Which of the following is least likely to be considered an advanced persistent threat? (Select the best answer.)
- Heartbleed
- Operation Aurora
- the 2011 RSA breach
- Stuxnet
Of the available options, Heartbleed is least likely to be considered an advanced persistent threat. An advanced persistent threat is an intrusion in which the attacker has advanced knowledge of intrusion tools and techniques, is fully intent on using the intrusion to achieve a specific mission or goals, and has organizational backing, funding, and motivation. For example, an attacker who obtains access to an organization’s network and remains there for an extended period of time to collect data that can then be used to the attacker’s advantage can be considered an advanced persistent threat.
Heartbleed is a vulnerability, not an advanced persistent threat. Heartbleed is the OpenSSL vulnerability that could allow an attacker to obtain approximately 64 kilobytes (KB) of information from a web server’s memory at regular intervals. The Heartbleed bug, which was discovered in 2014, was a memory-handling bug present in OpenSSL from version 1.0.1 through version 1.0.1f. OpenSSL 1.0.1g was the first version to fix the bug. By exploiting this vulnerability, an attacker can obtain a server’s private key, which could in turn allow the attacker to decrypt communications with the server or perform man-in-the-middle attacks against the server. Although Heartbleed could be used as a component of an attack in an advanced persistent threat, it is not itself an advanced persistent threat.
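As an added illustration (not part of the original answer), the following constructed C model shows why the 1.0.1 through 1.0.1f handler over-reads and what the length check added in OpenSSL 1.0.1g rejects. The `heap[]` array, `build_record`, and the `SECRET` bytes are assumptions of the model, not OpenSSL's own code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a TLS heartbeat request (RFC 6520): 1-byte type,
 * 2-byte payload length, the payload, then at least 16 bytes of padding. */
#define HB_PADDING 16

/* heap[] stands in for process memory: the received record is placed at
 * its start and the bytes after it model neighbouring heap data. */
static unsigned char heap[256];

static size_t build_record(unsigned char *rec, uint16_t claimed, const unsigned char *payload, size_t actual) {
    rec[0] = 1;                             /* heartbeat_request */
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    memcpy(rec + 3, payload, actual);
    memset(rec + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;         /* bytes that actually arrived */
}

/* Vulnerable handler (OpenSSL 1.0.1 to 1.0.1f behaviour): trusts the peer's
 * length field and echoes that many bytes, reading past the record's end. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                          /* never consulted: this is the bug */
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Fixed handler (the check added in OpenSSL 1.0.1g): drop the record when
 * header + claimed payload + padding exceeds the bytes actually received. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Constructed scenario: the record claims 200 payload bytes but carries only
 * "hi"; a constructed secret sits 100 bytes into the model heap. Returns 1 if
 * the handler echoed that secret back, 0 otherwise. */
static int handler_leaks_secret(size_t (*handler)(const unsigned char *, size_t, unsigned char *)) {
    unsigned char out[256] = {0};
    memset(heap, 'A', sizeof heap);
    memcpy(heap + 100, "SECRET", 6);
    size_t rec_len = build_record(heap, 200, (const unsigned char *)"hi", 2);
    size_t echoed = handler(heap, rec_len, out);
    return echoed > 0 && memcmp(out + 97, "SECRET", 6) == 0;  /* out[97] == heap[100] */
}
```

The vulnerable handler returns 200 echoed bytes that include the neighbouring secret, while the fixed handler returns 0 and echoes nothing.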
Operation Aurora could be considered an advanced persistent threat. Operation Aurora was a months-long attack in 2009 that was carried out against multiple companies, including Google and Adobe; it began with a targeted spear phishing email attack. The email delivered malware that was capable of exploiting an Internet Explorer vulnerability to obtain access to the contents of partially freed memory. After compromising company workstations, the attackers used those workstations to obtain access to other company resources and information, which eventually resulted in the loss of intellectual property. The attack was eventually traced to two Chinese education facilities that were thought to have ties to a Google competitor in China.
The 2011 RSA breach could be considered an advanced persistent threat. The RSA breach was an attack against RSA’s SecurID two-factor authentication system. Similar to Operation Aurora, the 2011 RSA breach began with a targeted phishing email that contained a Microsoft Excel attachment. The Excel attachment contained a zero-day exploit that was able to install a back door on a user’s workstation. From there, the attacker compromised other workstations in what appeared to be an effort to retrieve information related to SecurID, such as source code or customer information.
Stuxnet is more likely than Heartbleed to be considered an advanced persistent threat. Stuxnet was used in an act of cyber warfare against Iranian industrial control systems (ICSs). It was written to target specific ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet initially exploited vulnerabilities in the printer spooler service; however, later variants exploited a vulnerability in the way that Windows processes shortcuts (.lnk files). Research from Symantec published in 2011 indicated that at the time, over 60 percent of the Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its variants and discovered that five organizations were the primary targets of infection and that further infections were likely collateral damage from the aggressive manner in which the worm spreads throughout the network. Given the considerable cost in resources and man-hours that would have been required to craft the Stuxnet worm, it was theorized that it was likely intended to sabotage high-value targets such as nuclear materials refinement facilities.