March 8, 2022

Staying Persistent: Common First-Level, APT Actions

Note: Verizon Media is now known as Yahoo.

In the popular imagination, nation-state-backed attackers have unlimited resources at their disposal and can exfiltrate sensitive data from anything connected to the internet using expensive and complex malware.

In reality, these Advanced Persistent Threat (APT) groups — especially ones without abundant economic support — often start with common methods to compromise accounts and keep persistence.

The Paranoids have first-hand experience. As a result of our place of privilege protecting Yahoo users, we defend against these attacks every day.  

To date, we’ve sent nearly 500,000 notifications to users who were the targets of identified APT attacks over the course of the program, with the largest number of notifications sent last year.  

And these notifications have the potential to reach a wide array of people. In short: 

  • Do you work anywhere in a university that does research and development for high-tech or government partners? You’re a target.
  • Do you or someone you are related to work in a large company or for any part of the local, state, or federal government, including the military, in any part of the world? You’re a target.
  • Are you a journalist, activist, or politically active in the physical world or online? You’re a target.
  • Do you espouse feelings about democracy, human rights, and justice? You are a target.

The better question for affected users, however, is how they will be targeted. It’s a problem made increasingly difficult by the fact that the tools, tactics, and procedures of these APTs don’t often come with specific indicators of compromise (IOCs).

In that vein, here are the tactics we — as the Paranoids — see these actors employ in their mission to keep persistence: 

👎 They remove legitimate recovery account information and replace it with their own.

Attackers will sometimes remove your legitimate recovery account information and replace it with their own. They will also add doppelgangers, email recovery accounts that look nearly identical to your legitimate one. 

👎 They create application-specific passwords.

Attackers abuse this feature to illegitimately create special passwords for specific applications on devices. Think of the password you generated for your mail to work on a specific device or app such as an iPad or mailbox application.

👎 They change mail forwarding and reply-to settings.

Another way that APT attackers will attempt to remain hidden is to create mail forwarding rules that send copies of all your emails to their email address while leaving the original message in your inbox, unread. It is important after a security alert to check these settings and make sure nothing is amiss.

👎 They create “blocklists” or “filters” to prevent legitimate users from becoming aware of malicious activity in their accounts.

Attackers will often create a “blocklist” or use a “filter” to send messages to the trash that would otherwise make their victims aware of malicious activity in their accounts.

But, if you’re Paranoid like us, you can proactively defend against these attacks by: 

👍 Checking your account settings for unknown recovery accounts — which will give you a heads up on any suspicious logins.

👍 Checking your mail forwarding and reply-to settings, so you can, again, identify suspicious activity. 

👍 As well as seeing if you have any strange accounts in your email filter.

Remember: always follow up by creating strong and unique passwords — ideally using a password manager — and adding strong second factors of authentication.
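The checks above can be expressed as a comparison between an account's current settings and what its owner actually configured. The following is an added example, not Yahoo's code: the settings layout, field names, addresses and the 0.85 similarity cutoff are all assumptions made for illustration.

```python
from difflib import SequenceMatcher

def is_doppelganger(candidate, legitimate, threshold=0.85):  # cutoff is an assumption
    """True when candidate differs from the legitimate address but is nearly identical."""
    a, b = candidate.lower(), legitimate.lower()
    return a != b and SequenceMatcher(None, a, b).ratio() >= threshold

def audit(settings, baseline):
    """Compare current settings (hypothetical layout) with what the owner set up."""
    known = {r.lower() for r in baseline["recovery_emails"]}
    current = {r.lower() for r in settings["recovery_emails"]}
    findings = [("recovery_removed", a) for a in sorted(known - current)]
    for addr in sorted(current - known):
        near = any(is_doppelganger(addr, k) for k in known)
        findings.append(("doppelganger_recovery" if near else "unknown_recovery", addr))
    findings += [("unknown_app_password", n) for n in settings["app_passwords"]
                 if n not in baseline["app_passwords"]]
    fwd = settings.get("forward_to")
    if fwd and fwd.lower() != (baseline.get("forward_to") or "").lower():
        findings.append(("unexpected_forwarding", fwd))
    reply_to = settings.get("reply_to")
    if reply_to and reply_to.lower() != baseline["address"].lower():
        findings.append(("reply_to_changed", reply_to))
    for f in settings["filters"]:
        hides = f["action"] in ("trash", "delete")
        if hides and any(s in f["match_from"].lower() for s in baseline["alert_senders"]):
            findings.append(("filter_hides_alerts", f["match_from"]))
    return findings

# Constructed sample data; every address and name below is made up.
BASELINE = {
    "address": "alex@mail.example",
    "recovery_emails": ["alex.backup@recovery.example"],
    "app_passwords": ["iPad Mail"],
    "forward_to": None,
    "alert_senders": ["security-alerts@"],
}
SETTINGS = {
    "recovery_emails": ["alex.backup@rec0very.example"],
    "app_passwords": ["iPad Mail", "mail-sync"],
    "forward_to": "archive@collector.example",
    "reply_to": "alex@mail.example",
    "filters": [{"match_from": "security-alerts@mail.example", "action": "trash"}],
}

if __name__ == "__main__":
    for kind, value in audit(SETTINGS, BASELINE):
        print(f"{kind}: {value}")
```

The similarity ratio only catches look-alikes that are close in spelling; an unfamiliar recovery address that scores below the cutoff is still reported as `unknown_recovery`.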

About the Team: 

Since 2015, Yahoo’s Advanced Cyber Threats team (ACTT) has worked to counter government-backed attackers as they target our users across the Yahoo ecosystem. The ACTT researches and thwarts advanced persistent threats that target users of Yahoo’s products and services — which include Yahoo and AOL, among other mail partners.