How the CIA Twists the APT Kill Chain to Avoid Detection

Posted by Avi Kama on Apr 4, 2017 8:01:00 AM

A couple of weeks ago, in my blog on Improving Hacking Techniques Used by the CIA, I talked about how DLL hijacking could be made easier. Looking further at the CIA documents, I found an interesting twist that the CIA puts on the APT kill chain. The APT kill chain is a well-accepted description of the way APTs operate. The chain contains 7 stages (as described on Wikipedia):

  1. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
  2. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
  3. Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives).
  4. Exploitation: Malware weapon's program code triggers, which takes action on target network to exploit vulnerability.
  5. Installation: Malware weapon installs access point (e.g., "backdoor") usable by intruder.
  6. Command and Control: Malware enables intruder to have "hands on the keyboard" persistent access to target network.
  7. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

As the CIA documents demonstrated, it is infeasible to block all vulnerabilities. An attacker with the means will find a way in. That’s why most security companies focus on identifying APTs while they are already operating in the network. APTs will most likely need to perform lateral movement, exfiltrate data to the internet, and access critical resources on the network from endpoints that are not obviously allowed to do so.

For this reason, anomaly detection is critical for network security. If a security product can identify which operations on the network (or endpoint) are legitimate and which are not, it becomes extremely difficult for an intruder to do anything. Suppose, for example, a security solution can distinguish all file read operations performed by legitimate users from automated, software-generated requests that did not originate from a user action. Any malware in this predicament could not achieve its goal, because it could not exfiltrate data without being caught. Although it makes sense to look for APTs this way, the approach falls short when dealing with an attacker such as the CIA.

The CIA attacks do go through the kill chain, but with a twist: they do not need to perform lateral movement, they do not need to access remote files, and they do not need to do anything on the network besides sending the data home (and even that has a twist to it). The CIA is not the NSA. An NSA operation requires strong trojan backdoors (as the CIA leak indicates, Equation Group is the NSA), remote weaknesses, covert network operations and lateral movement; the CIA needs none of this. In the Equation Group report, it is obvious that the NSA needs to make sure the correct target has been reached, via the DOUBLEFANTASY module:

“DOUBLEFANTASY – A validator-style Trojan, designed to confirm the target is the intended one. If the target is confirmed, they get upgraded to a more sophisticated platform such as EQUATIONDRUG or GRAYFISH.”

The CIA does not need that. Reading the CIA documents, one can immediately see that the CIA uses operatives; the use of human intelligence makes things easier on the cyber level. Either a person is sent to carry out the cyber attack, or an insider equipped with a covert cyber weapon releases it. This targeted type of attack is all the verification needed. That person might also be tasked with getting the data back home, either physically or just by sending it through the web.

This way of thinking also explains why the CIA requires such a large arsenal of zero-day weaknesses. Lateral movement on the network lets an attacker infiltrate at some convenient endpoint and reach the target through the network, whereas specific targeting requires specific weaknesses. With no network operations, you are already at your destination at the initial point of infiltration, so a large number of zero-day weaknesses is required to cover each target's particular software.

What about the security products mentioned above? Since almost all of these solutions let the initial infiltration pass and hope to catch the intruder while it is operating, the CIA type of attack will most likely go under the radar. While we think of an APT operation as a breadth-type operation (like the NSA's), some attacks are depth-type, where only the exact targets are attacked with custom-made weaknesses. I believe this type of attack is much harder to detect, as it has almost no clear signature.
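To make the detection gap concrete, here is an added example (not code from the original post or from Preempt): a toy network-side anomaly detector with three rules in the "catch them while operating" style, run over two constructed event traces. The host names, paths, byte counts and the 50 MB threshold are all made up for illustration.

```python
"""Toy network-side detector vs. breadth-type and depth-type traces (constructed example)."""
from collections import Counter

def detect(events, baseline_peers):
    """Return alerts for the network-visible stages: lateral movement,
    remote file access and exfiltration volume. Local activity is invisible to it."""
    alerts = []
    bytes_out = Counter()
    for e in events:
        kind = e["type"]
        if kind == "smb_session" and e["dst"] not in baseline_peers.get(e["src"], set()):
            alerts.append(("lateral_movement", e["src"], e["dst"]))
        elif kind == "remote_file_read":
            alerts.append(("remote_file_access", e["src"], e["path"]))
        elif kind == "net_out":
            bytes_out[e["src"]] += e["bytes"]
            if bytes_out[e["src"]] > 50_000_000:  # arbitrary exfil threshold
                alerts.append(("exfil_volume", e["src"], bytes_out[e["src"]]))
        # "local_file_read" never matches: it would need endpoint telemetry.
    return alerts

# Constructed baseline: wks-07 normally talks only to the file server.
BASELINE = {"wks-07": {"fileserver"}}

# Constructed breadth-type trace: foothold on wks-07, pivot to the real target eng-01,
# pull the file over the network, then push a large blob out.
BREADTH = [
    {"type": "smb_session", "src": "wks-07", "dst": "fileserver"},
    {"type": "smb_session", "src": "wks-07", "dst": "eng-01"},
    {"type": "remote_file_read", "src": "wks-07", "path": r"\\eng-01\c$\design\plans.dwg"},
    {"type": "net_out", "src": "wks-07", "bytes": 80_000_000},
]

# Constructed depth-type trace: the implant already runs on eng-01 (placed by an
# operative), reads the file locally and sends one small blob home.
DEPTH = [
    {"type": "local_file_read", "src": "eng-01", "path": r"C:\design\plans.dwg"},
    {"type": "net_out", "src": "eng-01", "bytes": 2_000_000},
]

if __name__ == "__main__":
    print("breadth-type alerts:", detect(BREADTH, BASELINE))  # three alerts
    print("depth-type alerts:", detect(DEPTH, BASELINE))      # none
```

The breadth-type trace trips all three rules, while the depth-type trace produces nothing, which is the "almost no clear signature" outcome described above.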

Preempt Research Team Blog
