The attacker was interested in extracting large volumes of sensitive data, which he did, sending it encrypted to a compromised host in Malaysia, said Gnesa. The Swiss firm found out something was amiss after the attacker brazenly attempted to send money into a foreign bank account based on signatures and documents he had stolen. But the Swiss bank thought the requested funds transfer to be suspicious and notified the victim's firm. At that point, Ptrace was brought in to pull together a forensics analysis of what had happened.
Gnesa said he thinks the attack took about two weeks to carry out in full -- but it took a month and a half to really understand the details of it.
The main countermeasures he could recommend to try and prevent this type of stealthy attack to exploit stolen data is to use security event and information management tools -- such as HP ArcSight, Novell Sentinel, Tripwire Log Center and Splunk, among others -- to get a view on unusual traffic. It also would help to have staff training to understand the nature of targeted attacks.
"If an attacker wants to get inside your network, he will," said Gnesa. "The only thing you can do is make it harder for him."
He said after the Swiss firm completed its investigation into the attack, the company made changes, such as adding an individual responsible for security, and prohibiting use of social networks, plus changing the network topology.
This type of stealthy attack to steal important documents and information is often carried out to provide this data to industry competitors or nation-states. The attacks have come to be known as "advanced persistent threats" (APT) and other security experts speaking at the Hacker Halted conference said they see evidence of them all the time.
"I have never walked into a network that wasn't already owned," said Matt Watchinski, vice president of vulnerability research at Sourcefire, who also gave a presentation at Hacker Halted. "The real question is -- how long were you owned?"
He said a common pattern is that the IT security people fighting these APTs, which today often get blamed on Chinese attackers, go to their boss and say, "yes, we got rid of the Chinese." But you didn't, they're back."
He said one company he knows has had hundreds of Flash zero-day exploits for PDF thrown into the company's corporate email over and over again for a phishing attack, and once a week one would get into the network.
Considering that Flash zero day exploits are being sold for up to $250,000 each, Watchinski said it's easy to think about these particular zero-day PDF attacks that "this guy blew through $5 million." Eventually the attacker stopped sending his PDF Flash zero-day exploits, and "he moved on to someone else in the industry."