- They tend to work from 9-5, suggesting they are professionals and this is their job
- They are methodical in their work and it is not random
- They target Defense manufacturers, military and government personnel
- They make use of compromised SSL certificates
- They make use of compromised credentials to gain access to military and government email and documents
- They compromise systems by conventional means, but they stay under the radar and are precise about which systems they compromise and what they do on them
- They use customized tools
- They leverage tools available on the compromised systems
Like any attacker, they make mistakes. I won't share those here considering the public nature of a blog, but suffice it to say that the trail is evident.
Most people are intent on finding the bad guys and removing the threat from their organization. That is fine as far as it goes, but this is also where counter-intelligence plays a role. Passive monitoring can pay off if you don't rush to shut them down: watching what they touch tells you what they are after, which credentials they hold, and where else they already are. They do not make half-hearted attempts at compromising assets, and they make good use of their time on a compromised asset, so your detection, analysis and decision making must be just as rapid.
Digital Forensics and Incident Response techniques play an important role in monitoring their activities.
How can you combat them? I use what I've been calling the holy trinity of Digital Forensics.
- Memory dumps (volatile state: running processes, network connections, injected code and credentials that never touch disk)
- Disk images (the persistent record: dropped tools, staged data, timestamps and the artifacts of tools already on the box)
- Emergency NSM (network security monitoring stood up around the affected hosts: full packet capture plus session and flow logs, so you see what they do from the moment you start watching)
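One thing the emergency NSM data buys you is the ability to turn the first observation above, that they keep office hours, into a measurable check rather than a gut feeling. The script below is an added example, not code from the original post: it takes connection records to a suspect external address, tries every UTC offset, and reports the offset under which the activity best fits a weekday 09:00 to 17:00 window. The tab-separated log format, the 10.0.0.5 victim host, the 198.51.100.23 suspect address and the UTC+8 offset baked into the sample are all constructed for the example; adapt `parse_log` to whatever your sensors actually produce.

```python
"""Working-hours profiler for attacker activity in NSM connection logs.

Added example (not from the original post). Turns the "they work 9 to 5"
observation into a heuristic: given connection timestamps to a suspect host,
find the UTC offset under which the activity best fits a weekday business
window. The log format (epoch seconds, src, dst, dst_port, tab-separated)
is an assumption made for this example.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 17        # local hours in [09:00, 17:00)
SUSPECT_DST = "198.51.100.23"       # constructed suspect address (TEST-NET-2)


def make_sample_log(offset_hours=8):
    """Constructed sample: five weekdays (2010-01-04 Mon .. 2010-01-08 Fri)
    of hourly connections to SUSPECT_DST made between 09:00 and 16:59 in
    the attacker's local time (UTC+offset_hours), plus one overnight
    internal connection per day from the same victim host as noise."""
    tz = timezone(timedelta(hours=offset_hours))
    lines = []
    for day in range(4, 9):
        for hour in range(WORK_START, WORK_END):
            local = datetime(2010, 1, day, hour, 12, tzinfo=tz)
            lines.append(f"{int(local.timestamp())}\t10.0.0.5\t{SUSPECT_DST}\t443")
        night = datetime(2010, 1, day, 3, 0, tzinfo=timezone.utc)
        lines.append(f"{int(night.timestamp())}\t10.0.0.5\t10.0.0.200\t445")
    return "\n".join(lines)


def parse_log(text, dst_filter=None):
    """Parse log lines into timezone-aware UTC datetimes, optionally keeping
    only connections to one destination address."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, _src, dst, _port = line.split("\t")
        if dst_filter and dst != dst_filter:
            continue
        events.append(datetime.fromtimestamp(int(ts), tz=timezone.utc))
    return events


def fit_score(events, offset_hours):
    """Fraction of events that land on a weekday inside the work window
    when the timestamps are viewed in UTC+offset_hours."""
    if not events:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ev in events:
        local = ev.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events)


def best_offsets(events):
    """Score every offset from UTC-12 to UTC+14 and return (best_score,
    [offsets]); ties are listed so the analyst can see when the data does
    not separate neighbouring zones (a half-day of beacons rarely will)."""
    scores = {off: fit_score(events, off) for off in range(-12, 15)}
    best = max(scores.values())
    return best, sorted(off for off, s in scores.items() if s == best)


def hour_histogram(events, offset_hours):
    """Count of events per local hour, for eyeballing the shape of the day."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ev.astimezone(tz).hour for ev in events)


if __name__ == "__main__":
    evts = parse_log(make_sample_log(), dst_filter=SUSPECT_DST)
    score, offsets = best_offsets(evts)
    print(f"{len(evts)} connections to {SUSPECT_DST}")
    print(f"best fit: UTC{offsets[0]:+d} (score {score:.2f}), ties: {offsets}")
    for hour, n in sorted(hour_histogram(evts, offsets[0]).items()):
        print(f"  {hour:02d}:00  {'#' * n}")
```

A clean fit on a single day is meaningless; the heuristic only carries weight over a week or more of activity, and a lunch gap or a five-day pattern with silent weekends is stronger evidence than the offset alone. Combine it with the other observations (tooling, targets, credential use) rather than treating the time zone as attribution by itself.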
In the words of others, these guys are "top shelf". They are professional reconnaissance teams: they slip in under the radar, they do not waste time, and they have one goal in mind, to collect information. There are ways to identify them and to watch them, but you must move as quickly as they do, and you and your organization need to be as committed as they are.