New APT Threats Target India, SE AsiaExperts: Situation Exacerbated by Legacy Security Mindset
This is part one of a two part feature on the state of APT defense in Indian organizations.
See Also: 2016 State of Threat Intelligence Study
As the world at large deals with targeted attacks, the Asia region may be seeing heightened advanced persistent threat activity according to one security vendor, FireEye. Asia - especially India - is fertile ground for APT attack groups, presumably nation-state backed, according to details released by FireEye. These kinds of attacks are likely taking advantage of legacy security frameworks and the prevailing perimeter-oriented mindsets, security experts say.
"Too many organizations are still relying on legacy security solutions which aren't effective against today's APT groups," says Bryce Boland, FireEye's Chief Technology Officer for the APAC region. "These groups have learned how to create unique attacks every time to slip straight through those defenses."
A CISO at a leading Indian Bank - who declined to be identified - says he isn't surprised to hear that APT activity in India is thriving and that organizations are not sufficiently equipped to counter it.
"I agree that Indian organizations may not be fully equipped for APT," he says. The primary reason for that conclusion is the level of awareness of the people. "Somehow people feel that having the product and technology is enough, whereas it is not enough for APT resilience."
Another practitioner in the telecom sector confirms that he has also witnessed regional APT activity at his organization.
APT attacks in the region are becoming commonplace and the latest group of threat-actors, believed to be based out of China, targeted over 100 organizations since 2011, of which over 70 percent were Indian organizations, according to FireEye. Another report, released in April by FireEye, chronicled the 10 year-long campaign within organizations in SEA and India by an APT group dubbed APT30.
The APT30 group was also believed to based out of China - although concrete attribution was never achieved - and had been consistently targeting information assets in government, defense and other critical sectors for a decade without being detected, and without having to change its modus operandi, tools or infrastructure. [Please See: Inside An Elite APT Attack Group]
Setting the Context
The group mentioned in the latest release by FireEye is not the same group as APT30, Boland confirms. "We aren't aware of any direct linkages with APT30," he says. However, both groups benefit from the relatively weak cyber defenses common in Asia organizations. Both groups also leverage regionally-relevant content in their spear phishing mails. "Out of the 300+ cyber threat groups tracked by FireEye, this appears to be the second active group in Asia using similar attack techniques and scripts," he says.
FireEye says that the campaign appears to target information about ongoing border disputes and other diplomatic matters. It believes that the group behind the operation sent targeted spear phishing emails containing Microsoft Word attachments to its intended victims, pertaining to regional issues, and contained a script called WATERMAIN, which creates backdoors on infected machines. The campaign's attacks have been observed since 2011, and were also detected in April 2015, about one month ahead of Indian Prime Minister Narendra Modi's first state visit to China, according to FireEye.
"Collecting intelligence on India remains a key strategic goal for China-based APT groups, and these attacks on India and its neighbouring countries reflect growing interest in its foreign affairs," Boland says.
The APT30 attackers consistently targeted Indian military, defense and other sensitive government assets, he says. Other countries targeted in the region include Malaysia, Vietnam, Thailand, Nepal, Singapore, Philippines and Indonesia. The victimology and the kind of information these groups are going after indicates state interest or backing.
APT Resiliency Challenge
"Most organizations in India are not really geared to counter APT attacks, because they continue to focus on protection technologies, which are ineffective against the sophistication of APT attacks that use Zero days, military-grade malware and elaborate social engineering campaigns" says Felix Mohan, Chief Knowledge Officer at the CISO Academy and ex-CISO at Bharti Airtel. Controls are all protection-oriented. Focusing just on protection is bound to fail because APTs are persistent to the point that they will find a way in. Mohan was also a former Director of IT for the Indian Navy.
Experts agree that an ecosystem built around detection, response and recovery frameworks is what organizations should instead be looking at.
Mohan doesn't mince words. "The idiom 'Blind as a bat' applies well to Indian organizations; they have no idea as to what is happening in the network," he says. All the VA/PT and security testing that you hear about is external. Whereas, once the attacker is in your environment - which he will eventually penetrate, given his persistent nature - there are no internal defenses, or bulwarks in place to prevent him from doing as he pleases, he says.
So it is more than likely such attack statistics have truth in them, he muses - probably even the China element, given that cyber-warfare is a declared part of Chinese state policy today. "If an organization in India feels it is 100% secure, they are living in a fool's paradise and most likely don't know that they could have already been breached," he believes.
Pragmatic Policies, Disclosure Needed
"When it comes to mid-sized companies or even large enterprises outside the banking sector, there is definitely a gap between the level of threat and the level of preparedness," says KK Mookhey, Founder at NII, a security consultancy. The challenges in the Indian perspective include that investments are being driven by factors other than real risk. Budgets are unclear, and security not still being part of the board agenda, he says.
Moreover, the regulatory climate in most countries doesn't encourage organizations to admit they have been breached. "Around Asia, too often when organizations are notified they have been breached, the question we hear is, 'Do we have to tell anyone?'" says FireEye's Boland. The ensuing silence is benefitting attack groups, since they can keep reusing the same toolset and compromised credentials elsewhere, because organizations don't know which techniques to watch out for. More effective cybersecurity policies on breach disclosure are needed in the region to improve our collective security, he says. [Also see interview with Boland: Security: The New Measure of Success]
Watch out for part two of this piece, which covers recommendations from experts such as Felix Mohan and others on what organizations can do to achieve APT resilience.