A look at advanced targeted attacks through the lens of a human-rights NGO, World Uyghur Congress
by Dr. Engin Kirda - Chief architect at Lastline and Professor at Northeastern University in Boston - Wednesday, 13 August 2014.
In my capacity as an academic researcher at Northeastern University, I collaborated with computer scientists Stevens Le Blond, Adina Uritesc and Cedric Gilbert at the Max Planck Institute for Software Systems as well as Zheng Leong Chua and Prateek Saxena at the National University of Singapore to study cyber-attacks against the human-rights Non-Governmental Organization (NGO) representing the Uyghur ethnic minority group living in China and in exile: World Uyghur Congress (WUC).

Our findings illuminate a series of apparently targeted, sophisticated cyber-attacks deployed against WUC and affiliated organizations and individuals -- with a combination of social engineering and exploits through email (similar to spear phishing) -- over a period of four years.

Two volunteers at WUC provided more than 1,000 suspicious emails sent to more than 700 different email addresses from 2009-2013, including WUC leaders as well as:
  • Journalists (including at AFP, CNN International, Los Angeles Times, New York Times and Reporters Without Borders)
  • Politicians (including in the Socialist Party of the Netherlands and the Chinese Democratic Party)
  • Academics (including at Penn State University, Howard University, Syracuse University, George Washington University and the Xinjiang Arts Institute China)
  • Employees of other NGOs (including Amnesty International and Save Tibet - International Campaign for Tibet).
We analyzed those emails including any embedded URLs, attachments or files to determine if and how often they contained social engineering techniques, attack vectors, exploits and malware.

We found that the language and subject matter of malicious emails were intricately tailored to appear familiar, normal or friendly, with the sender impersonating someone else to lure the recipient into opening an attachment or URL: all hallmarks of social engineering.

The majority of the messages sent to WUC and others were in the Uyghur language, and about a quarter were in English. Emails were sent from compromised accounts inside the WUC organization or from email addresses that were a character or two off from the known email address to trick the eyes of the recipients.
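One defensive check the lookalike-address lure above suggests, as an added example that is not code from the paper or this article: compare each sender address against the list of known contacts by edit distance and flag near-misses that are not exact matches. The contact list, sender samples and threshold below are constructed for illustration.

```python
# Added example (not from the article): flag sender addresses that are within a
# small edit distance of a known contact address but not identical to it.

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def lookalike_sender(sender: str, known: list, max_distance: int = 2):
    """Return (closest_known_address, distance) when the sender is a near-miss
    of a known contact; None when it matches exactly or is clearly unrelated."""
    s = sender.strip().lower()
    known_lc = [k.strip().lower() for k in known]
    if s in known_lc:
        return None                      # exact match: not a lookalike
    dist, closest = min((levenshtein(s, k), k) for k in known_lc)
    if dist > max_distance:
        return None                      # unrelated address, not a near-miss
    return closest, dist


def flag_suspicious(senders: list, known: list, max_distance: int = 2):
    """Scan a batch of sender addresses; return [(sender, closest, distance)]."""
    hits = []
    for sender in senders:
        match = lookalike_sender(sender, known, max_distance)
        if match is not None:
            hits.append((sender, match[0], match[1]))
    return hits


# Constructed sample data (hypothetical addresses, not from the article).
KNOWN_CONTACTS = ["secretary@wuc.example", "press@wuc.example"]
SAMPLE_SENDERS = [
    "secretary@wuc.example",     # genuine address (exact match)
    "secretary@wuc.exarnple",    # 'rn' standing in for 'm'
    "secretary@wcu.example",     # transposed characters in the domain
    "newsletter@vendor.example", # unrelated sender
]

if __name__ == "__main__":
    for sender, closest, dist in flag_suspicious(SAMPLE_SENDERS, KNOWN_CONTACTS):
        print(f"LOOKALIKE {sender!r} resembles {closest!r} (distance {dist})")
```

An exact match tells you nothing about mail sent from a genuinely compromised account, which the article notes was the other delivery route, so this check complements rather than replaces attachment analysis.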

The majority of these first-stage malware attacks were executed through attached documents (rather than .zip or .exe files) using recent but already disclosed vulnerabilities that tend to evade common defenses. Interestingly, in November 2010 there was a marked shift from Adobe to MS Office documents, coinciding with the addition of sandboxing technology to Adobe Reader and the public disclosure of a stack buffer overflow vulnerability in MS Office.

Also, the malicious documents sent to WUC contained several different families or classifications of malware. More than 25% of this malware can be linked to entities that have been reported to engage in targeted attacks against political and industrial organizations, and Tibetan NGOs.

We tested existing AV software for effectiveness in detecting the attacks in the WUC emails shared with us. No single tool detected all of the attacks, and some attacks evaded detection from all of the antivirus scanners. Yet we found the attacks in the malicious documents to be quite similar to those used in other recent targeted attacks, rather than attacks using zero-day vulnerabilities.

Keep in mind, we were scanning these samples months or years after they had been deployed against WUC. Even so, standard anti-virus detection software was insufficient in detecting these targeted attacks despite their similarity to known threats because it relies on static signatures rather than malicious behavior profiling.
