Threat Research

M-Trends #6 – It Pays To Be Persistent: Financially Motivated Attackers Are Shifting Toward Long-Term Presence

Our sixth and final M-Trend from Mandiant's M-Trends report deals with the increase in persistence mechanisms we've seen in financially motivated intrusions. As we describe it in the report, financially motivated attackers are shifting toward longer-term presence on victim networks.

Taking you back to the old days of commercial computer intrusions (like the not-so-distant 1990s), attackers were often opportunistic and got in and out quickly. While they would occasionally repeat attacks against the same target with the same method, we did not see persistence as a primary M.O. until the early 2000s with the emergence of the advanced persistent threat (APT). So the "P" in "APT" is there for a reason.

Recently, we have seen the similar adoption of persistence mechanisms by financially motivated attackers. For an example of this, check-out the graphic on the left side of page 7 in M-Trends. It highlights a particular financial institution that we responded to last year. In that investigation, 453 systems were compromised (some trace of malicious activity) and 241 of those had some kind of malware on them. A whopping 96 of those had the Poison Ivy Remote Access Trojan (RAT), which allowed remote control of these devices through the company's proxy server. The key thing to note is out of the 45 systems that had proprietary malware on them, we found 18 different backdoors that the attacker could use for persistence. In other words, if the organization had found all 96 systems with Poison Ivy, the attacker could have chosen from multiple backdoors to get back into the organization's system. While this devotion to persistence is completely normal in cases of state-sponsored economic espionage, it was unusual to see it in financially-motivated theft during 2011.

It has been fun writing this series of posts on our M-Trends report. This is my final entry in that series, however, I plan to write future posts on issues that affect our customers. If you missed my earlier posts in the series, just click here to read about trends 1, 2, 3, 4 and 5.