What State-Sponsored Attacks Can Teach Us About Conditional Access

People often think that state-sponsored attacks from groups like Lazarus (North Korea), Fancy Bear (Russia) or menuPass (China) only target public federal organizations in Western nations like the U.S. This is simply not the case. In fact, attacks on large financial and retail institutions have increasingly been state-sponsored attacks hoping to create chaos more than just theft. These attacks largely come from U.S.-sanctioned states such as Iran, Russia and North Korea, as these hacking groups have come to realize that attacking private organizations can achieve the same goals as attacking public institutions.

In order to achieve optimal chaos, these state-sponsored hackers are often the best of the best – leveraging the best reconnaissance techniques to infiltrate a network and move around to achieve administrative privileges. Commonly used techniques often include pass-the-hash, golden ticket, and Mimikatz to move around the network to find sensitive data. Once critical systems and applications containing sensitive data are compromised, organizations are held for ransom to give in to hacker demands.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Let’s take a look at notorious breaches by two hacker groups in previous years, and what we can learn from them about stopping these attacks.

The Lazarus Group: Experts in Chaos

The Lazarus Group is a nebulous hacking collective, reputed to be part of a North Korean-state sponsored military apparatus. Their exploits range from the WannaCry ransomware outbreak of 2017, the 2014 breach of Sony Pictures, and numerous attacks against U.S., South Korea, and businesses globally.

In 2016, reports suggest they were able to get a foothold into the SWIFT banking network to steal $81 million from Bangladesh Bank (originally $101 million – the bank managed to cancel $20 million of the illicit transactions). The key to the crime? As with many such incidents: compromised credentials. Reports suggest they logged in via malware hidden in a document downloaded by an unsuspecting bank employee. They then hid in a back-up server for a few months, jumping between servers until they could escalate privileges to make fraudulent transfer requests. To prevent detection, they appeared to have disabled a printer that would have alerted employees to suspicious transactions.

The takeaways:

• Admins give away too many privileges that are unnecessary for users to do their jobs. Priority should be reducing the attack surface and reducing stealthy administrators. Preempt’s own research finds 72 percent of networks have stealthy admins.
• Legacy systems have serious design flaws that must be addressed with visibility and control.  Windows protocols like NTLM and Kerberos are particularly vulnerable (read more about these flaws on the Preempt blog here). Security teams must have visibility into any unprotected areas on the network, particularly when using dated protocols.

State-Sponsored Hackers in China: Silent Espionage

In 2015, the U.S. Office of Personnel Management (OPM) was hacked, causing millions of civilians’ personal data — such as social security numbers and fingerprint data — to be stolen. It was relatively quiet afterward in terms of usage of the stolen data, but malware installed in the network was linked to a Chinese hacking group that is associated with China’s Ministry of State Security.

In 2018, Marriott confirmed unauthorized access to the Starwood guest reservation database which contained guest information. The hackers had copied encrypted information from over 500 million guests from Starwood’s database since 2014. Not only was personal information such as phone numbers, passport numbers, and home addresses stolen, but Marriott also confirmed that credit card numbers were likely stolen as well.  

During Marriott’s investigation into the breach, they discovered a remote access trojan (RAT) that allows hackers to access and gain control over a computer. In addition, a penetration tool called Mimikatz was discovered being used to search a device memory for usernames and passwords. After much analysis, the trademarks of this breach pointed to a familiar culprit: the same Chinese hacking group that was behind OPM.

The takeaways:

• Always assume that your credentials are compromised. Implementing strong multi-factor authentication could have mitigated the risk for both the OPM and Marriott breaches.
• The usage of tools and protocols such as Mimikatz should have been treated with more seriousness from Marriott. If reconnaissance tools are being used in the network, it should immediately alert an administrator. Always invest in tools that can help you spot reconnaissance tools that are being used in your network.

Taking action today

From banks to power grids, to even small business, organizations today face the full spectrum of attackers – whether it is financially motivated, criminal hacking groups or a state-sponsored attack.

We know credential compromise is the number-one cause for breaches, and too many enterprises have poor control over privileged accounts, use of reconnaissance and other tools present in their networks, and network vulnerabilities. Organizations need to invest in tools that protect their privileged accounts and stop tools and protocols that could be used maliciously to stop both criminal and state-sponsored attacks. By using a conditional access approach where authentication is required when risk and threat are detected, organizations can eliminate paths for lateral movement in the network and credential compromise and thus protect against some of today’s complex plethora of cybersecurity threats. To learn more, contact us at [email protected]