Data exfiltration is the unauthorized transfer of sensitive information from a target’s network to a location which a threat actor controls. Because data routinely moves in and out of networked enterprises, data exfiltration can closely resemble normal network traffic, making detection of exfiltration attempts challenging for IT security groups.
Figure 1. Targeted Attack Campaign Diagram
Related Costs of Exfiltrated Data
The costs of cyber-espionage to a target organization are only clear after the fact. Risk calculators typically consider the up-front expenses of breach discovery: incident response activities, crisis management, and compliance-related penalties.
Losing competitive advantage in the event that proprietary information is sold to a rival company can threaten the survival of a business enterprise on a broader scale. The “loss” represents not only the research and development expenses to refine a product, but also the sales opportunities and market leadership lost.
Furthermore, as exemplified in the Shadow Network attacks, the attackers were able to lift out documents classified as Secret, Confidential and Restricted. Documents tagged as such, when exposed publicly, may endanger national security. For instance, restricted documents cover data on the design, creation, and use of nuclear materials or weapons.
Varied Means of Exfiltrating Data
While the impact of targeted attacks is noticeable, the effort to siphon data from inside an infiltrated network is not.
We recently released a report about a targeted attack campaign that used EvilGrab, where threat actors put in place backdoors that can capture keystrokes, as well as video and audio of the system’s environment, using attached microphones and video cameras. These features are part and parcel of any remote access Trojan worth its salt. As with typical data exfiltration activities, this stolen information can then be uploaded to a remote server to be accessed by the threat actor.
One way to exfiltrate data is to use the built-in file transfer capabilities of remote access Trojans, malware that gives a remote user full control of a compromised system. Remote access Trojans or similar attack tools will probably already be in use anyway, because the earlier stages of a targeted attack require real-time communication with, and control of, the compromised system by the attacker.
Attackers can abuse legitimate Windows features as well. For instance, attackers can abuse WMI (Windows Management Instrumentation) to monitor and capture recently opened files. The attacker can then send the files over FTP or HTTP so that an IT admin analyzing network traffic mistakes the communication for legitimate activity. Alternatively, the attacker can use Tor to mask location and traffic.
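Because FTP and HTTP uploads blend in with ordinary traffic, one defender-side check is to aggregate upload-type operations from internal hosts to external destinations and flag pairs whose volume exceeds a baseline. The following is an added example, not code from the original post; the log format, the internal network ranges and the threshold are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample egress log (proxy/firewall style): time src dst proto op bytes_out
SAMPLE_LOG = """\
2013-10-01T09:00:01 10.0.1.5 93.184.216.34 http GET 512
2013-10-01T09:00:05 10.0.1.5 93.184.216.34 http POST 4096
2013-10-01T10:12:40 10.0.1.7 10.0.2.20 ftp STOR 734003200
2013-10-01T02:13:00 10.0.1.9 198.51.100.77 ftp STOR 52428800
2013-10-01T02:14:00 10.0.1.9 198.51.100.77 http POST 31457280
2013-10-01T14:30:00 10.0.1.9 93.184.216.34 http GET 1024
"""

# Assumed internal address space; adjust to the monitored network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# HTTP and FTP operations that move data out of the network.
UPLOAD_OPS = {"POST", "PUT", "STOR", "APPE"}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, src, dst, proto, op, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "op": op, "bytes": int(nbytes)}


def upload_totals(log_text):
    """Sum bytes uploaded per (internal src, external dst) over the log.
    Downloads and internal-to-internal transfers are ignored."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["op"] not in UPLOAD_OPS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        totals[(rec["src"], rec["dst"])] += rec["bytes"]
    return dict(totals)


def flag_candidates(log_text, threshold=10 * 1024 * 1024):
    """Return sorted (src, dst, bytes) tuples whose upload volume exceeds the threshold."""
    return sorted((s, d, b) for (s, d), b in upload_totals(log_text).items()
                  if b > threshold)
```

In practice the threshold would come from a per-host baseline of normal upload volume rather than a fixed constant.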
Our researchers predict that in the future, attackers may focus not only on stealing data but on modifying it, turning the main theme of targeted attacks from espionage into sabotage. Our recently published primer on Data Exfiltration: How Threat Actors Steal Your Data goes into detail about the kinds of tools and techniques threat actors use in this component of targeted attack campaigns.
The primer is actually the 5th in the series of primers we’ve developed, each discussing a different stage of an APT.