
State Department hack and APT29 prove attacker resilience

News Roundup: 'Hand-to-hand' combat in State Department hack, APT29 has a stealth backdoor, the inventor of the World Wide Web backs strong encryption, and more.

Malicious actors are adaptable, skilled and persistent. That is the conventional wisdom, and during the U.S. State Department hack the NSA found it out the hard way. New details now show just how persistent those attackers were.

According to Richard Ledgett, deputy director of the National Security Agency (NSA), the battle between federal security professionals and attackers during the State Department hack in 2014 "was hand-to-hand combat" that could be considered "a new level of interaction between a cyberattacker and a defender."

Ledgett and other NSA officials described the State Department hack as a back-and-forth engagement in which federal defenders would cut the connection between the attackers' malware and its command and control servers, only to have the attackers stand up a new one.

NSA officials warned that the level of attacker aggressiveness shown in the State Department hack could prove to be trouble for the private sector. While the NSA did not say who was responsible for the State Department hack, security researchers have attributed it to a group called APT29, aka Cozy Bear and The Dukes, which is thought to be a Russian-backed group and is also believed to be behind the DNC hack.

APT29 also made news this week for its resilience, as security researchers at Mandiant, a cybersecurity firm owned by FireEye, dug into APT29 malware and found a "stealthy backdoor."

Matthew Dunwoody, incident response consultant at Mandiant, wrote in a blog post that the backdoor, which he named POSHSPY, makes use of two favorite APT29 tools -- PowerShell and Windows Management Instrumentation (WMI) -- in order to avoid detection.

"POSHSPY's use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory," Dunwoody wrote. "The backdoor's infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control make identification of its network traffic difficult. Every aspect of POSHSPY is efficient and covert."

Dunwoody said Mandiant identified POSHSPY in several environments "compromised by APT29 over the past two years", but did not reveal what entities had been targeted by the group.
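The persistence mechanism Dunwoody describes, WMI permanent event subscriptions driving a PowerShell payload, is exactly what a hunter checks for on a suspect host. The script below is an added example written for this roundup, not code from Mandiant's post or from POSHSPY: it enumerates every filter-to-consumer binding in the root\subscription namespace, pulls the executable payload from the consumer, and flags bindings that launch PowerShell or carry encoded or downloaded script. It also checks whether the "enhanced logging" the quote refers to (PowerShell script block logging) is enabled. The page gives no POSHSPY-specific filter or consumer names, so the regular expression and the property names used for matching are generic assumptions of this example, not indicators from the original report.

```powershell
# Added hunting example (not Mandiant's code). Enumerates WMI permanent event
# subscriptions and flags consumers that launch PowerShell. Run elevated.
# The pattern below is an assumption for illustration, not a POSHSPY indicator.
$SuspiciousPattern = 'powershell|pwsh|-enc(odedcommand)?\s|FromBase64String|Invoke-Expression|\bIEX\b|DownloadString'

function Get-WmiRefName {
    # Binding properties are CimInstance references under Get-CimInstance but
    # string paths like __EventFilter.Name="X" under Get-WmiObject; handle both.
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -replace '^.*Name="([^"]*)".*$', '$1') }
    return $Ref.Name
}

function Get-WmiPersistence {
    [CmdletBinding()]
    param([string]$Namespace = 'root\subscription')

    # A persistence triple: __EventFilter (trigger) + __EventConsumer (action)
    # + __FilterToConsumerBinding tying the two together.
    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $fName = Get-WmiRefName $b.Filter
        $cName = Get-WmiRefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1

        # The executable payload lives in different properties per consumer class.
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
            'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }
            default                     { ($c | Out-String).Trim() }
        }

        [pscustomobject]@{
            FilterName    = $fName
            Trigger       = $f.Query            # WQL that fires the consumer (often a timer)
            ConsumerName  = $cName
            ConsumerClass = $c.CimClass.CimClassName
            Payload       = $payload
            Suspicious    = [bool]($payload -match $SuspiciousPattern)
        }
    }
}

function Test-ScriptBlockLogging {
    # Script block logging writes decoded script text (including what only ever
    # existed in memory) to Microsoft-Windows-PowerShell/Operational event 4104.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

# Usage
$hits = Get-WmiPersistence
$hits | Format-Table -AutoSize
if ($hits | Where-Object Suspicious) {
    Write-Warning 'PowerShell-launching WMI subscription found; review its filter query and payload.'
}
if (-not (Test-ScriptBlockLogging)) {
    Write-Warning 'Script block logging is off; in-memory PowerShell payloads will not be recorded.'
}
```

A default Windows install carries one benign binding in root\subscription (the "SCM Event Log Filter" to an NTEventLogEventConsumer), so review the payload column rather than alerting on any binding at all. The script covers only the subscription mechanism; an implant that stashes its code in a custom WMI class elsewhere in the repository needs a separate sweep of other namespaces, and a payload that is only ever decoded in memory will show up only if script block logging or a memory capture is in place, which is the point of Dunwoody's remark.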

In other news:

  • The security bane of hardcoded passwords has struck again, this time in Cisco's Mobility Express Software. The software, found in the Aironet 1830 and 1850 series access points, has a hardcoded admin-level SSH password, which "could allow an unauthenticated, remote attacker to take complete control of an affected device," according to Cisco's advisory. There are no workarounds, so anyone running the affected devices is urged to apply the patch immediately.
  • The Senate Commerce, Science and Transportation Committee approved the Main Street Cybersecurity Act. According to Committee Chairman John Thune (R-S.D.), "This legislation will help small businesses get the information they need to protect themselves and their customers from cyberattacks." However, rather than offering any direct help, the act would only require the National Institute of Standards and Technology to create cybersecurity guidance tailored to small business needs.
  • FBI director James Comey has been dropping hints that he may loosen requirements to allow the FBI to hire more talented cybersecurity experts. In a recent talk, Comey said a cyber-agent needs "integrity, physicality, intelligence and technical expertise," but "this collection of attributes is rare in nature. We will find people of integrity who are really smart and know cyber and can't do a push-up. Or we'll find people maybe who can do a push-up and they're smart and they can do cyber, but they want to smoke weed on the way to the interview. And so you can see the challenge we face." However, Comey said last week at a gathering of the Intelligence and National Security Alliance, "Our minds are open to all of these things because we are seeking a talent -- talent in a pool that is increasingly small. So, you're going to see us experiment with a number of different approaches to this."
  • Sir Tim Berners-Lee, the inventor of the World Wide Web, criticized efforts by lawmakers and law enforcement agencies in both the U.S. and U.K. to undermine strong encryption and net neutrality rules. In an interview with the BBC following the announcement that he would receive the Turing Award, Berners-Lee said he would "fight as hard as [he] can" if the FCC moves to dismantle net neutrality, and said private communication was a "human right." On the topic of potential encryption backdoors, Berners-Lee said, "Now I know that if you're trying to catch terrorists it's really tempting to demand to be able to break all that encryption but if you break that encryption then guess what -- so could other people and guess what -- they may end up getting better at it than you are."

Next Steps

Learn more about command and control servers: the puppet masters that govern malware.

Find out why the DNC hack raises questions about cyber attribution methods.

Get info on how the new FCC chairman could shake up net neutrality.
