods to bypass whatever technology is being implemented by organisations. You can't stand still.”

Fraser Kyne, principal systems engineer at Bromium, had a different slant. He told SCMagazineUK.com via email: “This report provides further evidence that trying to protect from attacks by detecting them is futile. The attacker will always be several steps ahead.

“New attacks need new defence mechanisms. Innovative technology such as micro-virtualisation shows how a ‘protect first' mindset is entering into the CISO's vocabulary again. We need a jump forwards in security - ‘more of the same' is not acceptable.”

Join us for the next SC Magazine webcast 'APTs: A strategy for defence?' on 17th February 2015.