APT10’s cyber attack shows anti-virus defences can’t be relied on

There is a brutal lesson in the revelation that the China-based APT10 hackers have breached the cyber defences of some of the world’s biggest commercial and governmental organisations.

As outline in a new report from PwC UK and BAE Systems, APT10’s Operation Cloud Hopper has stolen high volumes of intellectual property and sensitive data from some of the world’s major businesses in what is described as a sustained, “global operation of unprecedented size and scale”.

In the majority of cases APT10 gained entry to these organisations by targeting their managed services providers (MSPs), or in the case of Japanese organisations and companies, by staging direct assaults.

The unpalatable truth behind these revelations is that Operation Cloud Hopper could all have been prevented if these organisations had the right email security technology. By putting their faith entirely in the failed anti-virus solutions touted by the big cyber security vendors, they have left themselves wide open to the most common form of attack – malicious email attachments.

>See also: Cyber security from a hacker’s perspective

The PwC/BAE report is damning in its revelation that the standard “compromise methodology” used by APT10 was a simple spear phishing email with a malicious “executable” attachment.

Using meticulously-acquired data, these emails masquerade as messages from a public sector entity, such as the Japan International Cooperation Agency, for example, while the attachments are crafted to address a topic of direct relevance to the recipient.

For most employees, clicking open such an attachment will be virtually automatic, activating the malware code hidden in the structure or content of the file attachment. This sophisticated malware immediately rips through networks, heading for the plans, the designs and the data that these incredibly well-resourced threat-actors want to steal.

The sickening reality in all this is that traditional anti-virus protection relied on by the world’s major companies and organisations cannot protect them from these attacks. These solutions are not only incapable of detecting 100% of the viruses out there, they cannot detect the sophisticated threats that hackers such as APT10 now deploy inside the instruments essential to everyday business – email attachments.

Consider this simple point. Anti-virus technology relies on identifying the signature of each piece of malware. This means that an attack has to be mounted before the signature can be identified. Yet even though, as the report details, the activities of APT10 and its malware variants have been well-documented since 2009, these China-based hackers still got through.

>See also: The fight against cyber crime requires innovative defence

The report exposes how APT10 malware has been charted right back to when the group was first found to be targeting Western defence companies eight years ago. Since then it has been documented through its variants such as Poison Ivy, PlugX, Quasar, EvilGrab and more recently the development of the bespoke ChChes and RedLeaves.

Yet despite having all this threat-information at their fingertips, the anti-virus companies have still been hopelessly inadequate in protecting major clients. While they look for another name to give to an updated version of the malware, it has been easy for APT10 to escalate its attacks with its cleverly-crafted decoy emails.

Its selection of managed service providers (MSPs) supplying all kinds of IT services to major clients, is also cunning, if not unexpected. MSPs often have systems that overlap with their clients, offering ready access to entire supply chains and all their data.

Once its malware is inside a network, APT10 moves laterally between MSPs and other victims and uses a sophisticated pathway to exfiltrate the data is has stolen, leaving minimal traces.

Now many of the victim-businesses that relied on anti-virus defences will find that their vital intellectual property is sitting on a competitor’s desk in China.

All along the anti-virus companies have known that they can only defend against, at best, 95% of the malware that is out there. So when remarkably well-staffed hacking groups in China go to work, their malicious exploits are bound to be among that five per cent that always gets through.

>See also: Forget about antivirus – cybercrime has industrialised and we need a new approach to combat it

Operation Cloud Hopper makes it clearer than ever that organisations are leaving themselves vulnerable to attack by relying on leaky old anti-virus defences that are incapable of detecting the lethal threats hidden inside either the content or structures of common file types.

When the anti-virus companies admit that they can only protect against 95% of known malware, all businesses and organisations must adopt more innovative solutions such as file-regeneration technology that addresses today’s and tomorrow’s threats, instead of searching for what was a threat yesterday.

File-regeneration solutions act as impenetrable barriers, keeping out 100% of malicious exploits in file attachments such as Word, Excel, PDF or PowerPoint.

All of these documents have a design standard against which every attachment can be measured in milliseconds, ensuring only the authentic and known good is permitted inside an organisation according to its established risk policy, and without disrupting normal operations.

If the globe’s major organisations continue to ignore this technology and rely on anti-virus defences, the alternative is yet more disasters such as Operation Cloud Hopper.


Sourced by Greg Sim, CEO, Glasswall Solutions

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...