> Enterprise > Security Response > Internet Security Threat Report > View the Report > Malicious Code Trends

Malicious Code Trends

Malicious Code Trends | Top Malicious Code Families | Analysis of Malicious Code Activity by Geography, Industry Sector and Company Size | Propagation Mechanisms | Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs) | TRIAGE Analysis of Targeted Attacks

TRIAGE Analysis of Targeted Attacks


Symantec’s advanced TRIAGE data analytics technology aims at answering some fundamental questions about targeted attacks, such as:
  • Attribution: Can we link series of similar attacks, perhaps targeting different organizations - on the same or different dates - to larger-scale campaigns likely organized by the same group of individuals?
  • How many different groups of attackers can we identify based on their modus operandi?
  • What are the characteristics and dynamics of such attack campaigns? Can we observe multiple connections among those attacks, for example regarding the subjects used the malicious attachments, the targeted recipients or the date of the attack?


To identify series of targeted attacks that are likely performed by the same individuals, we have used a novel attack attribution named TRIAGE. Developed by Symantec in the context of the European funded WOMBAT research project (, TRIAGE is a novel attack attribution method based on a multi-criteria decision algorithm. This new attribution method has been implemented in an analytical software framework that is now being maintained in the context of VIS-SENSE, a European research project that aims at improving security analysis with novel Visual Analytics technologies.
By leveraging our TRIAGE data analytics, targeted attacks are automatically grouped together based upon common elements likely due to the same root cause. As a result, we are able to identify complex patterns showing various types of relationships among series of targeted attacks, giving insights into the manner by which attack campaigns are orchestrated. The TRIAGE approach is illustrated in figure B.19, below.

Data and Commentary

Insights into targeted attack campaigns
Symantec’s TRIAGE technology has identified 130 clusters of attacks, which are quite likely reflecting different campaigns organized by the same groups of individuals. Indeed, within the same cluster, all attacks are linked by at least 3 or 4 characteristics among the following ones:
  • The origins of the attack (Email ‘From’ address or IP address used by the attacker).
  • The attack date.
  • The characteristics of the malicious file attached to the email (MD5 checksum, AV signature and file name).
  • The email subject.
  • The targeted recipient (‘To:’ or ‘Bcc:’ address fields in the email).
Figure B.19: Illustration of Symantec's TRIAGE methodology. Source: Symantec
The Table below gives some global characteristics calculated across all attack campaigns identified by Symantec in 2011.
Figure B.19: Characteristics identified in targeted attacks, 2011. Source: Symantec
The Table shown below in figure 20, gives some global characteristics calculated across all attack campaigns identified by Symantec in 2011.
Figure B.20: Characteristics identified in targeted attacks, 2011. Source: Symantec
Based on the number of targeted recipients and sectors, we have classified the attack campaigns into two main types (Figure B.21):
  • Type 1 - Single-sector: highly focused attack campaigns targeting one (1.a) or several (1.b) organizations within the same activity Sector;
  • Type 2 - Multi-sector: larger-scale campaigns that usually target a large number of organizations across multiple sectors. This type of attacks fit the profile of Massive Organizationally Targeted Attack (MOTA).
Figure B.21: Classification of campaigns according to the number of targeted recipients and activity sectors. Source: Symantec

Type 1 – Highly targeted campaigns: Sykipot attacks

Two-thirds of attack campaigns identified by Symantec were targeting either a single, or a very limited number of organizations active in the same sector. Over 50% of those single-sector campaigns target the Government and Defense sectors. However, other industries clearly are experiencing such highly targeted attacks. Symantec research shows that “niche” sectors are usually more targeted by highly focused attacks. Industries active in sectors like Agriculture, Construction, Oil and Energy mainly see attacks that are highly targeted at a small number of companies and individuals within them.
A good example of such highly targeted campaign is the Sykipot series of attacks using the Sykipot family of malware, with a majority of these attacks targeting the defense industry or governmental organizations. The modus operandi of the attackers is always the same: they send to specifically chosen recipients an email with an appealing subject, sometimes using a spoofed email address in relation to the activity or the position of the targeted recipient, and containing a malicious document, which exploits some unknown vulnerability in Adobe Reader and Acrobat or in Microsoft Office software products. Figure B.22, below shows an example of such email. The name and address used by the attacker was those of a high-level executive having a position of Associate General Counsel within the targeted Defense industry.
Figure B.22: Example of targeted email using Sykipot malware. Source: Symantec
Figure B.23, below visualizes Sykipot attack waves identified by Symantec’s TRIAGE technology during April 2011. Three different attackers (red nodes) have sent about 52 emails to at least 30 mailboxes of employees working for two different Defense industries on three different dates. The subject lines, indicated in yellow, are shared among attackers and two of them used the same mailer agent from the very same IP address to launch the attacks. Three different MD5s were used in this Sykipot campaign (nodes in gray).
Figure B.23: A Sykipot campaign identified by Symantec's TRIAGE methodology. Source: Symantec

Type 2 – Massive Organizational Targeted Attacks (MOTA): Nitro and Taidoor attacks

One third of attack campaigns were organized on a large-scale and fit the profile of a Massive Organizationally Targeted Attack (MOTA): they target multiple people in multiple organizations, in different sectors, over multiple days. Most of these large-scale campaigns are very well resourced, with up to 4 different exploits used during the same campaign. Some are even multilingual: the language used in the email attack is tuned to the targeted recipients.
The Taidoor attacks illustrate perfectly this type of mass-scale attack campaign. These attacks can include a long series of attack waves, sometimes spread over a long period of time (several months, or even a few years in some cases). As illustrated in the figure below, the relationships between attackers in those campaigns are usually much more complex, involving many inter-relationships at different levels (for example, common MD5s, same mailer or IP address, etc.).
This may indicate that several teams of attackers are collaborating or sharing some of their resources (like malicious code, virtual servers to launch attacks, or intelligence data on the targets). They usually target a very large number of recipients working for different organizations, which can be active in completely different sectors.
Figure B.24: A Nitro campaign identified by Symantec's TRIAGE methodology. Source: Symantec
The Nitro attacks are another example of mass-scale attack campaign. The bulk of the Nitro attacks was launched in late July 2011 and continued into mid-September. Another unconfirmed Nitro campaign was also identified later in October 2011. The purpose of the attacks appears to be industrial espionage, mainly targeting the chemical and petroleum industries, to collect intellectual property for competitive advantage.
An example of email sent during those Nitro attack waves is shown in figure B.25, below. In this campaign, blocked over 500 attacks of this type, in which the attackers use a spoofed email address (presumably coming from an IT support desk) to entice users to install a fake Adobe software update packaged in a zip file, and which contains a zero-day exploit to compromise the users machines.
While most targeted recipients were employees working for chemical industries, our research has showed that the Nitro attackers have also targeted senior executives working in the Defense industry and the Aerospace domain during the same series of attacks in October 2011.
Figure B.25: Example of an email using the Nitro malware. Source: Symantec
Attack campaigns are quite often characterized by the use of specific Mailers. In our research, we have observed a substantial amount of attacks sent through free Webmail providers. The second most frequently used Mailer agents are Microsoft Outlook (Express), accounting for 18% and 6% respectively, as shown in figure B.26, below.
However, some other, less frequent Mailers have also been used in targeted attacks, such as GMX Web Mailer, which was used during the Sykipot attacks in December 2011 while targeting Defense contractors and Governmental organizations.
Figure B.26: Most frequent Mailers used in targeted attacks. Source: Symantec