APT Threats Today Need a Different Kind of Response

Summary Bullets:       

• The ‘Flame’ advanced persistent threat (APT) is invisible to commercial AV defences and may lie dormant for years.
• Combating APTs may create a new role for the ITU and further international anti-malware efforts.

The latest news on the (often purported to be state-sponsored) APT front is a massive piece of spy software, dubbed ‘Flame,’ which seems to have been around for many years - at least since 2010.  The worm was discovered by accident when security vendor Kaspersky was looking for another mystery APT dubbed ‘Wiper,’ which has been deleting files on servers in the Middle East for some time.  Much like earlier APTs such as ‘Stuxnet’ and ‘Duqu,’ Flame exploits software and hardware vulnerabilities that evade any of the known AV defences and infects desktops and servers in multiple ways (USB, LAN, drive-by etc.); similar to these other APTs, it appears to harm or spy very selectively, so it may reside dormant on a large number of Windows PCs.  Flame is different in that the remote controllers can install different modules (e.g., taking control of the PC’s microphone to record conversations) on infected machines depending on what kind of information the controllers want to steal.  So, the net-net is we do not know if our desktops or data centres are infected, and consequently whether they are actively or passively spying on us and stealing our data.  We might seek some comfort in the belief that this malicious (often Middle Eastern) activity is politically rather than commercially motivated, but state-sponsored industrial espionage is an obvious use as well. Read more of this post

Tags: