Greg Sim, CEO, Glasswall Solutions, discusses how the massive cyber breach by China based APT10 hackers has exposed the failure of anti-virus defences.
It was a sustained, ‘global operation of unprecedented size and scale’ that stole huge amounts of intellectual property and sensitive data from some of the world’s major businesses.
APT10’s Operation Cloud Hopper has proved just how vulnerable large companies and governmental organisations are when they put all their faith in anti-virus technologies. The remarkably well resourced hackers of China based APT10 succeeded by targeting managed services providers (MSPs) around the globe, along with direct assaults on Japanese organisations and companies.
A new report from PwC UK and BAE Systems reveals the grisly details. By relying entirely on the failed anti-virus solutions touted by the big cyber security vendors, companies around the world left themselves wide open to the new breed of attack delivered in email attachments.
The PwC/BAE report is damning in its revelation that the standard ‘compromise methodology’ used by APT10 was a simple spear phishing email with a malicious ‘executable’ attachment. Using meticulously acquired data, these emails appeared to be legitimate messages from a public sector entity such as the Japan International Cooperation Agency. The attachments, meanwhile, were crafted to address a topic of direct relevance to the recipient.
For most employees, clicking open such an attachment will have been virtually automatic, activating the malware code hidden in the structure or content of the file attachment. This sophisticated malware immediately flew out of the MSPs’ systems and into the networks of their clients, heading for the plans, the designs and the data that APT10 wanted to steal.
The sickening reality in all this is that traditional anti-virus protection relied upon by the world’s major companies and organisations cannot protect them from these attacks. These solutions are not only incapable of detecting 100% of the viruses out there, they cannot detect the sophisticated threats that hackers such as APT10 now deploy inside the instruments essential to everyday business – email attachments such as Word, PDF, Excel or PowerPoint files.
Consider this simple point. Anti-virus technology relies on identifying the signature of each piece of malware. This means that an attack has to be mounted before the signature can be identified. Yet even though, as the report details, the activities of APT10 and its malware variants have been well documented since 2009, these China based hackers still got through.
The report exposes how the development of APT10 malware has been charted since the group was first found to be targeting Western defence companies eight years ago and then on through its variants, such as Poison Ivy, PlugX, Quasar, EvilGrab and more recently the bespoke ChChes and RedLeaves.
Yet despite having all this threat information at their fingertips, the anti-virus companies have still been hopelessly inadequate in protecting major clients. While they look for another name to give to an updated version of the malware, it has been easy for APT10 to escalate its attacks with its cleverly crafted decoy emails.
Its selection of managed service providers (MSPs) supplying all kinds of IT services to major clients, is also cunning, if not unexpected. MSPs often have systems that overlap with their clients, offering ready access to entire supply chains and all their data. Once its malware is inside a network, APT10 moves laterally between MSPs and other victims and uses a sophisticated pathway to exfiltrate the data is has stolen, leaving minimal traces.
Now many of the victim businesses that relied on anti-virus defences will find that their vital intellectual property is sitting on a competitor’s desk in China.
All along the anti-virus companies have known that they can only defend against, at best, 95% of the malware that is out there. So when remarkably well staffed hacking groups in China go to work, their malicious exploits are bound to be among that 5% that always gets through.
Operation Cloud Hopper makes it clearer than ever that organisations are leaving themselves vulnerable to attack by relying on leaky old anti-virus defences that are incapable of detecting the lethal threats hidden inside either the content or structures of common file types.
When the anti-virus companies admit that they can only protect against 95% of known malware, all businesses and organisations must adopt more innovative solutions such as file regeneration technology. This addresses today’s and tomorrow’s threats, instead of searching for what was a threat yesterday.
File regeneration solutions act as impenetrable barriers, keeping out 100% of malicious exploits in file attachments, such as Word, Excel, PDF or PowerPoint. All of these documents have a design standard against which every attachment can be measured in milliseconds, ensuring only the authentic and known good is permitted inside an organisation according to its established risk policy, and without disrupting normal operations.
If the globe’s major organisations continue to ignore this technology and rely on anti-virus defences, the alternative is yet more disasters such as Operation Cloud Hopper.