Posted on behalf of Martin Lee, Senior Software Engineer, Symantec.cloud
Targeted attacks are bespoke pieces of malware sent to email addresses that appear to have been specially selected by the attacker. In this they differ from the rest of email malware, which is sent in large numbers without apparent regard to the recipient. Non-targeted attacks appear to be designed to infect as many computers as possible, whereas targeted attacks appear to be designed to compromise the computers of specific individuals, presumably either to extract information that is valuable to the attacker or to serve as a launching pad for further attacks within an organisation.
The targeted malware itself often exploits zero-day or the most recently disclosed vulnerabilities. The small number of copies in which these samples are sent, combined with their sophistication, means that they are often not detected by traditional signature-based anti-virus techniques and require heuristic analysis to be detected. Organisations relying on unsophisticated anti-virus protection may be completely unprotected against this class of threat.
Approximately 1 in every 208 emails contained malware in March 2011, rising to 1 in 168 in April; however, only about 1 in every 5,000 (0.02%) of malware-containing emails can be classed as targeted. Although these attacks are therefore quite rare, Symantec.cloud detected a 60.4% increase in the average number of daily targeted attacks in 2010 compared with 2009.
Figure 1. Number of targeted attacks per day directed against Symantec.cloud customers since April 2008.
Table 1. Frequency of targeted attacks against customers and increases in attacks, 2010 compared with 2009.
Since April 2008, almost a third of all targeted attacks have been sent to the public sector (32.42%), followed by companies in the manufacturing sector (15.98%), financial companies (8.04%), IT services (6.12%) and educational organisations, predominantly universities (4.61%). In 2010 only 1 in 35 of our private sector clients received a targeted attack, and of those that did, the vast majority received no more than 4 such attacks in the year. Most of our private sector clients may therefore expect never to receive such an attack, and if they do, to receive only a few in a year. Nevertheless a small percentage of clients are under repeat attack: 6.8% of clients received more than 50 such attacks in 2010, and 2.3% received more than 250.
Figure 2. Histogram of number of attacks directed against Symantec.cloud customers during 2010.
Compared with 2009, both the number of targeted attacks and the number of companies attacked increased: we saw a 17.40% increase in the number of attacked customers in 2010 over 2009 and a 31.37% increase in the number of distinct attacks. Because the number of attacks grew faster than the number of customers attacked, the attacks per attacked organisation rose, and there is a clear increase in the number of attacks directed against the most frequently targeted organisations. Targeted attacks appear to be becoming more common, but also more highly targeted.
Most recipients of targeted attacks can be identified from their internet footprint. 34% of recipients are senior managers with titles such as ‘Vice President’ or ‘Director’, and 24% are individuals with other managerial responsibilities; only 4% are of low seniority, and many of these are personal assistants to senior managers. Interestingly, 19% of recipients are not identifiable through public internet searches, yet the attackers know their identity; possibly this knowledge was gained through successful attacks elsewhere.
19% of attacks are sent to mailbox-type addresses such as ‘recruitment@’ or ‘enquiries@’. Such addresses may be seen as an easy means of ingress into a company, since the people administering them are used to opening attachments sent by email from unknown senders.
Figure 3. Recipients of targeted attacks grouped by seniority of recipients.
One factor common to targeted attacks is the time of day at which they are sent. Plotting the hour at which each attack since April 2008 was sent produces an interesting graph.
Figure 4. Number of targeted attacks since April 2008 against hour of day the attack was sent.
We interpret this graph as showing one gang that starts work at approximately midnight GMT, which corresponds to 9am on the western Pacific Rim; it works through the local morning, takes a lunch break and returns to work in the afternoon. A second gang starts work at 07:00 GMT, which corresponds to 9am in Eastern Europe; this second gang also takes a lunch break at midday and finishes work at 15:00 GMT.
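The hour-of-day analysis behind Figure 4 can be reproduced on any mail archive. The following is an added example written for this post, not Symantec.cloud's own tooling: it takes the arrival timestamp written by the recipient's own gateway (the topmost Received header) rather than the sender-controlled Date header, normalises every timestamp to UTC so that gateways in different zones do not smear the histogram, counts attacks per UTC hour, and reports the contiguous busy windows that an analyst would then map onto candidate time zones, as the interpretation above does with UTC+9 and UTC+2. The messages in SAMPLES are constructed, and the function names (arrival_time_utc, busy_windows, shift_window, analyse) are assumptions made for the illustration.

```python
"""Hour-of-day profile of targeted-attack mail, normalised to UTC.
Added example for this post, not Symantec.cloud code; SAMPLES are constructed
and every helper name is an assumption."""
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime


def _to_utc(stamp):
    """Parse an RFC 5322 date string into an aware UTC datetime.
    parsedate_to_datetime() returns a naive value for the '-0000' zone, and
    astimezone() on a naive value would assume the analyst's local zone."""
    dt = parsedate_to_datetime(stamp)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def arrival_time_utc(raw_message, trust_date_header=False):
    """UTC arrival time from the topmost Received header.
    That line is written by the last hop, i.e. the recipient's own gateway, so
    unlike Date it is not under the sender's control; trust_date_header=True
    reads the sender-supplied Date instead, for comparison."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if received and not trust_date_header:
        # RFC 5321: the timestamp follows the final ';' of the Received clause
        return _to_utc(received[0].rsplit(";", 1)[-1].strip())
    return _to_utc(msg["Date"]) if msg["Date"] else None


def hour_histogram(times):
    """Events per UTC hour of day: the 24-bucket series behind a Figure 4 plot."""
    hist = [0] * 24
    for t in times:
        if t is not None:
            hist[t.hour] += 1
    return hist


def busy_windows(hist, min_count=1):
    """Contiguous UTC hour ranges holding at least min_count events; a range that
    crosses midnight is reported once as (start, end) with start > end."""
    windows, start = [], None
    for h in range(25):  # the 25th step flushes a window still open at 23:00
        active = h < 24 and hist[h] >= min_count
        if active and start is None:
            start = h
        elif not active and start is not None:
            windows.append((start, h - 1))
            start = None
    if len(windows) > 1 and windows[0][0] == 0 and windows[-1][1] == 23:
        first, last = windows[0], windows.pop()
        windows[0] = (last[0], first[1])  # merge the pair that meets at midnight
    return windows


def shift_window(window, utc_offset_hours):
    """Express a UTC window in a candidate sender zone, e.g. +9 or +2."""
    start, end = window
    return ((start + utc_offset_hours) % 24, (end + utc_offset_hours) % 24)


def _constructed_message(received_stamp, date_header):
    # Constructed sample: one hop, with our own gateway's Received line on top
    return ("Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
            "\tby gateway.example.com with ESMTP id k9fx3;\n"
            f"\t{received_stamp}\nDate: {date_header}\n"
            "From: accounts@example.net\nTo: enquiries@example.com\n"
            "Subject: Invoice attached\n\nPlease see the attached document.\n")


# Constructed arrival stamps; the last sample's Date header is 17 hours off the
# gateway stamp, as a forged or badly set sender clock would be.
SAMPLES = [
    _constructed_message("Tue, 5 Apr 2011 00:12:41 +0000", "Tue, 5 Apr 2011 00:12:30 +0000"),
    _constructed_message("Tue, 5 Apr 2011 01:45:10 +0000", "Tue, 5 Apr 2011 01:45:00 +0000"),
    _constructed_message("Wed, 6 Apr 2011 04:20:00 -0000", "Wed, 6 Apr 2011 04:19:50 -0000"),
    _constructed_message("Thu, 7 Apr 2011 05:55:31 +0000", "Thu, 7 Apr 2011 05:55:20 +0000"),
    _constructed_message("Thu, 7 Apr 2011 07:10:08 +0000", "Thu, 7 Apr 2011 09:10:00 +0200"),
    _constructed_message("Thu, 7 Apr 2011 09:30:02 +0100", "Thu, 7 Apr 2011 08:29:50 +0000"),
    _constructed_message("Fri, 8 Apr 2011 09:01:17 +0000", "Fri, 8 Apr 2011 11:01:05 +0200"),
    _constructed_message("Fri, 8 Apr 2011 13:15:23 +0000", "Fri, 8 Apr 2011 13:15:10 +0000"),
    _constructed_message("Mon, 11 Apr 2011 16:05:36 +0200", "Mon, 11 Apr 2011 16:05:25 +0200"),
    _constructed_message("Mon, 11 Apr 2011 01:00:00 +0000", "Mon, 11 Apr 2011 18:00:00 +0000"),
]


def analyse(messages=SAMPLES, min_count=1):
    """Histogram and busy windows from gateway arrival times, in UTC."""
    hist = hour_histogram(arrival_time_utc(m) for m in messages)
    return hist, busy_windows(hist, min_count)
```

Two checks are worth keeping in mind when reading such a graph. The Date header is written by the sender and can be forged or simply wrong (the last constructed sample disagrees with the gateway stamp by 17 hours, which would move that attack from the midnight cluster to an evening slot), and a zone of -0000 is parsed by Python as a naive datetime, which astimezone() would silently interpret in the analyst's local zone unless it is pinned to UTC first. A window such as 00:00 to 01:00 UTC is consistent with a 9am start at UTC+9, but it is equally consistent with any other zone whose working day begins then, so the mapping from busy windows to a location is an inference rather than an identification.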