The APT Logical Fallacy: More Harm Than Good

A preferred attack vector in 2011 is the precisely targeted spear phishing email which delivers a malicious payload to the victim's computer and soon compromises the company's network for the purpose of finding and extracting valuable intellectual property (IP). This attack vector has compromised numerous high profile organizations in 2011 including EMC's RSA SecurID division (March), the International Monetary Fund (June), and Battelle Memorial Institute (July). McAfee "Night Dragon" report identified 5 energy companies that were attacked in the same way. In fact, a July 1st report by Cisco [1] announced that spam is decreasing in favor of this attack vector because it's more efficient and the return on investment is greater for the actors who engage in it.

The problem arises when the a decision is made by the company executives or government officials to label such an attack an "Advanced Persistent Threat". First, the name itself is an oxymoron if it's used to describe what happened. Once an attack occurs, you can't call it a "threat". Someone "acted" against you. They didn't "threaten" to act. And a spear phishing attack isn't "advanced".  It's rather mundane, albeit effective. Granted the payload may be advanced, but it doesn't have to be.

If you belong to the "APT is a Who" school, like my friends at Mandiant and the U.S. Air Force (who use my book in their cyber certification courses, by the way), then APT is a code word meaning "China". No such code word exists for other countries who use targeted spear phishing attacks, which is where the logical fallacy in the title of this post comes in to play. It's proponents say that's because no other country engages in this type of attack. Simply put, Eastern European hackers rob banks, Chinese hackers steal IP. End of story. So when an incident occurs that involves a non-financial organization like Battelle, the IMF, or an energy company, and if the attack vector is a targeted email with a malicious payload, the culprit must be China. Why? Because it fits the modus operandi of the APT.

When you diagram that belief as a logical syllogism, it might look like this:

Major Premise: A targeted spear phishing attack against ABC company (a non-financial target) is an APT.
Minor Premise: All APT attacks originate from China.
Conclusion: China attacked ABC company.

Unfortunately for APT advocates, the evidence presented often doesn't support this logic when it relies on IP addresses based in China. See my earlier post on the fallacy of Chinese IP addresses. It also ignores the fact that Ukrainian, Romanian, Russian, and other Eastern European hackers have moved from financial crime to IP-related attacks utilizing the spear phishing model and the Zeus (aka Zbot) trojan as far back as January 2010 and have continued to the present day. NetWitness [2] released an excellent report on the Kneber botnet which is responsible for compromising data from about 2500 corporate and government organizations world-wide. Chinese IP addresses figure prominently in these attacks, yet the responsible parties are Eastern European hacker crews who would find a receptive audience among the Russian Federation security services for at least some of the exfiltrated data.

Domains registered to Hilary Kneber
One of several times that my name has been used by this crew was in a spear phishing attacks aimed at military employees on in mid-June, 2010. It happened to be launched 24 hours before a briefing that I was scheduled to give to Maj General Abraham Turner (COS USSTRATCOM) on June 16. Fortunately, I was able to include it as a real-time example in my briefing by way of this slide:

Part of an UNCLASS briefing to COS USSTRATCOM 16 JUN 10
The APT logical fallacy does more harm than good because it overstates the threat from one nation while denying the activities of others that are equally widespread and possibly more effective operationally. This may not make much difference to the corporate executive whose defensive strategies would be the same regardless of where the attack originates from but it makes a huge amount of difference to policy makers, military leaders, and politicians who, because of bad conclusions stemming from faulty evidence assessment may influence national policy in ways that can harm the interests of the U.S. while aiding its adversaries. Is China engaging in widespread theft of IP? Yes, of course, but so are other nations. We used to call it industrial espionage or just plain spying. Unless you've got code names for every developed and developing nation on earth, blaming everything on APT/China is the equivalent of running a disinformation campaign for the Russian Federation. After all, it can't be the Russians, they only do financial crime, right?

[1] Cisco White Paper "Email Attacks: This Time Its Personal", June 2011
[2] NetWitness White Paper "The Kneber Botnet: A Zeus Discovery and Analysis", released January 2010


  1. The conclusion I draw is that the reason for executives and policymakers to use APT and blame China is that, to non-security specialists, it sounds authoritative even if they don't really understand the source and methods of a particular attack.


Post a Comment