The number of serious cyber-attacks detected over the last two years has increased so much that new attacks rarely cause much surprise. It’s now commonplace for antivirus companies to issue a report about the discovery of another botnet or highly sophisticated malware campaign that is gathering data.
Companies are increasingly falling victim to cyber-attacks. According to a survey conducted by Kaspersky Lab and B2B International, 91% of the organizations polled suffered a cyber-attack at least once over a 12-month period, while 9% were the victims of targeted attacks.
The extensive use of computers and other digital devices in all areas of business has created ideal conditions for cyber espionage programs and malware capable of stealing corporate data. The potential is so great that malicious programs may soon completely replace company insiders as a way of gathering information. However, the risks to the corporate sector do not end there. This dependence on the reliable operation of computers and the channels that connect them means cybercriminals are presented with a variety of other ways to target companies using destructive programs, from so-called encryptors and shredders that spread like the plague in a corporate environment, to an army of zombies that devours every available resource on web servers and data transfer networks.
When it comes to the mass distribution of malicious programs, any company can be affected. Notorious banking Trojans such as ZeuS and SpyEye can penetrate the computers of even small commercial organizations, resulting in the loss of money and intellectual property.
However, there are also numerous cases of carefully planned activity aimed at infecting the network infrastructure of a specific organization or individual. The results of our research showed that in 2013 the victims of these targeted attacks included companies from the oil and telecommunications industries, scientific research centers, as well as companies working in sectors such as aerospace, shipbuilding and other hi-tech industries.
Cybercriminals have a large array of sophisticated tools to help them penetrate corporate networks. Planning a targeted attack on a company can take several months, after which all available tactics are deployed, starting with social engineering and progressing to exploits for unknown software vulnerabilities.
The attackers meticulously examine the target company’s commercial profile, public resources, websites, employee profiles on social networks, announcements, the results of various presentations, exhibitions, etc. for any piece of useful information. When planning a strategy for an intrusion and subsequent data theft, the criminals may study the company’s network infrastructure, network resources and communication centers.
When planning their attack, the cybercriminals may create a fake malicious website that is an exact copy of the target’s own site and register it with a similar domain name. It will then be used to trick users and infect their computers.
One of the most popular techniques for inserting malware in corporate networks in 2013 was to send emails containing malicious attachments to company employees. More often than not, the documents in these emails were in familiar Word, Excel or PDF formats. When the attached file is opened a software vulnerability – if present – is exploited and the system is infected by a malicious program.
Employees who regularly have to communicate with people outside their corporate structure are often the recipients of malicious emails. More often than not the recipients work in the public relations department.
Departments involved in hiring new staff also receive lots of emails from external users. A cybercriminal may pretend to be a potential candidate for a job, and send a resume in an infected PDF file. Of course, the file will be opened by an HR employee, and if there is a vulnerability on the workstation, it will then be infected.
Finance departments may also receive malicious messages under the guise of requests or demands from the tax authorities, while legal departments might receive messages that appear to be from judicial bodies, the police or other government agencies.
The content of the message is intended to pique the interest of the employee it addresses, whether in relation to his/her job responsibilities or the company’s general sphere of business. For instance, the hacking group Winnti sent messages to private video game manufacturers suggesting possible cooperation as part of a targeted attack:
The spyware Miniduke was distributed in a letter about Ukraine’s foreign policy plans and Ukraine–NATO relations:
Cybercriminals actively use exploits for known software vulnerabilities.
The renowned Red October, for instance, used at least three different exploits for known vulnerabilities in Microsoft Office: CVE-2009-3129 (MS Excel), CVE-2010-3333 (MS Word) and CVE-2012-0158 (MS Word). Nettraveler used an exploit for CVE-2013-2465, a vulnerability in Java versions 5, 6 and 7; it was only patched by Oracle in June 2013.
However, so-called zero-day vulnerabilities – currently unknown to the software manufacturer – are the most dangerous. Cybercriminals actively search popular programs for unknown loopholes and create exploits for them. If such a vulnerability exists in a piece of software, it is very likely to get exploited. Miniduke used such a vulnerability (CVE-2013-0640) in Adobe Reader versions 9, 10 and 11 – it was unknown at the time of the attack.
Cybercriminals continuously improve malware, using unconventional approaches and solutions to steal information.
Red October, once it got a foothold within a system, worked as a multifunctional module-based platform. It added various modules to the infected system depending on the chosen target. Each of these modules performed a certain range of actions: collecting information about the infected computer and its network infrastructure, stealing various passwords, keylogging, self-propagation, sending stolen information, etc.
It should also be noted that cybercriminals have responded to the development of mobile technologies and the spread of mobile devices in corporate environments. A modern smartphone or tablet PC is effectively a fully fledged workstation storing a huge amount of data, and is thus a potential target for cybercriminals. The creators of Red October developed dedicated modules which detected when smartphones running Apple iOS or Windows Mobile, as well as cellphones manufactured by Nokia, were connected to the infected workstation, copied data from them and sent it to the C&C server.
The creators of Kimsuky integrated an entire module into their malware which can remotely manage infected systems. Interestingly, they did so with the help of TeamViewer, a legitimate remote management tool, by introducing slight modifications into its program code. After that, operators could manually connect to infected computers to collect and copy information that was of interest.
The Winnti hacker group stole digital certificates from the corporate networks of online game manufacturers, and used them to sign their malicious driver, subsequently infecting other companies. For example, a digital certificate was stolen from the South Korean company KOG. When we informed the company about the theft, the compromised certificate was revoked.
This is the revoked certificate:
In addition, the 64-bit Trojan included a fully functional backdoor module. This is the first case, as far as we know, in which a 64-bit malicious program has been used with a valid digital signature belonging to a legitimate company.
The Miniduke spyware used Twitter to receive information from C&C servers. Miniduke’s operators used dedicated accounts to publish specially crafted tweets which included an encoded C&C URL.
The Trojan read Twitter on an infected computer and used the address to connect to the C&C.
Cybercriminals are interested in stealing information of all kinds. It could be cutting-edge technology developed by companies and research institutes, the source code of software products, financial and legal documents, personal information about employees and clients, and any other information that may constitute a commercial secret. This information is often stored in plain text in corporate networks in the form of electronic documents, draft documents, reports, drawings, presentations, images, etc.
As stated above, cybercriminals take different approaches to data gathering. Some malicious programs collect practically all types of electronic documents. For example, Red October was interested in documents in txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, etc. formats; the malicious program sent all of these to the C&C servers.
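A defender-side check that follows from the indiscriminate collection described above: a process that, within a short window, reads a broad spread of the document types Red October collected is worth flagging. This is an added example, not code from the report; the audit-log format, process names and the threshold are assumptions.

```python
# Added example (not from the original report): flag a process that reads an
# unusually broad spread of document types, the trace an indiscriminate
# collector leaves in host file-access audit logs. Log format, process names
# and the threshold are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Extensions the report lists as collected by Red October.
TARGET_EXTS = {"txt", "csv", "eml", "doc", "vsd", "sxw", "odt", "docx", "rtf",
               "pdf", "mdb", "xls", "wab", "rst", "xps", "iau"}

# Constructed sample lines in an assumed "timestamp process action path" format.
SAMPLE_LOG = """\
2013-10-01T09:00:01 winword.exe READ C:\\Users\\a\\report.docx
2013-10-01T09:00:05 winword.exe READ C:\\Users\\a\\notes.rtf
2013-10-01T09:01:00 svchost.exe READ C:\\Users\\a\\Documents\\q3.xls
2013-10-01T09:01:02 svchost.exe READ C:\\Users\\a\\Documents\\contacts.wab
2013-10-01T09:01:03 svchost.exe READ C:\\Users\\a\\Documents\\plan.pdf
2013-10-01T09:01:05 svchost.exe READ C:\\Users\\a\\Documents\\db.mdb
2013-10-01T09:01:07 svchost.exe READ C:\\Users\\a\\Documents\\draft.odt
2013-10-01T09:01:09 svchost.exe READ C:\\Users\\a\\Documents\\mail.eml
2013-10-01T09:01:11 svchost.exe READ C:\\Users\\a\\Documents\\diag.vsd
2013-10-01T09:30:00 svchost.exe READ C:\\Users\\a\\Documents\\old.txt
"""

def parse(line):
    """Split one audit line into (timestamp, process, action, extension)."""
    ts, proc, action, path = line.split(" ", 3)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return datetime.fromisoformat(ts), proc, action, ext

def find_collectors(log, window=timedelta(minutes=5), min_distinct=5):
    """Return {process: set(extensions)} for processes that read at least
    `min_distinct` different target document types within `window`."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, proc, action, ext = parse(line)
        if action == "READ" and ext in TARGET_EXTS:
            events[proc].append((ts, ext))
    hits = {}
    for proc, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {e for t, e in evs[i:] if t - start <= window}
            if len(seen) >= min_distinct:  # broad sweep inside one window
                hits[proc] = seen
                break
    return hits
```

Tune `window` and `min_distinct` against a baseline of ordinary user activity; document editors touching two or three types in a minute are normal, a background process sweeping seven is not.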
Another approach, which we identified with Kimsuky and Icefog, is essentially a manual analysis of the data stored in corporate networks using remote-access technologies integrated into malware on infected workstations, followed by the copying of those documents that were specifically required or of value to the cybercriminals. When launching such attacks, cybercriminals take into account all the details of the targeted company and have a clear understanding of what data formats are used in that company and what types of information are stored. Thus, during Kimsuky and Icefog attacks, the targeted companies lost documents which were very specific to their activities and were stored in the HWP format which is widely used in South Korea.
While analyzing the latest targeted attacks, we came to the conclusion that a new category of attackers has emerged. We call them cybermercenaries. These are organized groups of highly qualified hackers who can be hired by governments or private companies to organize and conduct complex, effective targeted attacks aimed at stealing information and destroying data or infrastructure.
Cybermercenaries are given a contract which stipulates the goals and a description of the task, after which they start to thoroughly prepare for and then launch the attack. While earlier attacks tended to steal information indiscriminately, cybermercenaries now aim to lay their hands on very specific documents or the contacts of people who might own the target information.
In 2013, we investigated the activity of the cybermercenary group Icefog, which launched targeted attacks under the same name. During the investigation, we managed to locate an Icefog operator activity log, which detailed all the attack activities. It became obvious from that log that the criminals not only have a good knowledge of Chinese, Korean and Japanese, but also know exactly where to look for the information they are interested in.
2013 saw some major disclosures about attacks launched by spyware that were related, directly or indirectly, to the activities of various governments. These disclosures could potentially lead to a loss of confidence in global services and corporations and greater interest in creating national equivalents of global services. This might lead to a peculiar type of de-globalization, causing a growing demand for IT in general, but a fragmentation of the users of the global network and a certain segmentation of online services. Already in many countries, there are local versions of global services, including national search engines, mail services, national IM services and even local social networks.
This growing number of new national software products and services is delivered by national manufacturers. These companies are typically smaller in size and budget than global market leaders. As a result it’s possible that their products may not be of the same quality as those of the larger international companies. Our experience of investigating cyber-attacks suggests that the smaller and less experienced the software developer is, the more vulnerabilities will be found in its code. As a result targeted attacks become easier and more effective.
Moreover, as states seize the initiative in controlling information and hardware resources, some states may legally oblige local companies to use national software products or online services, which may ultimately affect the security of the corporate sector as well.