State-sponsored “Advanced Persistent Threats” burst onto the radar during the last couple of years, but as with just about all security industry acronyms, the words that make up the acronym don’t spell out precisely what it means.
APTs have to date pursued strategies like remote network intrusions and social engineering attacks in the form of emailed documents mixed with general internet mis-routing shenanigans to capture traffic.
Security vendor TrapX has found a real doozy in the Zombie Zero malware.
Zombie Zero is an elaborate scheme, which involves a Chinese scanner manufacturer shipping devices with embedded Windows XP operating systems that were armed with advanced malware.
Once connected to a network, the malware in the devices scanned the corporate LAN, installed compromised digital certificates and exfiltrated whatever customer and financial data it could find.
For companies in the shipping and logistics industry there was a secondary payload which connected to a botnet and downloaded a command-and-control application for further penetration and remote access of networks.
The scanner manufacturer was located in the same physical area as the termination point for the botnet command-and-control connection - the Lanxiang Vocational School in Shandon. That school had been implicated in attacks on Google and the Operation Aurora campaign.
TrapX did not confirm the scanner manufacturer knowingly shipped devices with pre-loaded malware, but believes there is likely to be a connection between the school and the scanner manufacturer. On that basis, the Chinese government very possibly has a finger in this particular malware pie.
Zombie Zero has hit just eight organisations, TrapX said, suggesting a very targeted attack. The sophisticated security solutions these organisations had in place did not cover every nook and cranny of their enterprises, leaving the door open for the pre-installed malware.
Zombie Zero demonstrates how difficult it can be to deal with every single threat vector, especially if a supplier goes rogue.
Supply chain security issues are nothing new, and there have been plenty of cases of vendors shipping malware by accident.
Are you ready for your suppliers to deliberately send advanced malware to spy on your organisation, or to actively sabotage your business?
Perimeter defenses aren't going to cut it with APTs, so the key is to be as flexible as the intruders themselves. They are clearly planning complex, multi-stage attacks instead of just feeling the handles on doors to see which ones are open.
Your organisation’s attack vectors can start well outside the business, as Zombie Zero showed.
Think like a food retailer here, and only buy from trusted, reliable sources, so as not to bring any nasty bugs from the outside into your organisation.
TrapX suggests the install of honeypots to fool attackers into thinking they've found the target, for easier detection.
That's an interesting approach, but it needs to be augmented with in-depth defences covering all areas of an organisation. If there's a mission-critical system in your business, ring-fence it with firewalls and intrusion detection systems.