ISTR 2019: Targeted Attack Groups Increase Despite Growing Risk of Exposure

One of the ironies within the cyber security realm is that some of the most troubling and dangerous cyber attacks are often the least noticed and publicized. That’s just the way the perpetrators of targeted attacks want it.

Consider the varying goals of different types of hackers, thieves and other online criminals. If you’re using a distributed denial of service attack to take down major websites or encrypting critical data and demanding a ransom to release it, subtly isn’t exactly the name of your game.

By contrast, the overarching goal – to date, at least – of targeted attack groups is to gather intelligence, ranging from government and military secrets to corporate intellectual property. The longer these attackers can go undetected and unidentified, the better for perpetuating their stealthy activities.

That said, it’s getting tougher for targeted attack groups to remain fully anonymous, given the growing capabilities of cyber security researchers to track them down. During 2018, for example, Symantec uncovered four new targeted attack groups, according to the 2019 edition of the company’s annual Internet Security Threat Report (ISTR). Those four join a relatively small number of known groups – about 155 – identified to date.

“Intelligence gathering is the bread and butter of these groups,” says Dick O’Brien, principal editor with the Symantec Security Response organization. Indeed, Symantec estimates that stealing intelligence is a motive driving 96% of targeted attack groups. A few groups do have multiple, or entirely different motives: overall 10% aim to cause some form of disruption, and 6% seek financial gain, Symantec reports.

“Often, a group will send spear phishing emails to employees at a targeted organization,” O’Brien says. “If an employee opens a link in the messages, the user’s computer is infected with malware, giving the attacker a toehold in the organization’s network. From there, they can deploy various tools, map the network, and find the information they’re seeking.”

Pulling off targeted attacks requires a variety of skills and resources, and a fair degree of sophistication. While it’s possible an individual might sometimes manage such an attack, groups of experts are usually involved. And, given the targets of these attacks – which often include military and government agencies, diplomatic operations and strategic infrastructure – “the majority of targeted attack groups have state-sponsored hallmarks,” O’Brien says.

One of the most concerning targeted attack trends identified by Symantec last year was an uptick in focus on strategic infrastructure. The ISTR warns of “… a growing number of groups displaying an interest in compromising operational computers, which could potentially permit them to mount disruptive operations if they chose to do so.”

In fact, one of the four new attack groups identified by Symantec– which it dubbed the Thrip group – fell into this category of potential disruptors. This espionage group breached the computers and networks of a number of telecommunications operators and other organizations, including a defense contractor. One target was a satellite communications operator, suggesting a possible goal of the attackers was to infect the computers that monitored and controlled strategic satellites.

Like a growing number of cyber attackers, the Thrip group employed living off the land techniques to keep their actions low profile. Symantec was only able to discover the initial signs of the Thrip attack thanks to the firm’s Targeted Attack Analytics (TAA) technology. TAA employs sophisticated artificial intelligence and machine learning technology that was able to flag suspicious activity involving a common Microsoft tool called PsExec. It’s unlikely that human security analysts could have processed all of the data that TAA was able to crunch in order to detect the PsExec-disguised movements of the attackers within the network of the initial victim identified – a Southeast Asian telecom operator.

Symantec was ultimately able to pinpoint the source of the Thrip attack. While the actual perpetrators of the attack have yet to be identified, there are hopeful indications that they and other targeted attack groups are becoming much more vulnerable to exposure and prosecution.

The ability of government and private cyber security sleuths to track down individual attackers became clear during 2018 with the highly publicized indictment of foreign nationals and three companies charged with interfering in the 2016 U.S. Presidential election. While this indictment garnered most of the headlines, there were 49 targeted attack group individuals or organizations indicted during 2018, according to Symantec’s ISTR. That compared to just four such indictments in 2017 and five in 2016.

Further, A U.S. Department of Justice indictment against two foreigners associated with an attack group called Advanced Persistent Threat 10 provides a window into the nature and objectives of these types of attackers. Symantec’s ISTR notes that such indictments – aided by investigative and analytic cyber security tools such as its TAA – could put targeted attack groups and their sponsors under increasing scrutiny and pressure. Still, there is no doubt that such attacks will persist, and that cyber defenses will need to continually improve. The potential payoffs of targeted attacks – be they information gained, or infrastructure disrupted – will motivate groups, and the countries that sometimes sponsor them, even as the risk of exposure increases.