The cybersecurity community has identified an alarming shift in attacker tactics in recent months. Instead of indiscriminate attempts to plant malware or crack passwords in order to harvest financial data, more attackers are aggressively pursuing specific, high-value targets. This emerging class of threats, categorized as cyber espionage, has put government agencies, defense contractors and heavy industry on high alert.
The latest such threat, known to Internet security researchers as Luckycat, was first documented earlier in the year. But a deeper analysis conducted by Trend Micro has revealed the full scope of the attack as an advanced persistent threat (APT) campaign targeting everything from Indian military research and Japanese energy companies to Tibetan activists.
One of the most important takeaways provided by the report was the notion that the majority of targeted attacks are not isolated incidents. Although Symantec researchers were first to draw attention to the matter and identify Indian military intelligence as Luckycat's initial target, more extensive monitoring by Trend Micro has suggested that the incident was only one link in a wider APT campaign.
According to the report, Japanese energy companies were targeted in a phishing campaign built around last year's devastating earthquake and the resulting destruction at the Fukushima Nuclear Power Plant. Recipients were baited into opening malicious attachments purportedly containing the results of radiation sample measurements. Once opened, the attachment installed malware that connected back to Luckycat's command-and-control servers.
The same method was applied in an attempt to disrupt the operations of Tibetan activists. According to the report, malicious attachments were sent with a series of bait emails built around activist themes, including self-immolation. The political nature of this particular Luckycat attack has raised broader questions about who may be pulling the strings of the campaign.
"The fact [that] they targeted Tibetan activists is a strong indicator of official Chinese government involvement," Center for Strategic and International Studies director James Lewis explained in an interview with the New York Times. "A private Chinese hacker may go after economic data, but not a political organization."
In fact, researchers may have traced Luckycat activities all the way back to an individual programmer. The Trend Micro report connected the attacks to an online alias, but further investigation identified the owner of the digital disguise as a former Chinese graduate student who is, according to the Times, "now apparently" an employee at China's leading Internet portal company.
While diplomatic implications go far beyond the scope of the Trend Micro report, researchers were able to provide detailed intelligence related to the architecture and strategy underlying the Luckycat attacks.
Just as the campaign was not limited to a single target, the attackers did not limit themselves to a single methodology. Trend Micro identified 90 separate Luckycat attacks since June 2011, each carrying its own unique campaign code in the malware so the attackers could track the success rate of the individual attack. Additionally, the attacks drew on five different malware families and even showed signs of collaboration with other known APT campaigns.
Not surprisingly, the attackers relied on a wide range of free, "throw-away" web hosting services to make their command-and-control infrastructure harder to trace. However, the report revealed that virtual private servers were likely used to anchor operations in case the free hosting accounts were shut down for malicious activity.
With this information in hand, researchers believe that their diligent monitoring efforts can be leveraged for the development of strategic defenses against not only Luckycat, but the broader class of APTs it represents.
"Understanding the attack tools, techniques and infrastructure used in the Luckycat campaign as well as how an individual incident is related to a broader campaign provides the context necessary for us to assess its impact and come up with defensive strategies in order to protect our customers," report authors stated.
Trend Micro security researchers stressed the importance of attack prevention fundamentals, such as effective patch management, endpoint and network security and well-maintained firewall rules. But in an era when even the best-protected systems can be infiltrated by experienced attackers, data loss prevention strategies have grown in importance as well.
Additionally, predictive intelligence could be the distinguishing factor between deflecting threats and becoming a victim. Retaining comprehensive visibility is essential, according to the report, and diligent analysis of endpoint, server and network monitoring logs can detect anomalies before they compromise operations. Regular integrity checks were also recommended, since most malware leaves traces behind: to persist across reboots it typically modifies files and registry keys, and a comparison against a known-good baseline exposes those changes.
The ultimate weapon against APTs, however, is people. With employees aware of the latest social engineering techniques and network administrators capable of detecting, quarantining and resolving suspicious activity, organizations stand a far better chance of limiting damage or avoiding attacks altogether.
Data Security News from SimplySecurity.com by Trend Micro