The cyber attacks on the networks of the National University of Singapore (NUS) and the Nanyang Technological University (NTU) last month were carefully planned and the work of Advanced Persistent Threat (APT) actors, according Singapore's Cyber Security Agency (CSA).
The CSA revealed that NTU’s networks were breached on April 19, while an unauthorized intrusion into NUS’ IT systems were detected on April 11.
The objective may be to steal government or research-related information, according to the CSA.
Affected networks at both NUS and NTU have been removed and replaced. The daily operations of both universities, including critical IT systems such as student admissions and examinations databases, were not affected.
“The attack on NUS and NTU shows that hackers are no longer just targeting the usual suspects in Singapore; such as financial institutions, Government and critical infrastructure,” said Bill Taylor-Mountford, Vice President, Asia Pacific & Japan, LogRhythm.
“Establishments such as Universities hold valuable personal data, including intellectual property that can bring about financial gain.
“Today, we can no longer prevent attackers from gaining access. We are almost fighting a losing battle if we only focus on prevention. Therefore, it is more important to be able to detect a breach and quickly neutralise it.
Reducing the mean time to detect and respond must be the key objective for any cybersecurity infrastructure today.”
How APTs differ from other attacks
Nick Savvides, Security Advocate, Symantec Asia Pacific and Japan, says that APT attacks are a type of targeted attack that are highly advanced that may employ a wide variety of techniques including malware, spyware, phishing, and spam, to name just a few.
“These attacks are specially crafted against a victim and cyber-attacks who employ such techniques often have a clear goal or type of informational that they are looking to obtain,” said Savvides.
Here are some examples on how APTs differ from other targeted attacks:
- Customised attacks: In addition to more common attack methods, APTs often use highly customized tools and intrusion techniques, developed specifically for the campaign.
- Low and slow: APT attacks occur over long periods of time during which the attackers move slowly and quietly to avoid detection. In contrast to the “smash and grab” tactics of many targeted attacks launched by more typical cybercriminals, the goal of the APT is to stay undetected by moving “low and slow” with continuous monitoring and interaction until the attackers achieve their defined objectives.
- Higher aspirations: Unlike the fast-money schemes typical of more common targeted attacks, APTs are designed to satisfy the requirements of international espionage and/or sabotage, usually involving covert state actors. The objective of an APT may include military, political, or economic intelligence gathering, confidential data or trade secret threat, disruption of operations, or even destruction of equipment. The groups behind APTs are well funded and staffed; they may operate with the support of military or state intelligence.
- Specific targets: While nearly any large organization possessing intellectual property or valuable customer information is susceptible to targeted attacks, APTs are aimed at a much smaller range of targets. Widely reported APT attacks have been launched at government agencies and facilities, defense contractors, and manufacturers of products that are highly competitive on global markets.
APT attacks are carefully planned and meticulously executed. They typically break down into four phases: incursion, discovery, capture, and exfiltration:
- Incursion: In targeted attacks, hackers typically break into the organization's network using social engineering, zero-day vulnerabilities, SQL injection, targeted malware, or other methods. These methods are also used in APTs, often in concert. The main difference is that while common targeted attacks use short-term, “smash and grab” methods, APT incursions are designed to establish a beach head from which to launch covert operations over an extended period of time.
- Discovery: Once inside, the attacker maps out the organization's systems and automatically scans for confidential data or, in the case of some APTs, operational instructions and functionality. Discovery may include unprotected data and networks as well as software and hardware vulnerabilities, exposed credentials, and pathways to additional resources or access points. Here again, where most targeted attacks are opportunistic, APT attacks are more methodical and go to extraordinary lengths to avoid detection.
- Capture: In the capture phase, exposed data stored on unprotected systems is immediately accessed. In addition, rootkits may be surreptitiously installed on targeted systems and network access points to capture data and instructions as they flow through the organization.
- Exfiltration: Once the intruders have seized control of target systems, they may proceed with the theft of intellectual property or other confidential data.
Persistent
“The critical word in advanced persistent threat (APT) is ‘persistent’ – these are sophisticated threats that are getting into your network and staying there, undetected, for a long time,” says Sanjay Aurora, Managing Director, Asia Pacific, Darktrace.
“Perpetrators often acquire legitimate user credentials or gain access through unprotected software or hardware, allowing them to easily bypass traditional security tools like firewalls.”
Aurora noted that it can take up to 230 days for a company to realize they have been breached and critical systems compromised. “At Darktrace, we once started working with a customer, only to find that there was a sophisticated threat inside their network that had been there for eight years.
“Unfortunately, there have been a lot of sophisticated attacks all over the world, many of which have made headlines recently. The holy grail is to find these things early, before they escalate into crises.”