When building a defense against Internet security threats, companies have to think big. Threats certainly arise within the country where a company resides, but cyber threats are more globalized than ever, as shown by a recent attack discovered by security researchers in Russia. The so-called “Red October” operation targeted governments, research institutions and diplomats for at least five years before being discovered.
Wired said this was a “highly targeted” campaign focusing mainly on Central Asia and Eastern Europe. Its ringleaders were looking to harvest documents and data from computers, storage utilities and a variety of mobile devices, according to Kaspersky, which discovered the spying operation. Victims were spread across 69 countries, including the United States, Ireland, Japan and many more. Affected institutions included nuclear and energy research companies, aerospace industries, government agencies and embassies, among others.
“The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information-gathering scope is quite wide,” Kaspersky said in a report on the cyber espionage. “During the past five years, the attackers collected information from hundreds of high-profile victims, although it’s unknown how the information was used.”
How this operation worked
Malware was initially spread via spear-phishing campaigns, the security company said, which targeted specific victims within an organization. Exploits for Microsoft Excel and Word planted a Trojan on the machines these people were working on, and the Trojan then checked whether any other devices were vulnerable. It was then able to spy, undetected, by recording keystrokes, taking screenshots, extracting browsing history, documents and account information, and creating a one-way covert channel of communication.
“The main malware body acts as a point of entry into the system which can later download modules used for lateral movement,” Kaspersky’s report said. “After initial infection, the malware won’t propagate by itself – typically, the attackers would gather information about the network for a few days, identify key systems and then deploy modules which can compromise other computers in the network, for instance by using the MS08-067 exploit.”
Any information harvested and stolen by these cyber criminals was stored for later use. The stolen material could contain intelligence that the attackers can refer back to whenever they need it. At least 5 terabytes of confidential information could have been stolen over the five-year span of the operation, the security company estimated.
How to stop spear-phishing
Jason Clark of Websense wrote on CSO Online that companies do not have to simply sit and wait to be hit by one of these spear-phishing attacks. He said there are three ways that will stop nearly all spear-phishing attacks that may affect a company, starting with continuous network monitoring.
“First, stop malicious URLs from even getting to your users’ corporate inboxes at your gateway,” he said. “Even if you have inbound email sandboxing for your corporate email, some users might click on a malicious link through a personal email account, like Gmail. In that case, your corporate email spear-phishing protection is unable to see the traffic. Bottom line: your web security gateway needs to be intelligent, analyze content in real time, and be 98 percent effective at stopping malware.”
The two other tips for stopping spear-phishing address the human element: watch employee behavior, and train employees to spot scams and to screen email links and attachments. Together, these measures should help keep an organization from being hit by a spear-phishing email.
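As an added example (not code from the article, from Websense or from Trend Micro), here is a small Python check of the kind a mail gateway could run against the two vectors described above: links pointing at blocklisted domains, and legacy Office attachments of the sort used to carry the Excel and Word exploits. The blocklist, the sample message and all names in it are constructed for the demo.

```python
"""Screen one raw e-mail for blocklisted links and Office attachments."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed blocklist; a real gateway would consume a threat-intel feed.
BLOCKED_DOMAINS = {"bad-updates.example", "docs-share.example"}
# Extensions of Office formats commonly used as phishing lures.
OFFICE_EXT = (".doc", ".xls", ".rtf", ".docm", ".xlsm")
# Magic bytes of an OLE2 compound file (the legacy .doc/.xls container).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def screen_message(raw: bytes) -> list:
    """Return (reason, detail) findings for a raw RFC 5322 message."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:  # an attachment: check name and file header
            payload = part.get_payload(decode=True) or b""
            if filename.lower().endswith(OFFICE_EXT) or payload.startswith(OLE_MAGIC):
                findings.append(("office_attachment", filename))
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                host = (urlparse(url).hostname or "").lower()
                if host in BLOCKED_DOMAINS:
                    findings.append(("blocked_url", url))
    return findings


# Constructed sample lure: a blocklisted link plus a legacy Word attachment
# whose base64 body decodes to the OLE2 magic followed by zero padding.
SAMPLE = (b"From: hr@example.org\r\nTo: staff@example.org\r\n"
          b"Subject: Updated travel policy\r\nMIME-Version: 1.0\r\n"
          b"Content-Type: multipart/mixed; boundary=XX\r\n\r\n--XX\r\n"
          b"Content-Type: text/plain\r\n\r\n"
          b"Please review http://docs-share.example/policy.doc today.\r\n"
          b"--XX\r\nContent-Type: application/msword; name=policy.doc\r\n"
          b"Content-Disposition: attachment; filename=policy.doc\r\n"
          b"Content-Transfer-Encoding: base64\r\n\r\n"
          b"0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA\r\n--XX--\r\n")

if __name__ == "__main__":
    for reason, detail in screen_message(SAMPLE):
        print(reason, detail)
```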
Security News from SimplySecurity.com by Trend Micro.