Stealing money - either by directly accessing bank accounts or by stealing confidential data - is not the only motive behind security breaches
BANGALORE, INDIA: Once again, it's time for us to deliver our customary retrospective of the key events that have defined the threat landscape in 2013. Let's start by looking back at the things we thought would shape the year ahead, based on the trends we observed in the previous year.
Targeted attacks and cyber-espionage
The onward march of 'hacktivism'
The use of legal surveillance tools
Cloudy with a chance of malware
Vulnerabilities and exploits
Who do you trust?
Mac OS malware
Dude, where's my privacy?!
If we now focus on the highlights of 2013, you can judge for yourself how well we did in predicting the future.
The top stories of 2013
Here's our shortlist of the top security stories of 2013.
1. New "old" cyber-espionage campaigns
In any retrospective of top stories of 2013 you might expect to read about incidents that occurred this year. But it's not quite that straightforward when looking at targeted attacks. Often, the roots of the attack reach back in time from the point at which they become known and are analyzed and reported. You might remember, for example, that this was the case with Stuxnet - the more we analyzed it, the further back we had to place its date of origin. It's true also of some of the major cyber-espionage campaigns we've seen this year.
Red October is a cyber-espionage campaign that has affected hundreds of victims around the world - including diplomatic and government agencies, research institutions, energy and nuclear groups, and trade and aerospace organizations. The malware is highly sophisticated - among other things, it includes a 'resurrection mode' that enables the malware to re-infect computers. The code is highly modular, allowing the attackers to tweak it easily for each specific target. Interestingly, Red October didn't just harvest information from traditional endpoints, but also from mobile devices connected to the victims' networks - a clear recognition by cybercriminals that mobile devices are a core component of today's business environment and contain valuable information. We published the results of our analysis in January 2013, but it's clear that the campaign dates back to 2008.
RedOctober victims map
In February, we published our analysis of MiniDuke, designed to steal data from government agencies and research institutions. Our analysis uncovered 59 high-profile victim organizations in 23 countries, including Ukraine, Belgium, Portugal, Romania, the Czech Republic, Ireland, Hungary and the US. Like many targeted attacks, MiniDuke combined the use of 'old school' social engineering tactics with sophisticated techniques. For example, MiniDuke included the first exploit capable of bypassing the Adobe Acrobat Reader sandbox. In addition, compromised endpoints received instructions from the command-and-control server via pre-defined Twitter accounts (and used Google search as a fallback method).
We learned of a wave of attacks in March that targeted top politicians and human rights activists in CIS countries and Eastern Europe. The attackers used the TeamViewer remote administration tool to control the computers of their victims, so the operation became known as 'TeamSpy'. The purpose of the attacks was to gather information from compromised computers. Though not as sophisticated as Red October, NetTraveler and other campaigns, this campaign was nevertheless successful - indicating that not all successful targeted attacks need to build code from scratch.
NetTraveler (also known as "NetFile"), which we announced in June, is another threat that, at the time of discovery, had long been active - in this case, since 2004.
This campaign was designed to steal data relating to space exploration, nano-technology, energy production, nuclear power, lasers, medicine and telecommunications. NetTraveler was successfully used to compromise more than 350 organizations across 40 countries - including Mongolia, Russia, India, Kazakhstan, Kyrgyzstan, China, Tajikistan, South Korea, Spain and Germany. The targets were from state and private sector organizations that included government agencies, embassies, oil and gas companies, research centers, military contractors and activists.
If your organization has never suffered an attack, it's easy to tell yourself that 'it won't happen to me', or to imagine that most of what we hear about malware is just hype. It's easy to read the headlines and draw the conclusion that targeted attacks are a problem only for large organizations. But not all attacks involve high-profile targets, or those involved in 'critical infrastructure' projects. In truth, any organization can become a victim. Every organization holds data that could be of value to cybercriminals, or it can be used as a 'stepping-stone' to reach other companies. This point was amply illustrated by the Winnti and Icefog attacks.
In April we published a report on the cybercrime group 'Winnti'. This group, active since 2009, focuses on stealing digital certificates signed by legitimate software vendors, as well as intellectual property theft (including theft of source code for online game projects). The Trojan used by the group is a DLL library compiled for 64-bit Windows environments. It uses a properly signed driver and operates as a fully-functional Remote Administration Tool - giving the attackers full control over the compromised computer. In total, we found that more than 30 companies in the online gaming industry fell victim to the group's activities - mostly in South-East Asia, but also affecting companies in Germany, the US, Japan, China, Russia, Brazil, Peru, Belarus and the UK. This group is still active.
The Icefog attacks that we announced in September (discussed in the next section of this report) were focused on the supply chain and, as well as sensitive data from within the target networks, also gathered e-mail and network credentials to resources outside the target networks.