ADVERT
The Register
When the bad guys design malware just for you
How a government agency averted disaster

Conventional anti-malware tools may stop viruses that are already well known to cybersecurity researchers, but what happens when state-sponsored hackers tweak sophisticated malware to target your organisation with a unique attack?

This is what happened to the US Office of Personnel Management (OPM) between 2013 and 2015. The government agency finally identified and stopped the attack with help from next-generation anti-malware vendor Cylance – but not before millions of records had been taken.

The OPM lost 4.2 million personnel records, 5.6 million fingerprint records, and background investigation reports on 21.5 million government workers. Without Cylance’s help the malware that stole the records might still be lurking on government systems.

An entire section of a Congressional report on the OPM breach is dedicated to Cylance’s detection of malware on the agency’s systems. “The significance of the cutting-edge preventative technology offered by Cylance in responding to the OPM data breach cannot be overstated,” the report says.

Spotting the unknowable

Cylance does not work in the same way as traditional anti-malware programs. These maintain a large database of digital fingerprints representing individual malware strains, and many of them suffer from one devastating drawback: they cannot fingerprint a malware file they have never seen before. A file modified even slightly from a known sample no longer matches, which leaves them vulnerable to new attacks.

Cylance instead uses artificial intelligence (AI) and machine learning, which analyses millions of files gathered from multiple sources. It teases out thousands of characteristics from each file and builds a deep model that can accurately identify malicious files. It can use this model to sniff out malware that no one has seen before.

The OPM’s director of information technology security operations, Jeff Wagner, explains: “It doesn’t use a standard signature of heuristics or indicators like normal signatures in the past. It uses a unique proprietary method.”

Rescue mission

The OPM called on Cylance in June 2014, less than three months after the government agency became aware of a significant attack on its systems in which manuals and other documents were stolen from its network. Even as it was tracking these attackers, a second set of hackers was already making its way around the agency’s infrastructure, moving laterally between computers to target government information.

OPM executives signed a product evaluation agreement to test two products from Cylance. One was CylanceV, a threat detection tool just for endpoint computers; the other was Protect, which uses Cylance’s artificial intelligence technology to analyse all machines on an enterprise network, including servers and endpoints. It finds malicious files, automatically quarantines them and prevents them from running.

In September 2014, OPM security officials returned to Cylance and purchased a licence for the CylanceV product. Internal politics prevented them from purchasing Protect, although the Congressional report shows that key employees within the government organisation dearly wanted Protect installed as well.

A second attempt

It wasn’t until April 2015 that the OPM finally realised it was under attack from the second set of hackers. Now, the agency had to find out just how bad the problem was.

Almost immediately after the discovery of this new hack, OPM reached out to Cylance once more. Cylance agreed to provide Protect on an evaluation basis, but took an unusual step: because the agency was in crisis mode and fighting an active intrusion, the vendor agreed to let OPM install it on as many computers as it wished.

Key Cylance personnel arrived at OPM to help the agency with incident response. During the next two days, OPM deployed Protect to more than 2,000 devices. The results were staggering. According to one Cylance engineer, Protect “lit up like a Christmas tree”. The OPM systems were riddled with malicious software.

Within hours the system found four malicious executables it considered unsafe on Cylance’s scoring system. Subsequently the Protect software found 39 Trojan malware installations across the OPM network that scored the most negative rating possible. This indicated that they could only have been there to maliciously infiltrate the OPM’s systems and steal its data.

It found Windows Credentials Editors, fake antivirus files purporting to be products that the OPM had never used, malicious downloaders and even command shells that gave attackers unfettered access to OPM systems. It also found another smoking gun: RAR files – compressed, encrypted files used to shrink and obfuscate sensitive data before removing it from a system.

Just a few days after the software was installed, Cylance engineers found evidence of a remote desktop protocol session that had allowed attackers to reach an OPM database of background investigation documents. Cylance staff were even able to pinpoint when the session had taken place: June 2014.

Nervous about affecting digital forensic evidence, OPM staff only ran Protect in Alert mode. In this mode a human must analyse the tool’s results and decide whether to let a file run. For some time they were unwilling to set Protect to its highest security level, Auto-Quarantine, in which the product automatically prevents malicious files from running and quarantines them.

When OPM employees finally flipped that switch, the program began protecting them proactively. On May 1, 2015, Cylance employees told key OPM executives that Protect had prevented an infection by a Trojan strain called Upatre/Dyre which was completely unknown to other cybersecurity companies. The product stopped the software from running before it could do any harm.

Given OPM’s situation, Cylance extended its demonstration period, allowing the agency to run the product largely unrestricted for 74 days, often with on-site help from its experts. By the time the demonstration ended, Protect had been deployed to more than 10,250 devices at OPM, and had detected and blocked almost 2,000 pieces of malware, including the malware samples responsible for the 2015 breach.

The OPM purchased a perpetual licence for Cylance’s product in July 2015. It’s too late for the organisation to retrieve its lost records, but at least it now enjoys full malware protection.

The moral of the story? Don’t wait for an attack. Make the call and install before things get critical.
