SAN FRANCISCO -- If Internet espionage in 2011 looks anything like it did in 2010, then expect plenty of one-time-only targeted attacks that will surprise researchers and continue to victimize enterprises.
That was the message from Mikko Hypponen, chief research officer for Helsinki-based security services firm F-Secure Corp. During a cyberespionage session Thursday at RSA Conference 2011, Hypponen used recent examples from actual attacks to demonstrate how cybercriminals seek to pilfer data from unsuspecting companies, governments and individuals.
Hypponen noted that Internet espionage can be distinguished from financially motivated attacks by its clear, specific targets: defense contractors, public sector organizations, governments and ministries, and advocacy groups such as pro-Tibet organizations and supporters of Inner Mongolian minorities top the list, and many of them offer little financial incentive for attackers.
Hypponen said almost all targeted attacks happen via email, though some occur during the use of online chat services or Web-based exploits. The vast majority, he said, look similar: an email purports to be from a trusted colleague, customer, partner or friend, discussing everyday topics.
However, these emails are actually created and sent by attackers; they contain code to trigger exploits that open backdoors on affected systems, often granting cybercriminals unfettered access to steal data, spy on users and usher systems into their ever-expanding botnets.
While many computer infections are the result of a lack of user awareness or simply bad luck, Hypponen said targeted attacks for the purpose of Internet espionage have a high success rate because attackers research topics their subjects are likely to be interested in, and build their malicious emails and documents partly or entirely from legitimate, third-party writings.
Worse yet, Hypponen said these attacks increasingly use one-time-only malware samples that are difficult for antimalware systems to detect.
"When we typically get a [malware] sample in our labs, we have hundreds or thousands of samples" of the same malware, Hypponen said, but in these cases the malware is unique: something researchers have never seen before and will never see again.
However, one trend that remains constant is the use of certain types of documents to carry the malicious payloads. According to F-Secure, 61% of targeted attacks in 2010 relied on malicious PDF documents; nearly all the rest utilized tainted Microsoft Office documents, including Word, Excel and PowerPoint files.
Ironically, attackers conducting Internet espionage often cloak their efforts in documents and emails containing information about cyberattacks. Hypponen showed an example of a malicious email discussing cyberwarfare that was sent to a mailing list focused on cyberwar, targeting the whole group of subscribers at once.
He also discussed the case of a security analyst who discovered malware that had been successfully planted on the Nobel Peace Prize webpage. Not long after the researcher discovered and addressed the issue, he received an email recognizing his efforts with an attached PDF invitation to the upcoming Nobel Peace Prize ceremony. The only problem was the email was fake and the PDF was actually a targeted attack.
Hypponen said it's still hard to detect Internet espionage, but he recommended instructing users not to open unexpected email attachments. If users receive them, they should call the senders first to confirm their legitimacy. He also noted that most PDF exploits target flaws in Adobe Reader, so enterprises can reduce the likelihood of successful attacks by encouraging use of alternative PDF-reader applications.
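The pattern Hypponen describes, a message that borrows a trusted colleague's name and carries a PDF or Office attachment, can be flagged at the mail gateway before anyone is asked to phone the sender. The script below is an added illustration, not code from the talk or from F-Secure; the address book, the lookalike domain and the sample message are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Types the talk singles out: PDFs (61% of 2010 targeted attacks) and Office files.
RISKY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
# Hypothetical address book: lower-cased display name -> trusted sender address.
KNOWN_CONTACTS = {"jane doe": "jane.doe@example.org"}

def risky_attachments(msg):
    """Names of attached files whose extension is in RISKY_EXTENSIONS."""
    names = [(part.get_filename() or "") for part in msg.iter_attachments()]
    return [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]

def impersonated_contact(msg, contacts):
    """Display name of a known contact reused with a different address, else None."""
    display, addr = parseaddr(str(msg["From"] or ""))
    expected = contacts.get(display.strip().lower())
    if expected and addr.lower() != expected:
        return display
    return None

def triage(raw, contacts=KNOWN_CONTACTS):
    """Return a list of findings for one raw RFC 822 message ([] if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = [f"risky attachment: {n}" for n in risky_attachments(msg)]
    who = impersonated_contact(msg, contacts)
    if who:
        findings.append(f"sender uses display name of known contact '{who}'")
    return findings

# Constructed sample: a lookalike sender and a placeholder PDF (not an exploit).
SAMPLE = """\
From: Jane Doe <jane.doe@mail-example.net>
To: analyst@example.org
Subject: Invitation to the ceremony
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invitation.
--b1
Content-Type: application/pdf; name="invitation.pdf"
Content-Disposition: attachment; filename="invitation.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""
```

Calling `triage(SAMPLE)` reports both the PDF attachment and the borrowed display name; a plain message from the contact's real address returns an empty list.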
"Adobe Reader is the worst piece of software I've seen, right after QuickTime," Hypponen said.
Marc, an attendee from a U.S. government agency who wished to remain anonymous, said it's clear users should avoid Adobe Reader, but the problem is that users don't know how insecure it is or how important it is to use an alternative.
Attendee Harry Bryson, a U.K.-based software engineer with Hewlett-Packard Co., said the combination of malicious PDFs and social engineering makes Internet espionage difficult to stop.