Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs)
Background
With targeted attacks and advanced persistent threats being very much in the news in 2011, in this section we review targeted attacks and look more closely at what has been described as “advanced persistent threats” or APTs for short. Terms such as APT have been overused and sometimes misused by the media, but APTs are a real threat to some companies and industries.
As noted earlier in this section, overall in 2011, 1 in 238.8 emails were identified as malicious, but approximately one in 8,300 of those were highly targeted. This means that highly targeted attacks, which may be the precursor to an APT, account for approximately one in every two million emails, still a rare incident rate. Targeted malware in general has nonetheless grown in volume and complexity in recent years, and because it is designed to steal company secrets, it can be very difficult for recipients to recognize, especially when the attacker employs compelling social engineering techniques, as we highlight in this report.
Targeted attacks have been around for a number of years now, and when they first surfaced back in 2005, Symantec.cloud identified and blocked approximately one such attack in a week. Over the course of the following year, this number rose to one or two per day and over the following years it rose still further to approximately 60 per day in 2010 and 154 per day by the end of 2011.
A highly targeted attack is typically the precursor to an APT, and the typical profile of a highly targeted attack will commonly exploit a maliciously crafted document or executable, which is emailed to a specific individual or small group of individuals. These emails will be dressed up with a social engineering element to make them more interesting and relevant.
The term “APT” has evolved to describe a unique category of targeted attacks that are specifically designed to target a particular individual or organization. APTs are designed to stay below the radar, and remain undetected for as long as possible, a characteristic that makes them especially effective, moving quietly and slowly in order to evade detection. Unlike the fast-money schemes typical of more common targeted attacks, APTs may have international espionage and/or sabotage objectives.
The objective of an APT may include military, political or economic intelligence gathering, confidential or trade secret theft, disruption of operations, or even the destruction of equipment. Stuxnet was a good, albeit extreme, example of the latter: the malware enabled an attacker to disrupt the industrial control systems within the uranium enrichment process of a particular target.
Another characteristic of an APT is that it will also be part of a longer-term campaign, and not follow the opportunistic “smash-and-grab” approach typical of most malware in circulation today. Its purpose will be to remain undetected for as long as possible, perhaps using a variety of attacks over that period; if one attack fails then a process of continual monitoring will ensure that a follow-up attack may be more likely to succeed a few weeks later with a different approach. If successful, an attacker can use the compromised systems as a beachhead for subsequent attacks.
All of this illustrates how these attacks can be both advanced and persistent threats: a threat because the purpose is to steal data or interfere with the operations of the targeted company, and potentially to exploit the compromised network now under the attacker’s control to target users in other organizations. They are advanced because of the methods employed to avoid detection, such as the use of zero-day exploits, and the means used to communicate with the command and control network; command and control instructions often involve encrypted traffic, typically sent in small bursts and disguised as normal network traffic. Exfiltrating stolen information without detection requires the attacker to avoid easily detectable encryption and to use common protocol channels that would not look out of place, while still keeping the data hidden.
Furthermore, they can be described as persistent because the aim is to maintain a foothold within the compromised company’s infrastructure, and the attacker will use numerous methods to achieve this. The attackers have a very clear and specific objective; they are well-funded and well-organized, and without the right protection in place, these threats have both the capability and the intent to achieve their desired goals.
Methodology
Defining what is meant by targeted attacks and APT is important in order to better understand the nature of this mounting threat and to make sure that you have invested in the right kinds of defenses for your organization.
The types of organizations being targeted tended to be large, well-known multi-national organizations, and were often within particular industries, including the public sector, defense, energy and pharmaceutical. In more recent years the scope has widened to include almost any organization, including smaller and medium-sized businesses. But what do we really mean by targeted attacks and advanced persistent threats?
An attack can be considered as targeted if it is intended for a specific person or organization, typically created to evade traditional security defenses and frequently makes use of advanced social engineering techniques. However, not all targeted attacks lead to an APT; for example, the Zeus banking Trojan can be targeted and will use social engineering in order to trick the recipient into activating the malware, but Zeus is not an APT. The attacker doesn’t necessarily care about who the individual recipient is; they may have been selected simply because the attacker is able to exploit information gathered about that individual, typically harvested through social networking Web sites.
Social engineering has always been at the forefront of many of these more sophisticated types of attack, specifically designed to penetrate a company’s defenses and gain access to intellectual property or, in the case of Stuxnet, to interfere with the physical control systems of an operation. Without strong social engineering, or “head-hacking,” even the most technically sophisticated attacks are unlikely to succeed. Many socially engineered attacks are based on information harvested through social networking and social media Web sites. Once the attackers are able to understand their targets’ interests, hobbies, with whom they socialize, and who else may be in their networks, they are often able to construct more believable and convincing attacks.
The data in this section is based on analysis of targeted email malware identified and blocked by Symantec.cloud on behalf of its customers in 2011.
Data and Commentary
In 2010 Stuxnet and Hydraq grabbed headlines and clearly demonstrated what the security community had warned of for years: that malware could be used for cyber-terrorism, real-world destruction and industrial espionage.
In 2011 Stuxnet became a teachable moment for many trying to explain the need for better cyber-defenses, and an inspiration for security researchers searching for new types of systems that could be hacked. Duqu, discovered in October 2011, brought the news back to the actual threat of Stuxnet. Based in part on actual Stuxnet code, Duqu was discovered performing reconnaissance within a handful of organizations, its future target not yet clear. Reports from Iran of a Star virus may have been an early report of Duqu (data exfiltrated by Duqu was hidden by appending it to the end of a JPG file containing a picture of the solar system), but Duqu contained no payload and we have yet to see any version of Duqu built to cause cyber-sabotage. This offspring of Stuxnet, to this point, remains interested only in gathering information.
Various long-term attacks against the petroleum industry, NGOs and the chemical industry (reported by Symantec as the Nitro attacks) also came to light in 2011. And of course “hacktivism” driven attacks by Anonymous, LulzSec and others dominated security news in 2011. The ongoing arrests of some of the people behind these attacks will clearly dominate coverage in 2012, at least for a while. The hacktivism of 2011 brought on much-needed discussion about fixing poor security practices, and clearly protecting customers’ information should be a top priority for all companies in 2012 and beyond. But hacktivism and high-profile attacks tended to obscure how common targeted attacks had become, and fruitless arguments about the appropriate use of the term Advanced Persistent Threat (APT) drove debate but shed no real light on targeted attacks.
To understand the nature of targeted attacks Symantec collected data on over 26,000 attacks that could clearly be identified as targeted. These attacks were email based and contained a malicious payload.
Using our advanced data analytics framework, named TRIAGE[6], we were able to identify distinct targeted attack campaigns and to define the characteristics and dynamics of these campaigns. From this study we have drawn conclusions about targeted attacks which contradict some popular, but admittedly not universally held, assumptions.
Assumption: Only large corporations, governments and defense industries are being targeted for attack.
The total number of attacks aimed at organizations with fewer than 2,500 employees is roughly equal to the number aimed at organizations with more than 2,500 employees.
Assumption: Only Senior Managers and subject matter experts get targeted
Attackers want to capture the knowledge workers who have access to intellectual property (IP), but they don’t have to attack them directly to get the information they want.
Assumption: A targeted attack is a single attack
Too often organizations think that if they are not the target of a high-profile attack, or if one attack has been blocked, their troubles are over. However, our research shows that a targeted attack can go on for months. The attack will change over time, with new social engineering, new malware, and often leveraging multiple zero-day vulnerabilities. What our research does not show is attackers giving up after one attempt to breach an organization.
[6] Developed by Symantec in the context of the European-funded WOMBAT research project (http://www.wombat-project.eu/), TRIAGE is a novel attack attribution method based on a multi-criteria decision algorithm. This technique has been implemented and used to analyze various types of threats. In 2009 it was used to provide input to the Symantec Report on Rogue Security Software. TRIAGE is currently being improved and enriched with Visual Analytics technologies in the context of another European-funded research project named VIS-SENSE (http://www.vis-sense.eu/), in which Symantec collaborates with five other partners.
The Characteristics of a Targeted Attack
Defining a large versus medium versus small company can be somewhat arbitrary. For the purposes of our research we have defined large companies as those having over 2,500 employees, medium companies as those between 250 and 500, and small companies as those with fewer than 250 employees. When comparing the number of targeted attacks directed at companies with 2,500 or more employees and companies with fewer than 2,500 we see an equal split.
28.3% of all targeted attacks are aimed at small to medium-sized companies, as illustrated in Figure B.13. And despite the commonly held belief among small businesses that they would never be the victims of a targeted attack, 17.8% of all targeted attacks are directed at small businesses with up to 250 employees.
Each of these targeted attacks is a single attack against a single individual. However, this does not mean that each individual is only attacked once. In the targeted attack campaigns analyzed by Symantec a clear picture emerges of the restlessness of attackers once they find a target. The data below shows attacks against an individual we’ve given the alias Mr. X. Mr. X was attacked repeatedly over a nine-month period. In June 2011 alone Mr. X was attacked 24 times, almost daily.
On average a target will see far fewer attacks than Mr. X, but this may reflect the quick success of such attacks rather than the attackers giving up quickly. Additionally, the ability of Mr. X to avoid infection may well be countered by the attackers infecting co-workers.
The strategy of using co-workers to move towards the ultimate target is quite common and may be the go-to method against targets as resilient as Mr. X. Additionally, a large number of attacks against one organization may be used as the opening gambit in an attack where valuable individual targets have not yet been identified by the attacker.
This “spray and pray” method allows attackers to get a foothold in an organization and use that foothold to gather intelligence and to leap to their ultimate target. Think of these as massive attacks that are nonetheless targeted organizationally; in other words, a Massive Organizational Targeted Attack (MOTA). Based on our research, the average targeted attack campaign will comprise 78 attacks targeting 61 email addresses within a 4-day period. And yet some attack campaigns were observed lasting up to 9 months and targeting as many as 1,800 mailboxes. Who are these targets?
While 42% of the mailboxes targeted for attack are high-level executives, senior managers and people in R&D, the majority of targets are people that are unlikely to have such information. Why then are they targeted?
As we’ve said, they provide a stepping-stone to the ultimate target. And in the case of Personal Assistants, Sales and Media (Public Relations) they work closely with people who are the ultimate target. But just as important, these people are also easy to find and research online: email addresses for public relations people, shared mailboxes and recruiters are commonly found on a company’s web site.
Additionally, these people are used to being contacted by people they do not know, and in many cases part of the job requires them to open unsolicited files from strangers. Think of how many resumes a recruiter receives each day as a document or PDF file attachment. Finally, under the illusion that targeted attacks are only aimed at high-level executives or those working with the company’s intellectual property (IP), they are less likely to have their guard up against social engineering.
In Figure B.16, we can see that malicious PDFs continue to be widely used in targeted attacks (over one third of attacks). However, malicious Zip and RAR archives are starting to be commonly used by attackers (27% of the attacks). It is worth noting that PE32 executable files attached to emails are very infrequent in targeted attacks.
Looking at the breakdown of targeted attacks by industry, it is not surprising that the most frequently targeted organizations are Governments. These organizations see the most attacks and this data will come as no surprise to them. However, other industries clearly are experiencing targeted attacks.
Symantec research shows that “niche” sectors are usually more targeted by highly focused attacks. While Government and Defense industries are more likely to see a MOTA type of attack, industries like Agriculture, Construction, Oil and Energy mainly see attacks that are highly targeted at a small number of companies and individuals within them.
This is not to say that Government and Defense Industries do not see highly targeted attacks. Two-thirds of attack campaigns involved either a one-off or a very limited number of attacks against organizations active in the same sector.
Over 50% of those single-sector campaigns target the Government and Defense industry sectors. This type of highly targeted attack campaign can be illustrated with the Sykipot attacks. These attacks were part of a long-running series of attacks using the Sykipot family of malware. Sykipot has been used in targeted attacks for at least the past couple of years, and unconfirmed traces date back to as early as 2006. The latest wave spiked on December 1, 2011 with a huge increase of targeted individuals being sent a PDF containing a zero-day exploit against Adobe Reader and Acrobat (CVE-2011-2462). The attackers involved in Sykipot have a history of attacking various industries; however, a majority of these attacks belong to the defense industry. More details on Sykipot attacks can be found later in this section and also in Appendix D – Vulnerability Trends.
One in three targeted attack campaigns are instead organized on a large-scale and fit the profile of a Massive Organizationally Targeted Attack; they target multiple people in multiple organizations, in different sectors, over multiple days. Most of these large-scale campaigns are very well resourced, with up to 4 different exploits used during the same campaign. Some are even multilingual: the language used in the email attack is tuned to the targeted recipients (such as the use of Chinese for .cn recipient domains, Japanese for .jp, Russian for .ru, etc.).
Examples of this type of attack campaign include the long-running series of Taidoor attacks, or more recently the Nitro attack waves. The bulk of the Nitro attacks were launched in late July 2011 and continued into mid-September and late October 2011. The purpose of the attacks appears to be industrial espionage, mainly targeting the chemical and petroleum industries, collecting intellectual property for competitive advantage. However, our research shows that the Nitro attackers could also have targeted senior executives working in the Defense industry and the Aerospace domain in another series of attacks that took place in October 2011. More details on the Taidoor and Nitro attack campaigns can be found later in this section.
Case Study – MOTA campaign
NR4 is one mass-scale attack campaign out of 130 that Symantec’s TRIAGE technology analyzed. (There is no significance to the name NR4.) We do not know the ultimate goal of the attackers behind this campaign, but we do know that they targeted diplomatic and government organizations.
month period. The attacks all originated from accounts on a popular free Web-based email service. All attacks came from one of three different sender aliases. Multiple email subject lines were used in the targeted attacks, all of potential interest to the recipients, with the majority being about current political issues. Almost all targeted recipients were put in the BCC field of the email.
The first wave of attacks began 28 April 2011, from a single email alias. Four organizations were targeted in this first series of attacks. One of these organizations saw the CEO as well as media and sales people targeted. Over the course of the attack campaign the CEO was targeted 34 times.
On 13 May 2011, a new email account began sending email to targets. It was from this account that the majority of the attacks occurred. This alias continued attacks on the four previous organizations but added dozens of additional organizations. One organization first targeted in this attack wave was targeted 450 times. A total of 23 people in the organization were targeted, with the main focus being on researchers within the organization.
The final attack wave started 30 June 2011, and ended 19 days later. While attacking a number of organizations already part of the campaign, it also targeted 5 new organizations.
By 19 July 2011, the NR4 targeted campaign came to an end. During the 3 months of this campaign hundreds of emails, in English and in Chinese (used against Chinese-speaking targets), arrived in targeted users’ mailboxes. While the content of the email was constantly being changed, each email contained an attached PDF or RAR file with the same exploit that would infect users once the attachment was opened. Interestingly, our research also showed that the three attackers involved in this NR4 campaign had been using the same command and control (C&C) servers for controlling compromised machines and exfiltrating data.
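As an added illustration of the campaign-level analysis described above (the TRIAGE clustering, the per-campaign statistics, the MOTA versus highly targeted distinction, and the NR4 linkage through shared sender aliases and C&C servers), the following Python groups constructed sample emails into campaigns and profiles each group. It is not Symantec's TRIAGE and not code from the report; the multi-criteria algorithm is replaced by a simple single-criterion union-find, and every address, hash and host is made up.

```python
from collections import namedtuple
from datetime import date

Event = namedtuple("Event", "sender rcpt org sector attach_hash c2 day")

# Constructed sample of blocked targeted emails (illustrative only, not Symantec data).
EVENTS = [
    Event("alias-a@webmail.example", "ceo@org1.example",   "org1", "government", "h1", "c2-1.example", date(2011, 4, 28)),
    Event("alias-a@webmail.example", "press@org2.example", "org2", "diplomatic", "h1", "c2-1.example", date(2011, 4, 29)),
    Event("alias-b@webmail.example", "ceo@org1.example",   "org1", "government", "h2", "c2-1.example", date(2011, 5, 13)),
    Event("alias-b@webmail.example", "rnd@org3.example",   "org3", "diplomatic", "h2", "c2-1.example", date(2011, 5, 14)),
    Event("alias-c@webmail.example", "hr@org4.example",    "org4", "government", "h3", "c2-1.example", date(2011, 6, 30)),
    Event("jobs@webmail.example",    "hr@org5.example",    "org5", "energy",     "h9", "c2-9.example", date(2011, 9, 1)),
    Event("jobs@webmail.example",    "hr@org5.example",    "org5", "energy",     "h9", "c2-9.example", date(2011, 9, 2)),
]

# Features that link two emails into one campaign. Caveat: chaining on any single shared
# value over-merges when a value is common, which is why TRIAGE weighs several criteria.
LINK_FEATURES = ("sender", "attach_hash", "c2")

def cluster_campaigns(events):
    """Union-find over events: same campaign if any linking feature is shared (assumption)."""
    parent = list(range(len(events)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    first_seen = {}  # (feature, value) -> index of first event carrying it
    for idx, ev in enumerate(events):
        for feat in LINK_FEATURES:
            key = (feat, getattr(ev, feat))
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx
    groups = {}
    for idx, ev in enumerate(events):
        groups.setdefault(find(idx), []).append(ev)
    return list(groups.values())

def profile(campaign):
    """Campaign statistics; MOTA = multiple organizations, multiple sectors, multiple days."""
    days = [e.day for e in campaign]
    span = (max(days) - min(days)).days + 1
    orgs = {e.org for e in campaign}
    sectors = {e.sector for e in campaign}
    hits = {}  # mailbox -> number of attacks, to spot a repeatedly hit "Mr. X"
    for e in campaign:
        hits[e.rcpt] = hits.get(e.rcpt, 0) + 1
    kind = "MOTA" if len(orgs) > 1 and len(sectors) > 1 and span > 1 else "highly targeted"
    return {"attacks": len(campaign), "mailboxes": len(hits), "orgs": len(orgs),
            "sectors": len(sectors), "span_days": span, "kind": kind,
            "top_target": max(hits.items(), key=lambda kv: kv[1]),
            "c2": sorted({e.c2 for e in campaign})}

if __name__ == "__main__":
    for c in cluster_campaigns(EVENTS):
        print(profile(c))
```

In the sample, the three aliases are tied together only through the shared C&C host, mirroring the NR4 observation; drop `c2` from `LINK_FEATURES` and the same data splits into three separate campaigns.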