Patrick Lambert highlights an example of a targeted cyber attack and points out what should be learned about analysis and disclosure in the event your organization has to deal with something similar.
If you follow security news, you may have seen the report from Bloomberg this week about how Coca-Cola was hacked in 2009, in the middle of an acquisition deal, and never told anyone. The deal was fairly important, involving an attempted $2.4 billion acquisition of China Huiyuan Juice Group, which eventually fell through for unknown reasons. Now, thanks to the report, we learn that sensitive information about the deal was likely leaked through those attacks. While it's unclear whether the hack itself played a part in the deal's failure, even the possibility of having some hackers decide the fate of such a critical process can be scary. Yet, back then, when the FBI approached Coke about the hack, no real disclosure happened.
In fact, that's not a rare occurrence. When hackers went after BG Group Plc last year, through several online attacks, the company also kept it a secret. Increasingly, these types of attacks target not only personal information, but financial data as well. Business deals and mergers can be disrupted by a group of hackers, either of their own accord or paid by an interested third party. So it's not surprising that many companies feel that they shouldn't disclose the attacks, either to investors or even executives inside the corporation, and should instead bury the information, clean infected systems, and move on. These types of omissions is why the SEC introduced a guidance document back in 2011 telling corporations the types of actions they should take should they be the victims of similar events.
In contrast, just last month the nation of Georgia's CERT institute released a perfect example of how such an online event should be handled, describing in detail what happened in the 2011 attacks against newspapers, blogs, and government sites inside the country. Reading this 27-page document, we learn everything that their security team found, and how the events that led to the defacing and compromise of 390 systems occurred. Once again, this wasn't the case of random juveniles looking for a thrill. This time it was motivated political activists targeting specific sites in order to infect people who were interested in a particular political view. For example, they would hack into a newspaper's site, then deface news reports about specific subjects.
The attack began in March 2011, when the first instances of malware were found to steal documents and certificates from sites in Georgia. The virus was modified several times during the year in order to bypass firewalls and IDS, and became harder to detect. By December, infected systems could be remotely controlled, with the malware having video recording capabilities along with the usual keylogging and the ability to take screenshots. All of this was initiated by a simple script injected into the hacked news sites, containing various zero-day exploits going after ActiveX, PDF files, and Java.
Once infected, the malware actually checked that the computer was located inside of the UTC+3 or UTC+4 time zones, demonstrating once again that this was a targeted attack. It would then mask itself as calc.exe and inject some code inside of Internet Explorer in order to communicate with command and control servers. The code was even sophisticated enough to update itself regularly from several addresses at once. At the end of the report, the team behind the investigation reveals some of the steps taken to stop the attack, including blocking the command and control servers, cooperating with security companies to add proper detection mechanics in IDS devices, cooperating with various law enforcement agencies, contacting abuse teams at hosting providers to get those servers offline, and obtaining log files for analysis.
This is a very good example of the process that any corporation should go through should they get hacked. It demonstrates that cyber attacks are not only much more sophisticated than before, but they are also very targeted. While there are still many non-targeted malware threats out there, our current security solutions can cope with them pretty well. Most organizations have spent a minimum of effort to secure their networks, and as a result, executives feel safe that their systems won't be breached. But when it comes to this type of event, targeted attacks going after specific data, it's far more difficult to prepare, and that's also why it's so important that proper forensics be done, and then disclosed. The worse thing an IT admin can do when he or she detects a breach is to assume it's a non-targeted attack, and simply dismiss it after cleaning up the infection. If anything looks suspicious, then you never know how far the actual attack goes.
If you're responsible for maintaining a network, whether it's for a large corporation or a small organization, going through these types of reports can provide invaluable information, not only on what a targeted attack can look like, but some of the things that can be done to investigate such a breach, and the type of disclosure that should be made at the end of it. Unfortunately, it's still the case that very little is known about the vast majority of attacks going on right now. Jacob Olcott, a former Congressional adviser on cyber security, tells Bloomberg that "companies currently provide little information about material events that occur on their networks," and as a result, "investors have no idea what is happening today."