Cyber-Ark comments on details of Mandiant report
A recent report by US-based cyber security firm Mandiant alleges that a Chinese military group, identified in the report only as “APT1”, is one of the most prolific cyber espionage groups and is most likely government sponsored.
According to the report, “APT intruders (and intruders in general) prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”
John Worrall, CMO at Cyber-Ark, the leader in privileged account security and compliance, has made the following comments on the news:
“Yesterday’s Mandiant report on the Chinese military group that they believe to be responsible for more than 150 recent attacks is ground-breaking and critically important for several reasons. Not only does the report clearly outline ‘who’ is responsible for the attacks, it also provides tremendous detail on ‘how’ these attacks are carried out. It’s no surprise that a common denominator in how these attacks are perpetrated is the abuse of privileged accounts.
“While the report does not mention the specific breaches that it reviewed, our research has shown that high-profile attacks such as Saudi Aramco, Stuxnet, Red October, Subway Restaurants, Global Payments, the U.S. Department of Energy, U.S. Chamber of Commerce, Pacific Northwest Laboratory and many more have all followed this distinct pattern. Attackers are using simple means to breach the perimeter (such as spear phishing). Once inside, they immediately target privileged accounts to gain access to additional servers, databases, and other high-value systems. These accounts also allow the attackers to easily hide inside the organisation and exfiltrate data on their own timeline.
“Regardless of where the cyber-attacks are originating from – whether insider attacks or outside groups – it has become abundantly clear that privileged and administrative accounts play a critical role in executing nearly all advanced attacks. This is simply the latest warning about the leading role privileged accounts play in cyber-attacks. It’s time for the industry to act on these warnings. We need to assume that the attackers are inside our networks right now and proceed accordingly by blocking the pathways they’re travelling to access and steal our sensitive data.”
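The pattern described above (perimeter breach, then privileged accounts used to reach additional servers) leaves a concrete trace in Windows Security logs: a privileged logon to a host where that account has no business. The following is an added example, not code from the original article, from Mandiant or from Cyber-Ark. It correlates simplified, constructed logon records loosely modelled on Windows Security events 4624 (logon) and 4672 (special privileges assigned to new logon) and flags privileged accounts logging on outside an assumed admin tier, as well as accounts fanning out across many hosts. The account names, host names and tier definitions are assumptions made up for the example.

```python
"""Flag privileged-account logons outside an allowed admin tier.

Added example, not from the original article, Mandiant or Cyber-Ark.
Records are constructed and simplified; real 4624/4672 events carry
many more fields, but the correlation key (Logon ID) is the same idea.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed privileged accounts and the hosts where their logons are expected.
PRIVILEGED_ACCOUNTS = {"CORP\\da-jsmith", "CORP\\svc-backup"}
ADMIN_TIER_HOSTS = {"PAW01", "DC01"}
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}


@dataclass(frozen=True)
class Event:
    event_id: int      # 4624 = logon, 4672 = special privileges assigned
    account: str
    host: str
    logon_type: int    # only meaningful on 4624; 0 on 4672 here
    logon_id: str      # ties a 4672 to its 4624 on the same host


# Constructed sample log; not real data.
SAMPLE_EVENTS = [
    Event(4624, "CORP\\jdoe", "WKS-042", 2, "0x1a2b"),          # ordinary user, no 4672
    Event(4624, "CORP\\da-jsmith", "PAW01", 2, "0x2c3d"),       # admin on admin workstation: expected
    Event(4672, "CORP\\da-jsmith", "PAW01", 0, "0x2c3d"),
    Event(4624, "CORP\\da-jsmith", "WKS-042", 3, "0x3e4f"),     # Domain Admin network logon to a user workstation
    Event(4672, "CORP\\da-jsmith", "WKS-042", 0, "0x3e4f"),
    Event(4624, "CORP\\da-jsmith", "FS01", 3, "0x5a6b"),        # same admin reaching a file server
    Event(4672, "CORP\\da-jsmith", "FS01", 0, "0x5a6b"),
    Event(4624, "CORP\\svc-backup", "WKS-017", 10, "0x7c8d"),   # service account via RDP to a workstation
    Event(4672, "CORP\\svc-backup", "WKS-017", 0, "0x7c8d"),
]


def privileged_logons(events):
    """Return 4624 logons whose Logon ID also produced a 4672 on the same host.

    The 4672 is what confirms the token actually carried admin privileges;
    matching on (host, logon_id) avoids pairing events from different machines.
    """
    elevated = {(e.host, e.logon_id) for e in events if e.event_id == 4672}
    return [e for e in events
            if e.event_id == 4624 and (e.host, e.logon_id) in elevated]


def out_of_tier_logons(events):
    """Privileged accounts logging on to hosts outside the admin tier.

    Returns (account, host, logon type name) tuples; these are the
    lateral-movement candidates a responder would look at first.
    """
    findings = []
    for e in privileged_logons(events):
        if e.account in PRIVILEGED_ACCOUNTS and e.host not in ADMIN_TIER_HOSTS:
            findings.append((e.account, e.host,
                             LOGON_TYPE_NAMES.get(e.logon_type, str(e.logon_type))))
    return findings


def host_fanout(events):
    """Distinct hosts each privileged account has logged on to (sorted).

    One account touching many hosts in a short window is the "additional
    servers, databases and other high-value systems" pattern in prose form.
    """
    hosts = defaultdict(set)
    for e in privileged_logons(events):
        if e.account in PRIVILEGED_ACCOUNTS:
            hosts[e.account].add(e.host)
    return {acct: sorted(h) for acct, h in hosts.items()}


if __name__ == "__main__":
    for finding in out_of_tier_logons(SAMPLE_EVENTS):
        print("out-of-tier privileged logon:", finding)
    for acct, hosts in host_fanout(SAMPLE_EVENTS).items():
        print(f"{acct} reached {len(hosts)} hosts: {hosts}")
```

In production the tier sets would come from the directory (privileged group membership) and an asset inventory rather than hard-coded constants, and the fan-out check would be bounded by a time window; the correlation logic itself stays the same.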