Malware & cyber espionage, ongoing attacks on sensitive information

Pierluigi Paganini August 02, 2012

Malware once were used primarily to destroy the victim’s PC, but the scenario has completely changed today.

While surviving the need of wanting to harm with malicious software, for example in the development of cyber weapons, the current trend is to develop agents that serve primarily to the function of spying.

Cybercrime, governments, and groups of hacktivists, with different purposes, tend to lean toward the spread of malicious agents that have the capacity to infiltrate the targets be silently stealing from them the most information. Profit, Power, Protest the main motivations behind the attacks, that are radically changing user’s approach to the web and the their perception of security.

We usually blame China but recent events have shown that it is common practice to use malware with these purposes

Google for example has detected a massive operation against performed by Chinese Hackers against several tens U.S. and multinational companies, but China is not the only nations involved in similar attacks, let’s consider for example United States and researches to develop cyber weapon that are able to infiltrate sensitive networks to steal information. The project Olympic Games is the evidence of the effort spent in this new form of offense, and other valid examples of malware used with cyber espionage purpose are Duqu and Flame both developed to gather sensible information from Iranian Government.

It’s true that most cyber operations of espionage traces back to China, but not all are related to government activities. According Joe Stewart, director of malware research at managed security provider Dell Secureworks,  many of them are conducted by private businesses.

“The victims are, by and large, in Asia,” he said. “But China is absolutely attacking everyone. There are plenty of victims.”

A recent study on cyber-espionage has demonstrated that more than 200 families of malware have been designed and used to spy on government and corporate representatives.

We have assisted to the diffusion of new agents that works in botnet architectures, in similar way to the ones used by cybercrime for massive attacks, but that are specifically developed for selected targets that resulting to have a minor dimension.

The study reveals that more than 1,100 domain were used in the attacks, in particular the experts have traced the botnet used analyzing the traffic produced, the Sinkholing, a consolidated technique used by many security firms,

Sinkholing is a technique that researchers use to redirect the identification of the malicious C&C server to their own analysis server. With this methods researcher design a map of the botnet and of the control center identifying the type and numbers of final attacks.

In many cases when the malicious domains expires security company acquire them to continue the analysis posing as C&C servers. The study of Dell Secureworks demonstrated that the identified botnet have hit with multiple attacks Japanese targets in both private and business sectors.

Attacks have the primary intent to steal classified information from government agencies or trade secrets from corporations and the situation could be extremely dangerous for the economy of a company and of the overall country.

With similar attacks governments and business try to reduce the technological gap with their competitors, it’s clear how much diffused is the phenomenon.

The cybercrime is not watching, it has increased focus in targeting individuals and organizations of all sizes to steal financial information, in particular under pressure has made the small businesses too vulnerable to cyber attacks.

The Trend Micro has reported a sensible increase of focused attacks respect previous quarter (27%), around  142 million threats which were blocked from infecting small businesses but also large companies have been hit by the crime as happened for the IXSHE campaign.

The web is a jungle where it is increasingly difficult to defend our identity and resources. Rik Ferguson, director of security research and communication, Trend Micro declared:

“The reason why criminals are focusing their attacks on stealing personal data is simple. It’s the sheer volume of people working from multiple devices that leaves them vulnerable to attacks,”

“While Trend Micro has been integral in working with authorities to break up a number of cybercriminal rings over the last year, these cybercriminals have acquired new techniques and tools from collaborating with one another to accelerate their ‘industry.’ The fact is: business is booming for cybercrime and everyone needs to take notice.”

Cyber espionage represents a serious cyber threat, and government agencies are defining best practices to reduce the risk of exposure to the attacks.

NIST has recently released the public comment release of Draft Special Publication 800-83 (SP) Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Malware is considered the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations.

This publication provides recommendations for improving an organization’s malware incident prevention measures.

It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones.

The awareness  program sponsored by US government a good initiative to limit the diffusion of malicious agents a first and necessary step to protect our digital identities, our cyber space, our Nation.

Pierluigi Paganini

you might also like

leave a comment