APT Threats Today Need a Different Kind of Response

B. Ostergaard

Summary Bullets:

  • The ‘Flame’ advanced persistent threat (APT) is invisible to commercial AV defences and may lie dormant for years.
  • Combating APTs may create a new role for the ITU and further international anti-malware efforts.

The latest news on the (often purported to be state-sponsored) APT front is a massive piece of spy software, dubbed ‘Flame,’ which seems to have been around for many years – at least since 2010.  The worm was discovered by accident when security vendor Kaspersky was looking for another mystery APT dubbed ‘Wiper,’ which has been deleting files on servers in the Middle East for some time.  Much like earlier APTs such as ‘Stuxnet’ and ‘Duqu,’ Flame exploits software and hardware vulnerabilities in ways that evade the known AV defences, and it infects desktops and servers in multiple ways (USB, LAN, drive-by, etc.).  Similar to these other APTs, it appears to harm or spy very selectively, so it may reside dormant on a large number of Windows PCs.  Flame is different in that the remote controllers can install different modules (e.g., taking control of the PC’s microphone to record conversations) on infected machines depending on what kind of information the controllers want to steal.  So, the net-net is that we do not know whether our desktops or data centres are infected, and consequently whether they are actively or passively spying on us and stealing our data.  We might seek some comfort in the belief that this malicious (often Middle Eastern) activity is politically rather than commercially motivated, but state-sponsored industrial espionage is an obvious use as well.

What is new in this latest APT rash is the role of the United Nations International Telecommunication Union (ITU).  Those readers who were professionally active during the last century may recall that the ITU was the dusty global body for national postal, telephone and telegraph (PTT) monopolies.  Well, it seems to be resurrecting itself and turning to address current telecom issues with global business implications.  In 2008, the ITU established ‘The International Multilateral Partnership Against Cyber Threats’ (IMPACT) in Kuala Lumpur to address the ITU’s global cyber security agenda.  It comes with all the trappings of a staid, old, bureaucratic organization with 142 member countries, but it is also taking on new public/private initiatives and actively sponsoring security vendors such as Kaspersky to investigate security issues, including the unexplained deletion of sensitive files on servers in the Middle East.  It was during this process that Kaspersky stumbled upon the Flame worm complex.  Following the Kaspersky/ITU information on the newly discovered threat, the national Iranian Computer Emergency Response Team (CERT) surprisingly contacted major AV vendors and provided them with examples of the worm software as well as a removal tool.  While most countries and major telcos and IT SPs have CERT organizations that cooperate internationally, this is the first time that an Iranian CERT organization has actively contributed to the global efforts to combat malware – clearly because Iran is a major target for Flame spying.

However, while nations have very conflicting political security interests, the rest of us must consider the possible devastation caused by a real cyber attack on our national power and telecom infrastructures sparked by a Stuxnet or Flame-like APT.  Such concerns may overshadow narrow national interests and create a greater global willingness to agree to a new ‘Geneva Convention’ governing the use of APTs in cyber warfare.  What is the response on the enterprise front?  How do you view CERT cooperation and the spectre of APTs conducting industrial espionage on your company’s vital IP?  Do you have any security policies looking for dormant viruses, or is this just a fact of life in the 21st century?

What do you think?
