> Enterprise > Security Response > Internet Security Threat Report > View the Report > Symantec Internet Security Threat Report - 2011

Symantec Internet Security Threat Report - 2011

Introduction | 2011 In Review | 2011 In Numbers | Executive Summary | Safeguarding Secrets: Industrial Espionage in Cyberspace | Against the Breach: Securing Trust and Data Protection | Consumerization and Mobile Computing: Balancing the Risks and Benefits in the Cloud | Spam Activity Trends | Malicious Code Trends | Closing the Window of Vulnerability: Exploits and Zero-day Attacks | Conclusion: What’s Ahead in 2012

Safeguarding Secrets: Industrial Espionage in Cyberspace

Safeguarding Secrets: Industrial Espionage in Cyberspace

Cyber-espionage in 2011

The number of targeted attacks increased dramatically during 2011 from an average of 77 per day in 2010 to 82 per day in 2011. And advanced persistent threats (APTs) attracted more public attention as the result of some well publicized incidents.
Targeted attacks use customized malware and refined targeted social engineering to gain unauthorized access to sensitive information. This is the next evolution of social engineering, where victims are researched in advance and specifically targeted. Typically, criminals use targeted attacks to steal valuable information such as customer data for financial gain. Advanced persistent threats use targeted attacks as part of a longer-term campaign of espionage, typically targeting high-value information or systems in government and industry.
In 2010, Stuxnet grabbed headlines. It is a worm that spreads widely but carried a specialized payload designed to target systems that control and monitor industrial processes, creating suspicion that it was being used to target nuclear facilities in Iran. It showed that targeted attacks could be used to cause physical damage in the real world, making real the specter of cyber-sabotage.
In October 2011, Duqu came to lightiv. This is a descendent of Stuxnet. It used a zero-day exploit to install spyware that recorded keystrokes and other system information. It presages a resurgence of Stuxnet-like attacks but we have yet to see any version of Duqu built to cause cyber-sabotage.
Various long term attacks against the petroleum industry, NGOs and the chemical industryv also came to light in 2011. And hactivism by Anonymous, LulzSec and others dominated security news in 2011.
Figure 1: Targeted attacks trend showing average number of attacks identified each month, 2011. Source: Symantec

Advanced Persistent Threats

Advanced persistent threats (APTs) have become a buzzword used and misused by the media but they do represent a real danger. For example, a reported attack in March 2011 resulted in the theft of 24,000 files from a US defense contractor. The files related to a weapons system under development for the US Department of Defense (DOD).
Government agencies take this type of threat very seriously. For example, the US DOD has committed at least $500 (USD) million to cyber security research and development and the UK Government recently released its Cyber Security Strategy, outlining a National Cyber Security Programme of work funded by the GBP £650 million investments made to address the continuously evolving cyber risks, such as e-crime as well as threats to national securityvi.
All advanced persistent threats rely on targeted attacks as their main delivery vehicle, using a variety of vectors such as drive-by-downloads, SQL injection, malware, phishing and spam.
APTs differ from conventional targeted attacks in significant ways:
  1. They use highly customized tools and intrusion techniques.
  2. They use stealthy, patient, persistent methods to reduce the risk of detection.
  3. They aim to gather high-value, national objectives such as military, political or economic intelligence.
  4. They are well-funded and well-staffed, perhaps operating with the support of military or state intelligence organizations.
  5. They are more likely to target organizations of strategic importance, such as government agencies, defense contractors, high profile manufacturers, critical infrastructure operators and their partner ecosystem.
The hype surrounding APTs masks an underlying reality—these threats are, in fact, a special case within the much broader category of attacks targeted at specific organizations of all kinds. As APTs continue to appear on the threat landscape, we expect to see other cybercriminals learn new techniques from these attacks. For example, we’re already seeing polymorphic code used in mass malware attacks and we see spammers exploit social engineering on social networks. Moreover, the fact that APTs are often aimed at stealing intellectual property suggests new roles for cybercriminals as information brokers in industrial espionage schemes.
While the odds of an APT affecting most organizations may be relatively low, the chances that you may be the victim of a targeted attack are, unfortunately, quite high. The best way to prepare for an APT is to ensure you are well defended against targeted attacks in general.

Targeted Attacks

Targeted attacks affect all sectors of the economy. However, two-thirds of attack campaigns focus on a single or a very limited number of organizations in a given sector and more than half focus on the defense and aerospace sector, sometimes attacking the same company in different countries at the same time. On average they used two different exploits in each campaign, sometimes using zero-day exploits to make them especially potent.
Figure 2: Targeted email attacks, by top-ten industry sectors, 2011. Source:
Figure 3: Attacks by size of targeted organization. Source:
It is, however, a mistake to assume that only large companies suffer from targeted attacks. In fact, while many small business owners believe that they would never be the victim of a targeted attack, more than half were directed at organizations with fewer than 2,500 employees; in addition, 17.8% were directed at companies with fewer than 250 employees. It is possible that smaller companies are targeted as a stepping-stone to a larger organization because they may be in the supply chain or partner ecosystem of larger, but more well-defended companies.
While 42% of the mailboxes targeted for attack are high-level executives, senior managers and people in R&D, the majority of targets were people without direct access to confidential information. For an attacker, this kind of indirect attack can be highly effective in getting a foot in the door of a well-protected organization. For example, people with HR and recruitment responsibilities are targeted 6% of the time, perhaps because they are used to getting email attachments such as CVs from strangers.
Figure 4: Analysis of job functions of recipients being targeted. Source: Symantec

Where attacks come from

Figure 5 represents the geographical distribution of attacking machines’ IP addresses for all targeted attacks in 2011. It doesn’t necessarily represent the location of the perpetrators.
Figure 5: Geographical locations of attacking machines’ IP addresses. Source: Symantec

Case study

In 2011, we saw 29 companies in the chemical sector (among others) targeted with emails that appeared to be meeting invitations from known suppliers. These emails installed a well-known backdoor trojan with the intention of stealing valuable intellectual property such as design documents and formulas.