The world's biggest commercial and governmental organisations that fell victim to this remarkably well-resourced hacking organisation turned out to have been placing all their faith in anti-virus technology. They were doing this despite widespread knowledge that anti-virus solutions are ineffective against the most common and devastating method of cyber-attack – receipt of malicious email attachments.
Described in a new report from PwC UK and BAE Systems as a sustained, “global operation of unprecedented size and scale”, APT10's Operation Cloud Hopper has stolen a huge amount of intellectual property and sensitive data from some of the world's major businesses by targeting their managed services providers, or in the case of Japanese organisations and companies, by staging direct assaults.
The PwC/BAE report is damning in its revelation that the standard “compromise methodology” used by APT10 was a simple spear-phishing email with a malicious “executable” attachment. Using meticulously-acquired data, these emails appeared to be legitimate messages from a public sector entity, such as the Japan International Cooperation Agency, for example, while the attachments were crafted to address a topic of direct relevance to the recipient.
For most employees, clicking open such an attachment will have been virtually automatic, activating the malware code hidden in the structure or content of the file attachment. This sophisticated malware immediately rips through networks, heading for the plans, the designs and the data that these incredibly well-resourced threat-actors want to steal.
The traditional anti-virus protection relied on by the world's major companies and organisations was never going to protect them from these attacks. These solutions are not only incapable of detecting 100 percent of the viruses out there, they cannot detect the sophisticated threats that hackers such as APT10 now deploy inside the instruments essential to everyday business – email attachments.
It is worth considering that anti-virus technology relies on identifying the signature of each piece of malware. This means that an attack has to be mounted before the signature can be identified. Yet even though, as the report details, the activities of APT10 and its malware variants have been well-documented since 2009, these China-based hackers still got through.
The report exposes how APT10 malware has been documented ever since the group was first found to be targeting Western defence companies eight years ago, following it through its variants such as Poison Ivy, PlugX, Quasar, EvilGrab and more recently the development of the bespoke ChChes and RedLeaves.
Yet despite having all this threat-information at their fingertips, the anti-virus companies have still been hopelessly inadequate in protecting major clients. While they look for another name to give to an updated version of the malware, it has been easy for APT10 to escalate its attacks with its cleverly-crafted decoy emails.
Its selection of managed service providers (MSPs) supplying all kinds of IT services to major clients, is also cunning, if not unexpected. MSPs often have systems that overlap with their clients, offering ready access to entire supply chains and all their data. Once its malware is inside a network, APT10 moves laterally between MSPs and other victims and uses a sophisticated pathway to exfiltrate the data it has stolen, leaving minimal traces.
Now many of the victim-businesses that relied on anti-virus defences will find that their vital intellectual property is sitting on a competitor's desk in China.
All along the anti-virus companies have known that they can only defend against, at best, 95 percent of the malware that is out there. So when remarkably well-staffed hacking groups in China go to work, their malicious exploits are bound to be among that five percent that always gets through.
Operation Cloud Hopper makes it clearer than ever that organisations are leaving themselves vulnerable to attack by relying on leaky old anti-virus defences that are incapable of detecting the lethal threats hidden inside either the content or structures of common file types.
When the anti-virus companies admit that they can only protect against 95 percent of known malware, all businesses and organisations must adopt more innovative solutions such as file-regeneration technology that addresses today's and tomorrow's threats, instead of searching for what was a threat yesterday.
File-regeneration solutions are designed to act as impenetrable barriers, keeping out 100 percent of malicious exploits in file attachments such as Word, Excel, PDF or PowerPoint. All of these documents have a design standard against which every attachment can be measured in milliseconds, ensuring only the authentic and known good is permitted inside an organisation according to its established risk policy, and without disrupting normal operations.
If the globe's major organisations continue to ignore this technology and rely on anti-virus defences, the alternative is yet more disasters such as Operation Cloud Hopper.
Contributed by Greg Sim, CEO, Glasswall Solutions
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.