Trends in Targeted Attacks: 2013

FireEye has been busy over the last year. We have tracked
malware-based espionage campaigns and published research papers on
numerous advanced threat actors. We chopped through Poison
Ivy, documented a cyber
arms dealer, and revealed that Operation
Ke3chang had targeted Ministries of Foreign Affairs in Europe.

Worldwide, security experts made many breakthroughs in cyber defense
research in 2013. I believe the two biggest stories were Mandiant’s APT1
report and the ongoing Edward Snowden revelations, including the
revelation that the U.S. National Security Agency (NSA) compromised
50,000 computers around the world as part of a global espionage campaign.

In this post, I would like to highlight some of the outstanding
research from 2013.

Trends in Targeting

Targeted malware attack reports tend to focus on intellectual
property theft within specific industry verticals. But this year,
there were many attacks that appeared to be related to nation-state
disputes, including diplomatic espionage and military conflicts.

Conflict

Where kinetic conflict and nation-state disputes arise, malware is
sure to be found. Here are some of the more interesting cases
documented this year:

• Middle East: continued attacks targeting the Syrian
  opposition; further activity by Operation
  Molerats related to Israel and Palestinian territories.
• India and Pakistan: tenuous relations in physical world equate
  to tenuous relations in cyberspace. Exemplifying this trend was the
  Indian malware group Hangover,
  the ByeBye
  attacks against Pakistan, and Pakistan-based attacks
  against India.
• Korean peninsula: perhaps
  foreshadowing future conflict, North Korea was likely behind the Operation
  Troy (also known as DarkSeoul)
  attacks on South Korea that included defacements, distributed
  denial-of-service (DDoS) attacks, and malware that wiped hard disks.
  Another campaign, Kimsuky,
  may also have a North Korean connection.
• China: this was
  the source of numerous attacks, including the ongoing Surtr
  campaign, against the Tibetan and Uygur communities, which targeted
  MacOS
  and Android.

Diplomacy

Malware continues to play a key role in espionage in the Internet
era. Here are some examples that stood out this year:

• The Snowden documents revealed that NSA and GCHQ deployed key
  logging malware during the G20 meeting in 2009.
• In
  fact, G20 meetings have long been targets for foreign intelligence
  services, including this year’s G20
  meeting in Russia.
• The Asia-Pacific Economic
  Cooperation (APEC)
  and The Association of Southeast Asian Nations (ASEAN)
  are also frequent targets.
• FireEye announced that Operation
  Ke3chang compromised at least five Ministries of Foreign Affairs
  in Europe.
• Red
  October, EvilGrab,
  and Nettraveler
  (aka RedStar) targeted both diplomatic missions and commercial
  industries.

Technical Trends

Estimations of “sophistication” often dominate the coverage of
targeted malware attacks. But what I find interesting is that simple
changes made to existing malware are often more than enough to evade
detection. Even more surprising is that technically “unsophisticated”
malware is often found in the payload of “sophisticated” zero-day
exploits. And this year quite a number of zero-days were used in
targeted attacks.

Exploits

Quite a few zero-day exploits appeared in the wild this year,
including eleven discovered by FireEye. These exploits included
techniques to bypass ASLR and application sandboxes. The exploits that
I consider the most significant are the following:

• CVE-2013-0640,
  which was used in the MiniDuke
  attacks,
• CVE-2013-1347,
  which was used in a watering hole attack on the Department of Labor
  website,
• CVE-2013-3893,
  which was deployed by the same group, DeputyDog, which compromised
  Bit9 earlier in the year,
• CVE-2013-3906,
  which was used in both targeted attacks and in cybercrime
  campaigns
• DeputyDog
  in a watering hole attack.

Evasion

The malware samples used by several advanced persistent threat (APT)
actors were slightly modified this year, possibly as an evasive
response to increased scrutiny, in order to avoid detection. For
example, there were changes to Aumlib
and Ixeshe, which are malware families associated with APT12,
the group behind attacks on the New
York Times. When APT1 (aka Comment Crew) returned
after their activities were exposed, they also used modified malware.
In addition, Terminator
(aka FakeM),
and Sykipot
were modified.

Threat Actors

Attribution is a tough problem, and the term itself has multiple meanings.
Some use it to refer to an ultimate benefactor, such as a
nation-state. Others use the term to refer to malware authors, or
command-and-control (CnC) operators. This year, I was fascinated by
published research about exploit and malware dealers and targeted
attack contractors (also known as cyber “hitmen”), because it further
complicates the traditional “state-sponsored” analysis that we’ve
become accustomed to.

• Dealers — The malware and exploits used in targeted attacks
  are not always exclusively available to one threat actor. Some are
  supplied by commercial entities such as FinFisher,
  which has been reportedly used against activists around the world,
  and HackingTeam,
  which sells spyware to governments and law enforcement agencies.
  FireEye discovered a likely cyber
  arms dealer that is connected to no fewer than 11 APT
  campaigns – however, the relationship between the supplier and those
  who use the malware remains unclear. Another similar cluster, known
  as the Maudi
  Operation, was also documented this year.

• Hitmen — Although this analysis is still highly speculative,
  some threat actors, such as Hidden
  Lynx, may be “hackers for hire”, tasked with breaking into
  targets and acquiring specific information. Others, such as IceFog,
  engage in “hit and run” attacks, including the propagation of
  malware in a seemingly random fashion. Another group, known as Winnti,
  tries to profit by targeting gaming companies with malware (PlugX)
  that is normally associated with APT activity. In one of the
  weirdest cases I have seen, malware known as “MiniDuke”,
  which is reminiscent of some “old school” malware developed by 29A,
  was used in multiple attacks around the world.

My colleagues at FireEye have put forward some interesting stealthy
techniques in the near future. In any case, 2014 will no doubt be
another busy year for those of us who research targeted malware attacks.

Print Share Comment Cite Upload Translate

APA

() » Trends in Targeted Attacks: 2013. Retrieved from https://www.truth.cx/2014/01/13/trends-in-targeted-attacks-2013/.

MLA

" » Trends in Targeted Attacks: 2013." - , https://www.truth.cx/2014/01/13/trends-in-targeted-attacks-2013/

HARVARD

» Trends in Targeted Attacks: 2013., viewed ,

VANCOUVER

- » Trends in Targeted Attacks: 2013. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2014/01/13/trends-in-targeted-attacks-2013/

CHICAGO

" » Trends in Targeted Attacks: 2013." - Accessed . https://www.truth.cx/2014/01/13/trends-in-targeted-attacks-2013/

IEEE

" » Trends in Targeted Attacks: 2013." [Online]. Available: https://www.truth.cx/2014/01/13/trends-in-targeted-attacks-2013/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa <p>FireEye has been busy over the last year. We have tracked malware-based espionage campaigns and published research papers on numerous advanced threat actors. We chopped through <a href="http://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf">Poison Ivy</a>, documented a <a href="http://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-malware-supply-chain.pdf">cyber arms dealer</a>, and revealed that <a href="http://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf">Operation Ke3chang</a> had targeted Ministries of Foreign Affairs in Europe.</p> <p>Worldwide, security experts made many breakthroughs in cyber defense research in 2013. I believe the two biggest stories were Mandiant’s <a href="http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf">APT1 report</a> and the ongoing Edward Snowden revelations, including the revelation that the U.S. National Security Agency (NSA) <a href="http://www.nrc.nl/nieuws/2013/11/23/nsa-infected-50000-computer-networks-with-malicious-software/">compromised 50,000 computers</a> around the world as part of a global espionage campaign.</p> <p>In this post, I would like to highlight some of the outstanding research from 2013.</p> <p> <b> <span style="font-size: medium;">Trends in Targeting</span></b></p> <p>Targeted malware attack reports tend to focus on intellectual property theft within specific industry verticals. But this year, there were many attacks that appeared to be related to nation-state disputes, including diplomatic espionage and military conflicts.</p> <p> <b>Conflict</b></p> <p>Where kinetic conflict and nation-state disputes arise, malware is sure to be found. Here are some of the more interesting cases documented this year:</p> <ul> <li>Middle East: continued attacks targeting the <a href="https://citizenlab.org/2013/06/a-call-to-harm/">Syrian</a> opposition; further activity by <a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html">Operation Molerats</a> related to Israel and Palestinian territories.</li> <li>India and Pakistan: tenuous relations in physical world equate to tenuous relations in cyberspace. Exemplifying this trend was the Indian malware group <a href="http://normanshark.com/wp-content/uploads/2013/08/NS-Unveiling-an-Indian-Cyberattack-Infrastructure_FINAL_Web.pdf">Hangover</a>, the <a href="https://community.rapid7.com/community/infosec/blog/2013/08/19/byebye-and-the-targeting-of-pakistan">ByeBye</a> attacks against Pakistan, and Pakistan-based <a href="http://www.threatconnect.com/news/where-there-is-smoke-there-is-fire-south-asian-cyber-espionage-heats-up/">attacks against India.</a></li> <li>Korean peninsula: perhaps foreshadowing future conflict, North Korea was likely behind the <a href="http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf">Operation Troy</a> (also known as <a href="http://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war">DarkSeoul</a>) attacks on South Korea that included defacements, distributed denial-of-service (DDoS) attacks, and malware that wiped hard disks. Another campaign, <a href="http://www.securelist.com/en/analysis/204792305/The_Kimsuky_Operation_A_North_Korean_APT">Kimsuky</a>, may also have a North Korean connection.</li> <li>China: this was the source of numerous attacks, including the ongoing <a href="https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/">Surtr</a> campaign, against the Tibetan and Uygur communities, which targeted <a href="http://www.alienvault.com/open-threat-exchange/blog/cyber-espionage-campaign-against-the-uyghur-community-targeting-macosx-syst">MacOS</a> and <a href="https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack">Android.</a></li> </ul> <p> <b>Diplomacy</b></p> <p>Malware continues to play a key role in espionage in the Internet era. Here are some examples that stood out this year:</p> <ul> <li>The Snowden documents revealed that NSA and GCHQ deployed <a href="http://www.theguardian.com/uk/2013/jun/16/gchq-intercepted-communications-g20-summits">key logging malware</a> during the G20 meeting in 2009.</li> <li>In fact, G20 meetings have long been targets for foreign intelligence services, including this year’s <a href="https://community.rapid7.com/community/infosec/blog/2013/08/26/upcoming-g20-summit-fuels-espionage-operations">G20 meeting in Russia.</a></li> <li>The Asia-Pacific Economic Cooperation (<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/spoofed-apec-2013-email-mixes-old-threat-tricks/">APEC</a>) and The Association of Southeast Asian Nations (<a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2013/06/trojan-apt-seinup-hitting-asean.html">ASEAN</a>) are also frequent targets.</li> <li>FireEye announced that <a href="http://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf">Operation Ke3chang</a> compromised at least five Ministries of Foreign Affairs in Europe.</li> <li> <a href="http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation">Red October</a>, <a href="http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/2q-report-on-targeted-attack-campaigns.pdf">EvilGrab</a>, and <a href="http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf">Nettraveler</a> (aka RedStar) targeted both diplomatic missions and commercial industries.</li> </ul> <p> <b> <span style="font-size: medium;">Technical Trends</span></b></p> <p>Estimations of “sophistication” often dominate the coverage of targeted malware attacks. But what I find interesting is that simple changes made to existing malware are often more than enough to evade detection. Even more surprising is that technically “unsophisticated” malware is often found in the payload of “sophisticated” zero-day exploits. And this year quite a number of zero-days were used in targeted attacks.</p> <p> <b>Exploits</b></p> <p>Quite a few zero-day exploits appeared in the wild this year, including eleven discovered by FireEye. These exploits included techniques to bypass ASLR and application sandboxes. The exploits that I consider the most significant are the following:</p> <ul> <li> <a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2013/02/the-number-of-the-beast.html">CVE-2013-0640</a>, which was used in the <a href="https://www.securelist.com/en/blog/208194129%20The_MiniDuke_Mystery_PDF_0_day_Government_Spy_Assembler_Micro_Backdoor">MiniDuke</a> attacks,</li> <li> <a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2013/05/ie-zero-day-is-used-in-dol-watering-hole-attack.html">CVE-2013-1347</a>, which was used in a watering hole attack on the Department of Labor website,</li> <li> <a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html">CVE-2013-3893</a>, which was deployed by the same group, DeputyDog, which <a href="https://blog.bit9.com/2013/02/25/bit9-security-incident-update/">compromised</a> Bit9 earlier in the year,</li> <li> <a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html">CVE-2013-3906</a>, which was used in both targeted attacks and in cybercrime campaigns</li> <li> <a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html">DeputyDog</a> in a watering hole attack.</li> </ul> <p> <b>Evasion</b></p> <p>The malware samples used by several advanced persistent threat (APT) actors were slightly modified this year, possibly as an evasive response to increased scrutiny, in order to avoid detection. For example, there were changes to <a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html">Aumlib and Ixeshe</a>, which are malware families associated with APT12, the group behind attacks on the <a href="http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html">New York Times</a>. When APT1 (aka Comment Crew) <a href="http://www.threatconnect.com/news/rising-from-the-ashes-the-return-of-the-crew/">returned</a> after their activities were exposed, they also used modified malware. In addition, <a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2013/10/evasive-tactics-terminator-rat.html">Terminator</a> (aka <a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf">FakeM</a>), and <a href="http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments">Sykipot</a> were modified.</p> <p> <b>Threat Actors</b></p> <p>Attribution is a tough problem, and the term itself has multiple <a href="http://www.nap.edu/openbook.php?record_id=12997&page=41">meanings</a>. Some use it to refer to an ultimate benefactor, such as a nation-state. Others use the term to refer to malware authors, or command-and-control (CnC) operators. This year, I was fascinated by published research about exploit and malware dealers and targeted attack contractors (also known as cyber “hitmen”), because it further complicates the traditional “state-sponsored” analysis that we’ve become accustomed to.</p> <ul> <li> <b>Dealers</b> — The malware and exploits used in targeted attacks are not always exclusively available to one threat actor. Some are supplied by commercial entities such as <a href="https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-proliferation-2/">FinFisher</a>, which has been reportedly used against activists around the world, and <a href="http://www.securelist.com/en/analysis/204792290/Spyware_HackingTeam">HackingTeam</a>, which sells spyware to governments and law enforcement agencies. FireEye discovered a likely <a href="http://www.fireeye.com/content/fireeye-www/en_US/company/press-releases/2013/fireeye-releases-report-revealing-a-possible-malware-cyber-arms-dealer.html">cyber arms dealer</a> that is connected to no fewer than 11 APT campaigns – however, the relationship between the supplier and those who use the malware remains unclear. Another similar cluster, known as the <a href="http://normanshark.com/wp-content/uploads/2013/06/NormanShark-MaudiOperation.pdf">Maudi Operation</a>, was also documented this year.</li> </ul> <ul> <li> <b>Hitmen</b> — Although this analysis is still highly speculative, some threat actors, such as <a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf">Hidden Lynx</a>, may be “hackers for hire”, tasked with breaking into targets and acquiring specific information. Others, such as <a href="http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf">IceFog</a>, engage in “hit and run” attacks, including the propagation of malware in a seemingly random fashion. Another group, known as <a href="http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game">Winnti</a>, tries to profit by targeting gaming companies with malware (PlugX) that is normally associated with APT activity. In one of the weirdest cases I have seen, malware known as “<a href="http://www.securelist.com/en/downloads/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf">MiniDuke</a>”, which is reminiscent of some “old school” malware developed by 29A, was used in multiple attacks around the world.</li> </ul> <p>My colleagues at FireEye have put forward some interesting <a href="http://www.fireeye.com/content/fireeye-www/en_US/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html">stealthy</a> techniques in the near future. In any case, 2014 will no doubt be another busy year for those of us who research targeted malware attacks.</p> First name:

Last name: