Why did Chinese cybercriminals want to breach an American health services company? Perhaps they were hoping to resell personal data or learn how to operate distributed hospital systems for profit. More likely, this was a test—a proof-of-concept attack that was vastly successful in stealing data by undermining the security controls of this Fortune 200 business. Having now proven the attack vector, APT 18 will decide when and where to use the attack on other targets.
How did they do it? This exclusive new infographic highlights the 4 attack stages used by many threats that rely on compromised keys and certificates to bypass existing enterprise security controls. Learn these stages and find out how to ensure your enterprise is not the next headline.
APT 18: UNDERMINING SECURITY
KEYS & CERTIFICATES
THE BAD GUYS HAVE TESTED A POWERFUL PROOF-OF-CONCEPT ATTACK AND PROVEN IT WORKS. WILL YOU BE THE NEXT TARGET?

INTRODUCTION
As reported by Time, Bloomberg, and others, known Chinese cyber-espionage operator APT18 compromised a Fortune 200 American health services organization and stole data on 4.5 million patients. (The graphic depicts the stolen record fields: name, ID, SSN, address.)
ATTACKERS BYPASSED SECURITY CONTROLS: using compromised keys and certificates.

1. ONLY A TEST: PROOF OF CONCEPT

ATTACK STAGE 1: STOLE PRIVATE KEYS
Attackers used Heartbleed to compromise private keys.
ATTACKERS BYPASSED SECURITY CONTROLS: in addition to Heartbleed, they could have used any of the millions of malware variants that steal keys and certificates to bypass security controls.

ATTACK STAGE 2: GAINED ACCESS
The attackers breached the company using stolen private keys and VPN credentials. The private keys were used to decrypt live data.
ATTACKERS BYPASSED SECURITY CONTROLS: circumventing firewalls, authentication, and other security controls.

ATTACK STAGE 3: EXPANDED FOOTHOLD
Once in, attackers worked to elevate privileges and expand access. They stole or created new SSH keys and certificates for future backdoor access and exfiltration of data.
ATTACKERS BYPASSED SECURITY CONTROLS: including firewall, authentication, VPN and privileged access controls, by using stolen keys and certificates to hide their activity.

ATTACK STAGE 4: EXFILTRATED DATA
The attackers exfiltrated data using SSL. Most security controls do not conduct SSL inspection or have ALL of the keys necessary to decrypt ALL traffic, leaving a huge blind spot.
ATTACKERS BYPASSED SECURITY CONTROLS: used encrypted SSL/TLS communications to bypass security controls, including DLP, IDS/IPS, threat detection, sandboxing, etc.

WARNING
APT18's test attack was vastly successful in stealing data by undermining the existing security systems. What will be their next target? Have you protected your keys and certificates from misuse, such as a Heartbleed compromise, malware, or other exploits?

PROTECT YOUR BUSINESS
1. Secure: Find all keys and certificates
2. Enforce: Apply policies and workflow requirements
3. Detect: Identify changes, misuse, and anomalies
4. Respond: Replace keys and certificates automatically

Learn how to protect your business at www.venafi.com/apt18-attack
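The four steps above (find every key, detect misuse and anomalies, replace compromised keys) can be turned into concrete checks over a key and certificate inventory. The following is an added example written for this page; it is not code from the infographic or from Venafi. It uses only the Python standard library and a constructed inventory: every host name, certificate serial, key hash and SSH key below is made up for illustration. The one external fact it relies on is the public Heartbleed disclosure date, 2014-04-07; any private key that was served by a vulnerable OpenSSL process before patching must be treated as exposed. The checks flag the three failure modes the stages describe: a certificate re-issued on the same (exposed) key pair, one key shared across several hosts, and an SSH authorized key that is not in the approved baseline.

```python
"""Key and certificate inventory checks: Secure, Detect, Respond.

Added example (not from the infographic or Venafi). All hosts, serials,
key hashes and SSH keys are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
import base64
import hashlib

# Heartbleed was publicly disclosed on 2014-04-07. Any key that lived in a
# vulnerable OpenSSL process before the patch must be assumed compromised.
DISCLOSURE = date(2014, 4, 7)


@dataclass(frozen=True)
class CertRecord:
    host: str
    serial: str        # certificate serial (constructed)
    not_before: date   # start of validity
    spki_sha256: str   # hash of the public key; same key pair => same value


# Constructed inventory ("Secure: find all keys and certificates").
INVENTORY = [
    # vpn-gw: exposed; certificate re-issued after disclosure but key reused
    CertRecord("vpn-gw", "01", date(2013, 6, 1), "k-aaaa"),
    CertRecord("vpn-gw", "07", date(2014, 4, 20), "k-aaaa"),
    # portal: exposed; properly re-keyed (new key hash)
    CertRecord("portal", "02", date(2013, 9, 12), "k-bbbb"),
    CertRecord("portal", "08", date(2014, 4, 9), "k-cccc"),
    # mail: exposed; never re-issued at all
    CertRecord("mail", "03", date(2013, 1, 5), "k-dddd"),
    # intranet: not exposed itself, but shares the vpn-gw key pair
    CertRecord("intranet", "04", date(2013, 6, 1), "k-aaaa"),
]
EXPOSED_HOSTS = {"vpn-gw", "portal", "mail"}


def unrotated_keys(inventory, exposed_hosts, disclosure=DISCLOSURE):
    """Respond check: on each exposed host, the key currently served must not be
    any key that was present on that host on or before the disclosure date."""
    findings = []
    for host in sorted(exposed_hosts):
        certs = sorted((c for c in inventory if c.host == host),
                       key=lambda c: c.not_before)
        if not certs:
            continue
        exposed = {c.spki_sha256 for c in certs if c.not_before <= disclosure}
        current = certs[-1]
        if current.spki_sha256 in exposed:
            reason = ("renewed without key rotation"
                      if current.not_before > disclosure
                      else "never re-issued since disclosure")
            findings.append((host, current.serial, reason))
    return findings


def shared_keys(inventory):
    """Detect check: the same key pair served by more than one host."""
    hosts_by_key = {}
    for c in inventory:
        hosts_by_key.setdefault(c.spki_sha256, set()).add(c.host)
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}


def ssh_fingerprint(line):
    """SHA256 fingerprint of one authorized_keys line, in OpenSSH's
    'SHA256:<base64 without padding>' form. Options may precede the key type."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-")):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found in line")


def _b64(text):
    # Constructed stand-in for a real key blob; the checks never parse it.
    return base64.b64encode(text.encode()).decode()


# Constructed authorized_keys contents per host and the approved baseline.
AUTHORIZED_KEYS = {
    "db-01": [
        f"ssh-ed25519 {_b64('constructed-key-admin')} admin@corp",
        f"ssh-rsa {_b64('constructed-key-unknown')}",   # not in baseline
    ],
}
BASELINE = {ssh_fingerprint(f"ssh-ed25519 {_b64('constructed-key-admin')}")}


def unknown_ssh_keys(authorized_keys, baseline):
    """Detect check: authorized keys that were never approved (possible backdoor)."""
    return [(host, ssh_fingerprint(line))
            for host, lines in authorized_keys.items()
            for line in lines if ssh_fingerprint(line) not in baseline]


if __name__ == "__main__":
    for host, serial, reason in unrotated_keys(INVENTORY, EXPOSED_HOSTS):
        print(f"ROTATE  {host} cert {serial}: {reason}")
    for key, hosts in shared_keys(INVENTORY).items():
        print(f"SHARED  key {key} on {', '.join(hosts)}")
    for host, fp in unknown_ssh_keys(AUTHORIZED_KEYS, BASELINE):
        print(f"UNKNOWN ssh key {fp} on {host}")
```

The "renewed without key rotation" case is the one most often missed after an incident like this: re-issuing a certificate while keeping the original key pair leaves the attacker's copy of the private key fully usable, so the response step has to compare public-key hashes, not certificate serials or dates.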