“Vampire Penetration” – Spear Phish + Payload Attack Targets Senior Defence Official

I speak, present and write about this phenomenon so often in my day job, I was utterly surprised to find that, trolling back over my personal blog, I’d never actually covered this topic.  It’s practically my favorite.  (Sad but true.)  So as I have briefed many times in my professional capacity, here’s my take on the modern Cyber attack.

Do geeks still hack routers and crack passwords?  Sure.

Do nerdy expert types manage to tunnel into secret stuff by technical wizardry?  All the time.

But in my mind, the “modern high-end Cyber attack” is all about penetration by manipulation, i.e. social engineering the user.  It’s axiomatic in the IT security business that people are the weakest part of the chain, or, as a hacker acquaintance of mine put it (perhaps a bit unapologetically) on his T-shirt recently, “There’s no Patch Tuesday for Stupid”.

All the security in the world is of no use if the person with permission to circumvent it can be conned into allowing the attacker in voluntarily.  It’s what I like to call a “Vampire Penetration”.  You’re totally safe from attack inside your house until you yourself invite the bloodsucker in. So what does such a thing look like in practice?

Well, let’s do a quick review.  Traditional Phishing generally consists of manipulating the user into voluntarily giving up some valuable datum – some tidbit or password, e.g. “Your card has expired and so your PayPal account needs updating” or the like.  “Here’s my Visa card” says User Bob.

Malware-Phishing gets longer-term access to the user’s machine by manipulating the user into downloading malicious code, e.g. a keylogger that records and sends the criminal ALL logins and passwords, e.g. “To watch this porno video, you need to download this special CODEC for Windows Media Player”.   Clickety-click goes User Bob.

Spear Phishing is a lot scarier than these.  It doesn’t spam or ensnare whoever happens by.  It targets someone specific based on their title, place of work or functional role.  For example, as early as 2000 or so, AOL employees began getting emails that referenced specific internal systems known only to employees, and that were designed to give outsiders access to company data.  Only AOL employees received these emails.

And the modern, high-end Cyber attack?  Take this to its logical extreme.  Someone sees you, meets you, finds your business card or trolls Facebook, LinkedIn, Twitter or the newspapers to find a target of interest.  Someone very specific with access to data they want.  They research the individual and find completely personalized angles of attack and manipulation, then send hand-crafted messages designed to penetrate a company or agency at the very highest levels, often targeting the “crown jewels” of whatever that entity has in terms of data.

Sounds a bit paranoid, doesn’t it?  Here are a few fun examples:

Oil company executives targeted in booby trapped emails – What’s interesting about this is what was taken, something called “bid data” which details the size and location of reserves.  Kind of important stuff if you’re in the oil business I’d guess.

Want something scarier?  Ok, forget money, what about when they come after something even more upsetting, like defense information?

And the so-called “Google Hack”, or now-infamous “Operation Aurora” as it is also known among the nerd herd?  It successfully hit more than 30 of the leading lights of the American tech industry, stealing source code and other intellectual property, the “crown jewels” of an industry based entirely on Intellectual Property.  And how did they do it?  They researched individual employees, then attacked them via their social networks and friends.

So today’s item is really just another example of something that has been going on for years.  What made this one interesting was that it wasn’t just employees at a certain firm or even a small cadre of executives.  This story highlights a hand-crafted attack targeting a single, high-profile Ministry of Defence official.  (Yes I know I spelled it in British, call me quirky.)

“Foreign spies targeted a senior British defence official in a sophisticated spear phishing operation that aimed to steal military secrets. The plan was foiled last year when the official became suspicious of an email she received from a contact she had met at a conference…”
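The story above turns on the one thing a defender can actually check: the mail claimed to come from a known contact, but something about it did not fit.  As an added example (not code from the original post or from any vendor mentioned here), the script below runs a few sender-impersonation heuristics of the kind mail-triage tooling uses over constructed sample messages: a display name that matches a known contact but arrives from a different domain, a sender domain that is a near-miss of a trusted one, a Reply-To that points somewhere else, and a payload-style attachment of the “booby trapped email” variety.  The address book, domains, message contents and the function names are all assumptions invented for the example.

```python
"""Sender-impersonation triage for inbound mail (added example, not from the post).

Flags the pattern the post describes: a message that appears to come from a
known contact but whose address, reply path or attachment does not match what
we know about that contact.  Every contact and message below is constructed
sample data for the example.
"""
from email.utils import parseaddr

# Constructed address book: display name -> domain we have actually corresponded with.
KNOWN_CONTACTS = {
    "Alice Example": "partner.example",
    "Bob Vendor": "vendor.example",
}

# Attachment types that carry code or macros and so deserve a second look.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".zip")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(message: dict) -> list[str]:
    """Return human-readable findings for one message; an empty list means nothing odd."""
    findings = []
    name, addr = parseaddr(message.get("from", ""))
    from_domain = domain_of(addr)

    # 1. Display name is a known contact, but the address is not where we know them from.
    expected = KNOWN_CONTACTS.get(name)
    if expected and from_domain != expected:
        findings.append(f"display name '{name}' known from {expected}, but sent from {from_domain}")

    # 2. Sender domain is within two edits of a domain we trust (typosquat-style look-alike).
    for known_domain in KNOWN_CONTACTS.values():
        if from_domain != known_domain and 0 < levenshtein(from_domain, known_domain) <= 2:
            findings.append(f"sender domain {from_domain} resembles trusted domain {known_domain}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(message.get("reply_to", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    # 4. Payload-style attachments.
    for filename in message.get("attachments", []):
        if filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment '{filename}' has an executable or macro-bearing extension")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {   # genuine note from a contact we know, from the domain we know her at
        "from": "Alice Example <alice@partner.example>",
        "attachments": ["slides.pdf"],
    },
    {   # the conference-contact pattern from the quoted story: right name, wrong address
        "from": "Alice Example <alice@partner-mail.example>",
        "reply_to": "alice.example@webmail.example",
        "attachments": ["Agenda.docm"],
    },
    {   # look-alike domain: digit 1 in place of the letter l
        "from": "Bob Vendor <bob@vendor.examp1e>",
    },
]


def run_samples() -> dict[str, list[str]]:
    """Triage every sample message; keys are the From headers."""
    return {m["from"]: triage(m) for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for sender, findings in run_samples().items():
        print(sender, "->", findings or "no findings")
```

None of these checks proves an email is hostile, and a real contact may well write from a personal account; the point is that each finding is a cheap, mechanical reason to do what the official in the story did and verify out of band before opening anything.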

Disclaimer: The views expressed on this blog are mine alone, and do not represent the views, policies or positions of Cyveillance, Inc. or its parent, QinetiQ-North America.  I speak here only for myself and no postings made on this blog should be interpreted as communications by, for or on behalf of, Cyveillance (though I may occasionally plug the extremely cool work we do and the fascinating, if occasionally frightening, research we openly publish.)
