Amit Nath, Country Manager, India and SAARC, Trend Micro, said: “The number of targeted attacks has dramatically increased. Unlike largely indiscriminate attacks that focus on stealing credit card and banking information associated with cybercrime, targeted attacks noticeably differ and are better characterized as cyber espionage. Highly targeted attacks are computer intrusions threat actors stage in order to aggressively pursue and compromise specific targets, often leveraging social engineering, in order to maintain persistent presence within the victim’s network so they can move laterally and extract sensitive information.”
He added: “In a typical targeted attack, a target receives a contextually relevant e-mail that encourages a potential victim to click a link or open a file. The links and files the attackers send contain malicious code that exploits vulnerabilities in popular software.”
The exploit’s payload is malware that is silently executed on the target’s computer. This gives the attackers control of the compromised computer and access to the data on it. In other cases, the attackers send disguised executable files, usually compressed in archives, that also compromise the target’s computer if opened. The malware connects back to command-and-control (C&C) servers under the attackers’ control, from which they can instruct the compromised computer to download additional malware and tools that allow them to move laterally throughout the target’s network. These attacks are not isolated smash-and-grab incidents; they are part of sustained campaigns that aim to establish a covert presence in a target’s network so that information can be extracted as needed. It is therefore more useful to think of them as campaigns: a series of failed and successful attempts to compromise a target’s network over a period of time. The attackers often keep track of the individual attacks within a campaign in order to determine which one compromised a specific victim’s network. As the attackers learn more about their targets, both from open source research on publicly available information and from previous attacks, the specificity of subsequent attacks may sharply increase.
Targeted attacks have been extremely successful, making the scope of the problem truly global. They have affected governments, militaries, defense industries, high-technology companies, intergovernmental organizations, non-governmental organizations (NGOs), media organizations, academic institutions, and activists worldwide. Targeted attacks are not isolated smash-and-grab incidents; they are part of sustained campaigns that aim to establish a persistent, covert presence in a target’s network so that information can be extracted as needed. Targeted attacks may not be easy to understand, but careful monitoring allows researchers to leverage the mistakes attackers make to get a glimpse inside their operations. Moreover, cyber-espionage campaigns can be tracked over time using a combination of technical and contextual indicators.
In the course of our research, we discovered that the Luckycat campaign had a much more diverse target set than previously thought. Not only did the attackers target military research institutions in India, as earlier disclosed by Symantec, they also targeted sensitive entities in Japan and India as well as Tibetan activists. They used a diversity of infrastructure as well, ranging from throw-away free-hosting sites to dedicated VPSs. We also found that the Luckycat campaign can be linked to other campaigns: the people behind it used or provided infrastructure for other campaigns that have also been linked to past targeted attacks such as the ShadowNet campaign. Understanding the attack tools, techniques, and infrastructure used in the Luckycat campaign, as well as how an individual incident is related to the broader campaign, provides the context necessary for us to assess its impact and come up with defensive strategies to protect our customers.
Targeted attacks that exploit vulnerabilities in popular software in order to compromise specific target sets are becoming increasingly commonplace. These attacks are neither automated and indiscriminate nor conducted by opportunistic amateurs; they are staged by threat actors that aggressively pursue and compromise specific targets. Such attacks are typically part of broader campaigns by specific threat actors, a series of failed and successful compromises, rather than isolated attacks. The objective is to obtain sensitive data. Targeted attacks remain a high-priority threat that is difficult to defend against, because they leverage social engineering and malware that exploits vulnerabilities in popular software to slip past traditional defenses. Once inside the network, the attackers are able to move laterally in order to locate sensitive information for exfiltration. The impact of a successful attack can be severe, and any data obtained by the attackers can be used in future, more precise attacks. However, defensive strategies can be dramatically improved by understanding how targeted attacks work, as well as trends in the tools, tactics and procedures of the perpetrators. Since such attacks focus on the acquisition of sensitive data, strategies that protect the data itself, wherever it resides, are extremely important components of defense. By effectively using threat intelligence derived from external and internal sources, combined with context-aware data protection and security tools that empower and inform human analysts, organizations are better positioned to detect and mitigate targeted attacks.