
The Rise of the Targattacks*: Cyber espionage and sabotage: the new way

*Abbr.: targeted attacks

During the last 18 months we have seen a growing number of targeted attacks against numerous companies and organizations. Let’s briefly have a look at some of them:

  • The Aurora Attack: an attack that began in mid-2009 and continued until December 2009. The primary goal of this attack was to gain access to high-tech, security and defense companies (for example Adobe, Juniper, Google and Yahoo) and potentially modify source code repositories.
  • German Emissions Trading Authority (DEHSt): suffered from phishing attacks carried out in January 2010. Scamsters circulated fraudulent emails masquerading as email from the DEHSt and persuaded the recipients to log in to a counterfeit website, ironically to protect themselves against alleged hacker attacks. Using the stolen access data, the attackers transferred emissions permits, primarily to Denmark and Great Britain, and in so doing allegedly gained up to three million Euros illegally. It is readily apparent that targeted phishing attacks can be very lucrative.
  • Stuxnet: a Windows computer worm discovered in July 2010 that targets industrial SCADA software and equipment with the aim of attacking an Iranian nuclear plant. The attack seems to have been successful, as the enrichment of uranium was heavily delayed.
  • G20 Files attack: was announced in March 2011 but had already been going on for several months. The G20 is made up of the finance ministers and central bank governors of 19 countries and discusses key issues of the global economy. Over 150 ministry computers of the G20 were attacked. The attacks aimed at files related to the G20 meetings.
  • RSA breach: RSA is a well-known security company specialized in identity and access solutions. Hackers may have gained access to part of the code generation algorithm used in RSA SecurID tokens. At least some information was extracted, but it is still unclear whether it will actually cause future problems.
  • EU Commission Summit attack: this was a targeted attack against some specific servers at the EU Commission in Brussels, found and stopped before the EU March 2011 Summit. As not much is known about it, we suppose that nothing important has been leaked.
  • Epsilon email breach: Epsilon is a well-known online marketing company that works with hundreds of large companies around the world and stores millions of email addresses in its databases. Hackers have stolen customer email addresses and names belonging to a “subset of its clients”. Some big companies, such as Disney, Citibank and Verizon, were involved.

And this list is still not complete.

What do they all have in common? It is a fact that all attacks were targeted at a specific organization, industry or company. Most of these targeted attacks were looking for confidential information. With the RSA attack they were looking for intellectual property. Stuxnet was an exception, as cyber sabotage seemed the real motivator. Sometimes it is very difficult to figure out the motive. Sometimes it is even difficult to estimate whether the attack was successful or not, as this depends on the attacker’s intentions. Above all, social engineering has been used in all of these cases, ranging from targeted emails (spear phishing) to the use of infected USB sticks – but all of this involved human action.

Nevertheless, all these attacks or breaches illustrate the new reality concerning security: cyber espionage, like cybercrime, is simpler to perpetrate but a lot more difficult to spot. There is hardly any risk involved if you compare it to the more traditional methods. This is the new front line, including attacks against military facilities as well as politically and financially motivated attacks.

As some of the attacks were quite successful, we expect to see a further growing number of targeted attacks, as the cybercriminals now have access to more email addresses and new targets to direct their attacks at. A rise in specifically targeted phishing mails is only one thing to watch out for in the coming months.

But what have we learnt?

  • All systems can be attacked, even systems not connected to the internet or autonomous networks protected by a gateway.
  • Every system requires updates for the installed software (Flash, Adobe, OS, etc.).
  • Even if the gateway is protected you still require protection on the internal systems regardless of whether there is important data on them or not.

The combination of social tricks against humans and outdated software on their systems is the key issue in these attacks. Unfortunately, this was also the same problem 10 years ago. Needless to say, we require good security software in place, but if we don’t change our mindset or improve the way we are updating, we still have a long way to go before we win the battle, as this problem will continue to grow in the future.

During some lectures this year I will elaborate on this growing problem.
