Amazon

19.4.11

APT = inAPTitude please pass the FUD

So, the Oak Ridge National Laboratory was absolutely pwned. How do we know it's "that bad" you ask? If they had to unplug from the Internet (read Facebook) for any amount of time, you know it's not good. I feel like we should address the immediate assigning of the breach to a determined nation state. Here's why I don't think you can call this APT now. For the record APT is defined well here: http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html

1. The incident analysis is ongoing. There's no way they have had time to give full attribution already. If they could, you wouldn't need to completely disengage from the entire Internet.

2. A phishing attack with and alleged IE 0-day is not that advanced. Anyone with basic skill in Metasploit or the Social Engineering Toolkit could have done this with a 10 year old payload and completely bypassed whatever A/V they think protects them.

3. That place is wide open. For the most part it's an academic research facility full of foreign nationals several of whom are from "sensitive countries", whatever that means. One walk across the lawn and you will see enough to know what I am talking about. This is not to say that anyone form a foreign country means the US harm.

4. That place gets owned all the time. I mean just use Google and you can read about it happening every few years. Despite this the same personnel and outdated protection schemes remain instantiated, welcome to the government.

5. The lab director states there was no large-scale exfiltration detected. If you had an advanced determined attacker, they could exfiltrate without you knowing. Seriously, what ports are you allowing outbound from your users. When they SSH tunnel out to avoid your proxy do you know what data is in said tunnel?

6. Even if you get some IP address in a nation we aren't cozy with, that isn't immediate attribution to said government. That could be someone in this country using one of their IP addresses as a pass through. Jumping to conclusions during an investigation is unhealthy and may give a false sense of closure.

I was saddened to learn this happened at ORNL. It was worse to have the director of the lab jump on the bandwagon of APT before the post-mortem analysis is complete.