RSA: APTitude adjustmentOpen Letter to RSA Customers.
I will admit that having been in security a long time, that letter was a little vague on the specifics of the attack, the targeting and the nature of the likely consequences. I'm certainly not in RSA's confidence, so my response was fairly non-committal. Still, I can probably claim a few brownie points for guessing that “the attack started with a social engineering attack such as a targeted trojan using some sort of 0-day, and likely embedded in a document rather than as a naked executable,” since a blog at RSA by Uri Rivner is much more informative, at an rate as regards the specifics of the attack.
According to Rivner, this was indeed a classic spear phishing attack, using email-borne social engineering convincing enough to trick one of the recipients into opening mail with the subject “2011 Recruitment Plan,” and then an attached spreadsheet. Perhaps at the height of the macro virus epidemic of the 1990s, the victim would have been more suspicious, but malware has pretty much moved on from malicious macros in Microsoft Office documents. (It had to, once Microsoft made a serious attempt to block that particular vector.) In fact, the mail was apparently convincing enough to persuade him or her to phish – sorry, fish – it out of the Junk folder.
However, this was no old-fashioned macro attack, but exploitation of a (now patched) zero-day Adobe Flash vulnerability , allowing the installation of a remote administration trojan (RAT).
So far, so traditional: Rivner's description is admirably detailed and frank, but there are no surprises here. This is a common approach in cyberespionage (often state-sponsored), and the very use of the term APT does suggest an attack focused on intelligence gathering. Given the kind of work RSA does, it is likely that the ultimate aim is an attack on other entities, perhaps even critical national infrastructure rather than a direct attack on the company and its intellectual property, but that remains pure speculation.
And you'd think – well, I would, anyway – that an enterprise of EMC/RSA's stature and experience would have a pretty good understanding of the kind of multilayered defense that its customers would hope for. So what's so “advanced” about this APT?
To understand this buzzword, you need to understand the essential fuzziness of its buzziness.
Firstly, I don't think advanced really means advanced in this context. Rather, it seems to mean “as sophisticated as it needs to be...” So it could be unremarkable social engineering or a known and mitigated/patched vulnerability, escalating to one or more advanced zero-days if needed.
Secondly, I don't think persistent necessarily means persistent, either, at least in terms of a repeated single attack (updated as necessary). I think it means pursuit of a long-term goal that might merit a highly adaptive attack strategy.
And finally, the distinction in the commonly used APT definitions between a threat and an attack using automated code could be viable and even useful, but it is by no means universal.
In fact, ESET's labs use the term “threat” routinely to describe malware without necessarily making any implicit statement about the originator(s) of the code or their motivation. And I don't particularly see why we should. But then, I don't actually find the APT term particularly useful: maybe that reflects the rather specialized nature of the industry sector in which I work.
One thing is for sure, though. Good, old lo-tech engineering can do a lot of damage all by itself. A mediocre trojan accompanied by the right sales pitch can be very successful. So it is not surprising that the combination of moderately targeted social engineering and a zero-day attack can impact even on the big guns of security. In fact, even a patched vulnerability stays active for longer than you might think. Remember the MS10-92 vulnerability in the Windows Task Scheduler that Stuxnet used for privilege escalation? Those nice people behind TDSS do: it's still there in the TDL4 dropper ...