Transcript of the slide deck "The trends of cyber incidents leading to large scale cyber-crisis" (23 slides)

Page 1: The trends of cyber incidents leading to large scale cyber-crisis

Ilias Chantzos
Senior Director Government Affairs EMEA, Global CIP and Privacy Advisor

Page 2: Agenda for discussion

• Do you remember?
• Who is being attacked and how?
• Most recent example
• Political considerations
• Conclusions

Page 3: Code Red

Back in the early 2000s: fast-spreading exploits

Page 4: Slammer

Spread even faster…

Page 5: Since then…

Page 6: The change in the game

• When was the last time you saw mass malware distribution?
• Botnet usage reminiscent of this style of attack
• No longer hacking for fame but for fortune
• The biological bug vs. the digital one
• Polymorphism
  – 1 mutation per 10 victims
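The "1 mutation per 10 victims" point is what makes file-hash blocklists lag behind: if the distribution server hands out a freshly re-padded sample every ten downloads, a hash captured from one victim matches at most ten infections. The following toy simulation is example code added to this transcript (not from the presentation or from Symantec); the mutation interval is taken from the slide, while the "payload" is an inert placeholder string and the padding scheme is a made-up stand-in for whatever a real polymorphic packer would do.

```python
"""Toy model of server-side polymorphism at one mutation per ten victims.

Each victim receives a sample whose cryptographic hash changes every ten
downloads, so a hash blocklist built from one captured sample covers at most
ten infections, while a detection keyed on an invariant of the payload (the
part that has to stay the same for the sample to keep working) keeps up.
Constructed example: CORE is a harmless placeholder, not malware.
"""
import hashlib
from typing import Set

MUTATION_INTERVAL = 10  # one new variant per 10 victims, as stated on the slide

# Constructed, inert stand-in for the unchanging functional core of a sample.
CORE = b"PLACEHOLDER-CORE-LOGIC-v1"


def serve_sample(victim_index: int, seed: int = 0) -> bytes:
    """Bytes that victim number `victim_index` (0-based) would receive.

    Victims 0-9 get variant 0, victims 10-19 get variant 1, and so on. The
    variants differ only in a trailing padding blob, which is enough to give
    every variant a different file hash.
    """
    variant = victim_index // MUTATION_INTERVAL
    # Deterministic per-variant padding so the simulation is reproducible.
    padding = hashlib.sha256(f"{seed}:{variant}".encode()).digest()
    return CORE + b"\x00" + padding


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_coverage(captured_victim: int, population: int) -> int:
    """Defender captures the sample served to `captured_victim` and blocklists
    its hash. Return how many of `population` victims that hash would match."""
    blocked: Set[str] = {sha256(serve_sample(captured_victim))}
    return sum(1 for v in range(population) if sha256(serve_sample(v)) in blocked)


def invariant_coverage(population: int) -> int:
    """Same population, but detection keys on CORE rather than on the hash."""
    return sum(1 for v in range(population) if CORE in serve_sample(v))


def distinct_hashes(population: int) -> int:
    """Number of distinct file hashes a defender would see across `population` victims."""
    return len({sha256(serve_sample(v)) for v in range(population)})


if __name__ == "__main__":
    n = 100
    print(f"{n} victims, {distinct_hashes(n)} distinct hashes")
    print(f"hash blocklist from one sample covers {hash_blocklist_coverage(0, n)} victims")
    print(f"invariant-based detection covers {invariant_coverage(n)} victims")
```

The point of the simulation is the ratio, not the absolute numbers: with a hundred victims a single captured hash protects ten percent of them, and the defender's blocklist has to grow as fast as the attacker's mutation rate, whereas a signature on the invariant part of the payload (structural, behavioural, or a content match on the unchanging core) does not.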

Page 7: Spear phishing vs. watering hole attacks

• Targeted attacks predominantly start as spear phishing attacks
• In 2012, watering hole attacks emerged
  – Popularized by the Elderwood Gang

Spear phishing: send an email to a person of interest
Watering hole attack: infect a website and lie in wait for them

Page 8: Effectiveness of Watering Hole Attacks

1 watering hole attack in 2012 infected 500 companies, all within 24 hours

• Watering hole attacks are targeted at specific groups
• Can capture a large number of victims in a very short time

Page 9: Watering Hole Targeted iOS Developers

• The watering hole
• The attackers were looking for iOS developers

Page 10: To watch out – Vulnerabilities & Mobile Malware

• Today there is no significant link between mobile OS vulnerabilities and exploitation by malware
• In the future that may change

Platform vulnerabilities (count)
  Apple iOS        387
  Android           13
  Blackberry        13
  Windows Mobile     2

Mobile malware by device type (# of threats)
  Apple iOS malware     1
  Android malware     103
  Symbian malware       3
  Windows malware       1

Page 11: Targeted Attacks by Company Size

• Greatest growth in 2012 is at companies with <250 employees
• Up 42% in total in comparison to last year

Share of targeted attacks by number of employees (2012):
  2,501+            50%
  1,501 to 2,500     2%
  1,001 to 1,500     3%
  501 to 1,000       5%
  251 to 500         9%
  1 to 250          31%  (18% in 2011)

Overall: 50% at companies with 2,501+ employees, 50% at companies with 1 to 2,500 employees.

Page 12: Targeted Attacks by Industry

• Manufacturing moved to top position in 2012
• But all industries are targeted

Share of targeted attacks by industry (2012):
  Manufacturing                                   24%
  Finance, Insurance & Real Estate                19%
  Services – Non-Traditional                      17%
  Government                                      12%
  Energy/Utilities                                10%
  Services – Professional                          8%
  Wholesale                                        2%
  Retail                                           2%
  Aerospace                                        2%
  Transportation, Communications, Electric, Gas    1%

Page 13: Targeted Attacks by Job Function

Share of targeted attacks by recipient's job function:
  R&D              27%
  Sales            24%
  C-Level          17%
  Shared Mailbox   13%
  Senior           12%
  Recruitment       4%
  Media             3%
  PA                1%

• Attacks may start with the ultimate target but often look opportunistically for any entry into a company

Page 14: Latest example – Hidden Lynx

Page 15: Who is the Hidden Lynx group?

• "Hackers for hire" established before 2009
• Based in China
• Highly customized tools & access to 0-day exploits
• Pioneered large-scale "watering hole" attacks (AKA the VOHO campaign)
• More capable than Comment Crew/APT1
• Proficient, innovative, methodical

Page 16: Characteristics of Hidden Lynx

Source: Symantec Security Response

• Well resourced: 50–100 people
• Diverse range of targets
• Concurrent campaigns
• Can penetrate tough targets

Page 17: The Two Sides of Hidden Lynx

Same organization but different teams…

Team Naid: elite, precise, surgical
  Uses: Trojan.Naid
  Scope: special operations (small team)
  Targets: information of national interest
  Examples: Bit9 attack, Operation Aurora

Team Moudoor: skilled, prolific, indiscriminate
  Uses: Backdoor.Moudoor (custom "Gh0st RAT")
  Scope: wide-scope attacks (large team)
  Targets: financial sector, all levels of government, healthcare, education and legal

Page 18: Who's Targeted – Verticals

• Hundreds of targets
• Dozens of campaigns
• Direct/indirect attacks

Page 19: Who's Targeted – Top 10 Countries

  USA                  52.7%
  Taiwan               15.5%
  China                 9%
  Hong Kong             4%
  Japan                 3%
  Canada                2.4%
  Germany               2.2%
  Russian Federation    1.7%
  Australia             1.5%
  Republic of Korea     1.5%

Page 20: Tools, Tactics and Procedures

• Custom Trojans
• Early adopters of watering hole techniques (VOHO)
• Spear-phishing
• Supply chain attacks
  – Trojanizing driver files in the supply chain to infiltrate final targets
• 0-day and known exploits
  – Since 2011, 5 exploits including 3 0-day exploits
  – Including gaining early access to exploit details (Oracle Java CVE-2013-1493)
• Adaptable and resourceful
  – Stole Bit9 signing certificate to bypass their trust protection model
• Tell-tale characteristics of a professional and skilled group
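The Bit9 bullet is a trust-model lesson rather than a tooling one: an allowlist that admits anything carrying a valid signature from an approved publisher is only as strong as that publisher's key custody. The following is example code added to this transcript (not from the presentation, Symantec, or Bit9) that contrasts three allowlisting policies against a file signed with a publisher key the attacker has obtained. The publisher names, keys and file contents are constructed, and an HMAC stands in for a real code-signing certificate so the script runs offline.

```python
"""Why signer-only allowlisting fails once a signing key leaks.

Three policies are compared: trust-by-publisher alone, trust-by-publisher plus
a pinned hash of the known-good binary, and trust-by-publisher with the
compromised publisher revoked. Constructed example with a toy signature scheme.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed per-publisher signing keys. With a real PKI the private key
# would never be in the verifier's hands; it is here only to mint toy signatures.
PUBLISHER_KEYS: Dict[str, bytes] = {
    "VendorA": b"vendor-a-secret",
    "Attacker": b"attacker-secret",
}


@dataclass
class SignedFile:
    content: bytes
    publisher: str      # publisher the signature claims to come from
    signature: bytes


def sign(content: bytes, publisher: str, key: bytes) -> SignedFile:
    """Toy signing: HMAC over the content under the publisher's key."""
    return SignedFile(content, publisher, hmac.new(key, content, hashlib.sha256).digest())


def signature_valid(f: SignedFile) -> bool:
    """Does the signature verify under the claimed publisher's key?"""
    key = PUBLISHER_KEYS.get(f.publisher)
    if key is None:
        return False
    expected = hmac.new(key, f.content, hashlib.sha256).digest()
    return hmac.compare_digest(expected, f.signature)


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class TrustPolicy:
    trusted_publishers: Set[str]
    revoked_publishers: Set[str] = field(default_factory=set)
    pinned_hashes: Set[str] = field(default_factory=set)   # empty set = hash pinning not used

    def allows(self, f: SignedFile) -> bool:
        """Allow execution only if every configured check passes."""
        if not signature_valid(f):
            return False
        if f.publisher in self.revoked_publishers or f.publisher not in self.trusted_publishers:
            return False
        if self.pinned_hashes and sha256hex(f.content) not in self.pinned_hashes:
            return False
        return True


def scenario() -> Dict[str, bool]:
    """Evaluate a known-good file and a file signed with the leaked key under each policy."""
    good = sign(b"constructed: legitimate driver v1", "VendorA", PUBLISHER_KEYS["VendorA"])
    # The attacker holds VendorA's key, so this signature is cryptographically valid.
    leaked_key_file = sign(b"constructed: trojanized driver", "VendorA", PUBLISHER_KEYS["VendorA"])

    signer_only = TrustPolicy(trusted_publishers={"VendorA"})
    pinned = TrustPolicy(trusted_publishers={"VendorA"}, pinned_hashes={sha256hex(good.content)})
    revoked = TrustPolicy(trusted_publishers={"VendorA"}, revoked_publishers={"VendorA"})

    return {
        "signer_only_good": signer_only.allows(good),              # True
        "signer_only_leaked": signer_only.allows(leaked_key_file), # True: the bypass
        "pinned_good": pinned.allows(good),                        # True
        "pinned_leaked": pinned.allows(leaked_key_file),           # False
        "revoked_good": revoked.allows(good),                      # False: collateral cost
        "revoked_leaked": revoked.allows(leaked_key_file),         # False
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'BLOCK'}")
```

The two mitigations have different costs: pinning hashes of the specific binaries you have vetted stops the trojanized file but needs updating on every legitimate release, while revoking the compromised publisher stops it immediately but also blocks everything else that publisher ever signed. Either way, the signer-only policy is the one that lets the leaked-key file through.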

Page 21: Political considerations

• Cyber as a tool for SIGINT
• Cyber as a tool in conflict management
• Asymmetric, deniable, effective
• Political tension and cyber links
• Cyber + CNI (critical national infrastructure) = physical crisis
• Presumed capability and deterrence
• Trust model and PPP (public-private partnership)

Page 22: Conclusions

• No agreed definition of large-scale cyber-crisis
• Deterrence by denial is likely to prove superior to deterrence by counterstrike
• Militarization of some technologies is inevitable
• Cybersecurity moving towards SIGINT, EW, sabotage and strategic warfare
• Reliance on robotics will extend civilian and military use of cyber
• Combination of targeted and mass-scale likely to evolve
• Financial motivation will remain a prime driver
• Another political tool?

Page 23: Thank you!

[email protected]

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.