Hydraq - An Attack of Mythical Proportions
Over the past couple of days, media outlets have been abuzz with news of a cyber attack on Google. A number of people have theorized political intent and the implications of these attacks.
First, a little background. The critical infrastructures of large corporations are attacked on a daily basis. Some companies are targeted more than others, but all of them are targeted by either hackers who like to put a large feather in their cap, or by hackers trying to steal information for monetary gain. As in all cases with large companies the attacks are investigated thoroughly to make certain that networks and data are not compromised.
As with all targeted attacks, this particular attack was tailored to target a small number of corporate users. The attack vector in this instance could be one of many. A hacker only requires an unpatched computer to visit a website of the hacker's choice, or open a document crafted by the hacker. This can be done by sending a malicious document attached to an email or sending a spoofed email message with a link to a malicious website. Once this is done the hacker installs a back door on the computer that allows him to gain complete control. This grants access to all information stored or passing through the compromised computer. It is vital to note that such hackers don't try to take over all computers within a corporation. All they need is one computer in order to enter an intranet and then seek the information of their choosing. The current case is no different. A very small number of people were attacked using a combination of such vectors, resulting in back door Trojans being installed. More details of the Trojan, detected by Symantec as Trojan.Hydraq and Trojan.Hydraq!gen1, can be obtained from our Threat Expert blog.
There is evidence to show that documents attached to an email message were a method of infection. There are also reports of an unpatched vulnerability in Microsoft's Internet Explorer, which allowed even fully patched computers to become infected once they were lured into visiting a website of the hacker's choosing. We've also seen multiple variants of the Trojan, which confirm that the authors of the malware were constantly improving control of compromised computers by updating the Trojan. This can mean only one thing: the hackers didn't employ one technique across the board, but used different files along with different combinations of attack vectors in order to compromise a network.
We've seen changes happening in cyber attacks for several years now. This attack just brings to light the stark difference we see today as compared to Trojans from a decade ago. In the past, malware authors wanted everyone to know their name and so were doing things such as changing the desktop backgrounds of computers to showcase their ability to compromise a computer. Today, the cyber world is a very different place. Today’s malware authors would rather stay under the radar on one computer for as long as possible, than risk their exposure by trying to infect 100 computers.
We will continue to do whatever we can to protect our customers' assets as more information comes to light about the cyber attack on Google. We advise customers to apply patches where they can, and update their security suite solutions on a regular basis. There are a number of Symantec solutions that can help, such as Data Loss Prevention Network Prevent, which is effective at detecting or blocking the exfiltration of user data via a network protocol following a successful hack into a server; Critical System Protection, which can harden servers that contain critical data and stop unauthorized applications and services from accessing information or prevent data from being moved off the server; and Control Compliance Suite (CCS), which can be used to protect against incursions by hackers or targeted malware by ensuring that patches and configurations of externally facing devices such as firewalls are up to date. Additionally, there are service programs such as Security Program Assessment, which evaluates the maturity of an information security program. We also urge customers to block traffic to known malicious sites where possible.