The Trends in Targeted Attacks of 2012
Throughout 2012, we investigated a variety of targeted attacks including several APT campaigns such as LuckyCat and Ixeshe, as well as updates on some long running campaigns such as Lurid/Enfal and Taidoor. There was a lot of great research within the community related to targeted attacks published this year, and I’ve clustered the research I found to be the most interesting into six themes that I think also encapsulate the trends in targeted attacks of 2012:
- Targets and Tools – While targeted attacks were largely equated with APT during 2011, 2012 saw the emergence of a variety of attacks especially those in the Middle East including Shamoon in Saudi Arabia, the Mahdi Campaign, GAUSS and Wiper/Flame which were all well documented by Kaspersky. There were other attacks related to the conflict in the Middle East most notably Syria and Israel and Palestine (also see Norman’s analysis here). APT activity remained a significant concern in 2012, and Dell SecureWorks published a paper on clustering various APT campaigns as well as papers on Mirage and SinDigoo that illustrated the scope of the problem. Bloomberg published a series of articles about the “Comment Crew” that detailed the breadth and impact of an APT campaign.There was also considerable activity targeting Russia, Taiwan, South Korea, Vietnam, India and Japan. In addition to expanded geographic targets, we also saw the expansion of the technologies that were targeted, including Android mobile devices and the Mac platform. Seth Hardy from the Citizen Lab gave a great presentation at SecTor that provides an overview of the various Mac related RATs (SabPub, MacControl, IMULER/Revir and Dokster) that emerged this year. And although we have seen smartcard related attacks in the past, thanks to some great analysis of Sykipot from AlienVault we saw technical details around smartcards that were deliberately targeted.
- Stealth and Persistence – One of the key trends, documented in 2012 by Mandiant, is that APT activity comprises more than just malware because persistent access can be maintained through the use of legitimate applications such as VPNs. In addition, while the malware associated with many ongoing APT campaigns can be detected with network traffic analysis, Microsoft uncovered an older malware component that creates a stealthy backdoor at the NDIS (Network Driver Interface Specification) level making detection increasingly difficult. In addition to stealth at the network level, we saw interesting cases around digitally signed malware designed to make detection at the file system level more difficult. While digitally signed malware is certainly not new, a RAT known as PlugX was heavily used in targeted attacks and it used a technique, first described by Symantec, that leveraged DLL search order hijacking (which itself is not new). Another tool known as HiKit, which was documented by Mandiant, demonstrated both stealth at the file system level, using DLL search order hijacking, but also at the network level by listening for incoming (like old school RATs) rather than making outgoing connections to a command and control server. However, the Flame malware’s use of an MD5 collision attack to propagate by hijacking Windows Update functionality took stealth and persistence to a whole other level.
- Social Engineering – It is certainly not a surprise that spear phishing emails remain the primary mechanism to deliver malware in a targeted attack but other techniques such as “watering hole” attacks received some significant attention. Shadowserver published analysis of what they termed “strategic web compromises” that leveraged Java and Flash exploits, and RSA documented the VOHO campaign which also made use of this technique. However, one of the more interesting social engineering ploys used in 2012 was the re-use of the malware analysis by security vendors as a lure to deliver malware. Both FireEye and AlienVault documented such attacks which were reminiscent of the Nitro campaign’s use of Symantec’s research in the same way in late 2011. However, spearphish emails and compromised websites are not the only attack vectors available. Instant messengers (believed to be the attack vector in the Aurora attack on Google) also provide an avenue for attack and Skype was reportedly used to deliver the DarkComet RAT in conjunction with the conflict in Syria.
- Offense as Defense – There was a renewed interest in the concept of “offense as defense” throughout 2012 alongside the emergence of security startup Crowdstrike. While the concept is often narrowly understood as “hacking back” I prefer to understand it in the context of what David Dittrich calls the “Active Response Continuum”. There are a variety of tactics ranging from sinkholing and takedowns – either through technical means, reporting abuse, de-peering, naming and shaming, legal mechanisms or cooperation with law enforcement – through to deception operations that provide offensive actions that fall short of “hacking back”. These actions have been typically used against criminal actors but could be applied, to a certain extent, to infrastructure associated with attacks that fall somewhere between state-tolerated to state-sponsored. However, offensive capabilities beyond these measures are seen as attractive since prosecution in state-sponsored cases is not seen as an option and we’re starting to see such actions emerge. In 2012 there was a case in which CERT-GOV-GE not only gained access to the command and control servers of the “Georbot” botnet but they lured the botnet operator in stealing a malicious file, which when executed, allowed CERT-GOV-GE to remotely record video of the operator.
- “Cyber” Arms Trade – The controversial topic of the sale of 0day exploits and corporate malware received quite a bit of public scrutiny in 2012. The ACLU’s Christopher Soghoian gave the keynote presentation on the topic at VB2012. In addition to buying and selling vulnerabilities/exploits, there is also a market for malware that is used for government surveillance. Morgan Marquis-Boire published information on how a product known as FinFisher (which can also spy on smartphones) distributed by a UK company as well as a backdoor distributed by an Italian company were reportedly used by governments to spy on activists. Also, Dell SecureWorks’ Joe Stewart discovered “a sizable cyber-espionage operation carried out by a private computer security company in an Asian country (not China) against a foreign military” which further illustrates the extent of the problem.
- Data Destruction – While targeted attacks are typically conducted for the purpose of espionage, they do sometimes have a destructive capacity (see, Stuxnet). In 2012, Kaspersky documented a case known as Wiper that destroyed data as well as Shamoon (see Seculert’s analysis too) which targeted oil companies in the Middle East and destroyed data and is believed to be the malware that was used to damage thousands computers in Saudi Arabia and Qatar. The escalation of espionage to sabotage is likely to continue.
2012 has been quite a year in terms of targeted attacks, and I think that 2013 will be quite as interesting, or even more. I will be posting my 2013 predictions in relation to targeted attacks in the near future, so stay tuned!