The Russian hacking groups that stole the Democratic National Committee’s secret files on Donald Trump have plenty of experience in filching sensitive data from U.S. officials. Last year, one of the two groups, known as APT29 or COZYBEAR, broke into the Joint Chief’s non-classified email system. Here’s what last summer’s hack can teach you about what happened to the DNC, and how to keep it from happening again.
On Tuesday, officials with the information security company Crowdstrike disclosed that APT29 had injected malware onto the DNC network about a year ago, enabling the hackers to pick up opposition research on Donald Trump, among other information. The group is known for its spearphishing campaigns, which sends emails that appear to be from a trusted source. But when a recipient clicks on a link, her machine will download malicious code, in the case of the DNC hack, containing a Remote Access Tool (RAT). This code lets a hacker into the system — and takes pains to keep itself hidden. The malware can check “for the various security software that is installed on the system and their specific configurations. When specific versions are discovered that may cause issues for the RAT, it promptly exits,” Crowdstrike’s Dmitri Alperovitch wrote in a blog post.
The malware Crowdstrike discovered on the DNC network “allowed the adversary to launch malicious code automatically after a specified period of system uptime or on a specific schedule.” Basically, this means the malware can sit in the background of the network, possibly on a single machine, not drawing attention to itself, until it’s scheduled to spring into action. You might remove it from that machine, but by then it could have moved to somewhere else on the network.
Aside from the perpetrator, the DNC hack bares a number of things in common with the 2015 phishing attack on the Joint Chief’s non-classified email system.
In 2014, APT29 began using a backdoor malware dubbed HAMMERTOSS. Once an unsuspecting target opened an email from the group and downloaded the virus via a link, the malware installed itself and began using Microsoft Active Directory to move laterally among computers in the (Windows server) network. At specific times, the malware checked in with a web page (algorithmically generated Twitter pages have been used for this purpose) to receive instructions on uploading data. That allows it to remain difficult to detect and the upload harder to trace.
“While each technique in HAMMERTOSS is not new, APT29 has combined them into a single piece of malware. Individually, each technique offers some degree of obfuscation for the threat group’s activity. In combination, these techniques make it particularly hard to identify HAMMERTOSS or spot malicious network traffic,” wrote the computer security firm FireEye.
Here’s the thing, while it took the DNC almost a year to realized it had been hacked, the Pentagon detected the breach of its non-classified network within days. Last August, Defense One interviewed the head of the company that the Pentagon trusted to detect and remedy the breach. He asked that his name and the name of the company not be disclosed as they have not received clearance to discuss their role in mitigating the hack.
“We’ve been deeply involved in the remediation of the breach and so we obviously can’t talk about the scope and scale of cause of the breach because it’s classified,” the head of an information security company told Defense One last year.
The incident was a key example of a new trend, he said.
“When you typically see these large-scale attacks where you see these large amounts of lateral movement [jumping from one computer to another within the network] and especially when you have relatively tightly wound network controls, a lot of the time you don’t have the command-and-control architecture to be able to go in and see the attack,” he said. “So the advance threat characteristics change to be more automated, a kind of pervasive deployment using common vulnerabilities and exploiting them widely.”
That bears resemblance to what Crowdstrike just discovered APT29 doing to the DNC.
So how do you prevent that sort of thing? First, you need good situational awareness. No more letting scheduled-attack malware hide in the shadows until the lights go out.
“Typically, the biggest issue for our customers is assessing the state of the environment, vis-à-vis what’s running in the environment at that time and what’s accessing data. So being able to look at things like the running processes in the environment, being able to look at all of the users that are touching certain types of data and whether they’ve touched it in the past before, being able to see if there are interconnections from a network standpoint between different assets is one of the basic capabilities of the platform, just being able to see the state of every endpoint,” said the company head.
The way that you get that situational awareness is by designating a single central node to view what’s happening on every machine, sort of like peer-to-peer networking but with special safety features, and then send updates and patches to all of them at once, each one signed, allowing endpoint management from one place. If all the computers can only run updates that are signed by the central node, then the malware can’t hop from one to another, assuming that central node is not sending out signed, infected updates.
“You need to have one trust point. In our case, it’s our server,” the company head said. That trusted system generates a unique cryptographic signature for each “message,” which can be an action, a sensor recording data, a change to a setting, a command to a device, etc.“What ends up happening is that every node that receives the message, whether it receives it from its peer or it receives it from the server, or it receives it from an intermediary node like a relay, it checks that signature before it processes that message,” he said. “The protection that you have against a rogue node being taken over and then feeding its peers bad data is that you don’t have a private key to sign the message on the rogue node. Even if you could inject traffic into the stream, it would be immediately rejected because that traffic isn’t signed correctly. As a result of that, the public keys that reside on the clients would essentially alert the clients that the signature was invalid and to reject the message.”
FireEye discovered APT29 in 2014.
“We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St. Petersburg,” they write.
Not surprisingly, Russia has denied any role in both hacks.