Massive 'Lurid' APT attack targets dozens of government agencies

Using basic techniques, hackers managed to infiltrate networks of space-related agencies, diplomatic organizations, and more

Trend Micro last week identified a major APT (advanced persistent threat) campaign called Lurid through which malicious hackers successfully infiltrated the IT systems of more than 47 organizations in 61 different countries. The target organizations are primarily government-related -- including space-related government agencies -- based in Russia, Kazakhstan, and other countries in the region. Just what the hackers may have come away with isn't clear; Trend Micro researchers could only determine that in some cases, the attackers attempted to steal specific documents and spreadsheets.

The announcement provides yet another sobering reminder of cyber criminals' increasing success at easily and covertly infiltrating target organizations networks via APTs. In this type of attack, bad guys don't break in, grab data, and run away so much as entrench themselves in target organization's IT systems for extended periods of time, monitoring activity and siphoning away sensitive personal and as well as proprietary information. Recent examples of note include the successful APT attack on RSA through which hackers came away with stolen SecurID token data, then used it to hack Lockheed Martin.

Particularly noteworthy in the Lurid campaign is the ease with which the perpetrators managed to compromise their victims in the first place: They simply used known Adobe Reader exploits and malicious screensavers to infect user machines with malicious downloaders, which in turn connected to the hackers' command-and-control servers to await further instructions. As far as payload went, Trend Micro found that the downloader could install malware as a Windows service. It could also copy itself into the system folder and "ensure persistence by changing the common startup folder in Windows."

The attack demonstrates that the techniques for launching an advanced persistent threat attack need not be advanced at all, a fact that might run contrary to what casual observers believe. The attackers here didn't exploit an unpatched zero-day vulnerability or otherwise employ special techniques (such as, say, duping a user to plug in a Trojan mouse infected with malware). Rather, the term "advanced" in APT represents the strategic nature by which attackers are able to monitor activity and mine data from a target network for an extended period of time, often working in teams for a corporate-like criminal business.

It's fortunate that companies like Trend Micro and McAfee are able to provide this sort of in-depth analysis of APT attacks: It can better help us understand and defend against today's new breed of cyber adversary.

For now, there's plenty organizations can and must do to protect themselves from becoming the latest victim of an APT, including following the fundamentals of IT security. That includes keeping all your applications and platforms patched, limiting what level of admin access users have, and better educating end-users to help them avoid installing malware or disclosing credentials.

In the long run, the Internet needs to undergo significant changes to make it more secure. Otherwise, these types of APT attacks -- and worse -- will keep on happening.

This story, "Massive 'Lurid' APT attack targets dozens of government agencies," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.


Copyright © 2011 IDG Communications, Inc.

How to choose a low-code development platform