Russian attackers targeted the energy sector and a Chinese-nexus intrusion group infected foreign embassies with malware using watering hole tactics in 2013, CrowdStrike found in its first-ever Global Threat Report.
CrowdStrike's Intelligence Team tracked more than 50 different threat actor groups believed to be behind the majority of sophisticated threats against enterprises in 2013. These groups operated out of China, Iran, India, North Korea, and Russia. In its Global Threat Report, CrowdStrike identified many of the tactics, techniques, and procedures used by these groups to craft and launch sophisticated attacks against major targets around the world. CrowdStrike outlined details of how these groups carried out their attacks and what tools were used in the report, released Wednesday.
Attackers are human, which means “they make mistakes, and they have habits,” said Adam Meyers, vice-president of Intelligence at CrowdStrike, a firm focused on the detection and mitigation of targeted attacks. Attack tools, no matter how sophisticated, carry specific “marks” that can be traced back to the humans who created them, he said. A mark can be something like password reuse, a certain string that appears frequently in code, or even the name of the registrar hosting the domain name. These marks cannot be obfuscated, and CrowdStrike researchers rely on such clues to connect different attacks and campaigns to each other.
Strategic Web Compromises
The report found that Strategic Web Compromises (SWC), where attackers infect strategic Websites as part of a watering hole attack to target a specific group of users, were a favorite attack method for groups operating out of Russia and China. The attack against the Council of Foreign Relations website in early 2013, which also compromised Capstone Turbine and Napteh Engineering & Development Co., involved three different adversaries using multiple types of malware, the report found. In March 2013, one of the attack groups compromised a Harvard University site targeting people who were concerned with military, international relations, and human rights issues in the Far East.
The Chinese group Emissary Panda carried out its own watering hole attack against foreign embassies a few months after the attack against the Department of Labor website, the report found. The group hosted a booby-trapped Microsoft Word document on the website of a Spain-based defense manufacturer. Another watering-hole attack affected the website of the Russian Federation's embassy in the United States. CrowdStrike observed multiple additional SWC operations by Emissary Panda using a number of compromised sites, the report found.
Attackers may prefer SWC over spear phishing because users are getting better at identifying malicious emails and email filters make it harder for those messages to reach the user's inbox in the first place, CrowdStrike said. In contrast, the only way to avoid being hit by an SWC is to have “technical countermeasures in place to detect the SWC or prevent exploitation,” the researchers wrote.
“Spear phishing is still the most common delivery mechanism for targeted intrusion operations; however, the frequency of SWC operations is increasing. CrowdStrike believes that this tactic will remain popular among targeted intrusion adversaries, and its use will likely continue to increase in frequency,” the report said.
Energy Sector Attacks
Energetic Bear, an adversary group out of the Russian Federation, has conducted intelligence collection operations against the energy sector since at least August 2012, the report said. There were hints that watering hole attacks were this group's “preferred delivery vector,” although there were also attacks based on booby-trapped PDF files targeting Adobe Reader. The group used two primary remote access tools, HavexRAT and SysMain RAT, which share code and have several techniques in common, CrowdStrike said.
While the energy sector was the primary target, CrowdStrike found that Energetic Bear had compromised hosts in 23 countries, including European government organizations, defense contractors, energy providers, and IT providers. Other impacted groups included European, U.S., and Asian academia; European, U.S., and Middle Eastern manufacturing and construction industries; U.S. healthcare providers; non-European precision machinery tool manufacturers; and research institutes.
“Observed indicators obtained from monitoring this adversary’s activity suggest that ENERGETIC BEAR is operating out of Russia, or at least on behalf of Russia-based interests, and it is possible that their operations are carried out with the sponsorship or knowledge of the Russian state,” CrowdStrike said in its report.
CrowdStrike also included details about the various operations conducted by Deadeye Jackal, also known as the Syrian Electronic Army, including attacks against the Twitter accounts of multiple media outlets, the theft of TrueCaller.com's database among others, and the compromise of DNS records for various websites including The New York Times and The Washington Post. One notable point about Deadeye Jackal was that the group changed its attack methods several times over the course of the year, the report found. For example, the group used spear phishing tactics to collect login credentials towards the end of the year.
“Given the observed development of DEADEYE JACKAL since May 2011, from Facebook spamming to account takeover to data exfiltration and then to more efficient targeting against third-party service providers of victims, it is quite plausible that this adversary would use the infrastructure of their previously compromised victims as a resource to support ongoing campaigns,” the report found.
Understanding Tactics, Adversaries
CrowdStrike expects that cyber-targeting will increase in 2014, and that special events, such as the World Cup, the G20 summit, the Winter Olympic Games in Sochi, Russia, and the withdrawal of U.S. Forces from Afghanistan will be of special interest to attackers.
CrowdStrike believes organizations have an “adversary problem, not a malware problem,” Meyers said. The best way to understand the types of threats an organization is facing is to focus on the tactics and tools used by the adversaries instead of getting bogged down trying to detect and identify every type of malware a group may use. Criminal groups are “diverse and difficult to track, but they, too, leave human toolmarks in the binaries and tools they leverage to steal information and criminalize the Internet,” the report said.
For example, attack groups often use the same registrar. Organizations can be proactive and look for other domains associated with that registrar to narrow down where an attack may come from, Meyers said. The fact that Microsoft will end-of-life Windows XP in April means these adversary groups have another potential attack vector. Organizations can take steps now to proactively close off that avenue of attack, Meyers said.
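The “toolmark” idea from the earlier passage and the registrar pivot described here can be put to work in an organization's own incident data. The following is an added example, not code from the article or from CrowdStrike: it links constructed incident records that share an attribute (registrar, a distinctive string from a binary, a reused credential fingerprint) and groups the transitively linked incidents into candidate clusters for an analyst to validate. The incident records, the attribute names and the weights are all constructed for illustration; a registrar match alone is deliberately weighted lowest because many unrelated actors share popular registrars.

```python
"""Linking incidents by shared toolmarks (added example, constructed data).

Each record stands in for what an intel team might collect from a separate
incident. Two incidents that share a mark are linked; the connected
components of that link graph are candidate clusters (one adversary or
campaign) for human review.
"""
from collections import defaultdict

# Constructed sample incidents; registrars, strings and fingerprints are
# placeholders, not indicators from the report.
INCIDENTS = [
    {"id": "INC-1", "registrar": "registrar-a.example", "binary_string": "dbg\\build42\\", "cred_fp": "fp-001"},
    {"id": "INC-2", "registrar": "registrar-b.example", "binary_string": "dbg\\build42\\", "cred_fp": "fp-002"},
    {"id": "INC-3", "registrar": "registrar-b.example", "binary_string": None, "cred_fp": "fp-003"},
    {"id": "INC-4", "registrar": "registrar-c.example", "binary_string": "svc_loader", "cred_fp": "fp-004"},
    {"id": "INC-5", "registrar": "registrar-d.example", "binary_string": "svc_loader", "cred_fp": "fp-004"},
    {"id": "INC-6", "registrar": "registrar-e.example", "binary_string": None, "cred_fp": None},
]

# Assumed weights: a shared registrar is weak evidence on its own, a reused
# build string or credential fingerprint is much stronger.
MARK_WEIGHTS = {"registrar": 1, "binary_string": 2, "cred_fp": 3}


def build_links(incidents, min_score=1):
    """Return {incident_id: set(linked_ids)} for every pair whose shared
    marks score at least min_score. Missing (None) marks never match."""
    links = defaultdict(set)
    for i, a in enumerate(incidents):
        for b in incidents[i + 1:]:
            score = sum(
                w for mark, w in MARK_WEIGHTS.items()
                if a.get(mark) is not None and a.get(mark) == b.get(mark)
            )
            if score >= min_score:
                links[a["id"]].add(b["id"])
                links[b["id"]].add(a["id"])
    return links


def cluster(incidents, min_score=1):
    """Group incidents into connected components over the link graph
    (depth-first walk). Returns a sorted list of sorted id lists."""
    links = build_links(incidents, min_score)
    seen, clusters = set(), []
    for inc in incidents:
        start = inc["id"]
        if start in seen:
            continue
        component, stack = [], [start]
        seen.add(start)
        while stack:
            cur = stack.pop()
            component.append(cur)
            for nxt in links.get(cur, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        clusters.append(sorted(component))
    return sorted(clusters)


def shared_marks(incidents, id_a, id_b):
    """List the marks two incidents have in common, so an analyst can see
    why they were linked rather than trusting the score blindly."""
    by_id = {i["id"]: i for i in incidents}
    a, b = by_id[id_a], by_id[id_b]
    return [m for m in MARK_WEIGHTS if a.get(m) is not None and a.get(m) == b.get(m)]


if __name__ == "__main__":
    for c in cluster(INCIDENTS):
        print(c)
    print(shared_marks(INCIDENTS, "INC-4", "INC-5"))
```

Raising `min_score` to 2 drops the registrar-only link between INC-2 and INC-3, which illustrates the trade-off Meyers alludes to: pivoting on a registrar widens the net, but the weaker the shared mark, the more an analyst must corroborate before treating two incidents as one adversary.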
The full report from CrowdStrike is available here.