Hacker groups embracing more effective tactics in targeted attacks

Hacker groups increasingly compromised industry websites in 2013 in an attempt to load malware onto the computers of employees of targeted companies and government agencies, a global threat report found.

The so-called "watering hole" tactic was used as a more effective alternative to using email to trick employees into opening a malicious attachment or clicking on a link to an infected website, according to CrowdStrike's year-in-review study released Tuesday. Compromising the sites that employees already frequent raised the infection rate while reducing the amount of work required.

With email attacks, known as phishing, the hackers have to research the targeted groups of employees in order to design a convincing message, Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, said.

"If you do this for thousands of people that you want to potentially compromise, it takes quite a bit of effort from a human involvement perspective," he said. "(A watering hole) allows you to scale these operations for compromising a whole slew of targets all at once."

CrowdStrike based its findings on the more than 50 groups it tracked last year, many of which conducted effective watering-hole attacks. Owners of the compromised sites included the Council on Foreign Relations, Capstone Turbine and Napteh Engineering & Development Co.

Hacking groups in Russia and China were particularly fond of watering-hole attacks. A Chinese group that CrowdStrike calls Emissary Panda targeted foreign embassies, while a group called Energetic Bear, which has ties to the Russian government, focused on Western targets within the energy industry.

In the past, groups in Russia were more interested in military organizations. Over the last couple of years, their interests have shifted to stealing intellectual property and sensitive documents from Western energy companies. Russia is a major oil producer.

"Traditionally, we have seen (economic espionage) from the Chinese and we've also started seeing that from the Indians," Alperovitch said.

This year, CrowdStrike expects many hacker groups to focus on breaking into systems running Windows XP, which Microsoft will stop supporting in April. Hackers are expected to take advantage of the absence of regular vulnerability patches with malware that exploits previously unknown vulnerabilities.

As a result, CrowdStrike is predicting a rise in XP infections in the second and third quarters of this year.

"You're going to have a very vulnerable population," Alperovitch said. "A lot of these machines are in enterprises and a lot of them are running point of sale terminals in retailers, so you're going to have a big problem on your hands."

As of December, Windows XP accounted for 29 percent of the computers accessing the Internet, according to Net Applications.

CrowdStrike also expects malware creators to increasingly encrypt network traffic when communicating with remote command-and-control servers. In addition, malware is expected to become better at appearing benign in order to evade the sandboxes used to detect and contain malicious code.

Finally, attackers will likely take advantage of major events in designing phishing and watering hole attacks. Such events include the Winter Olympics, the World Cup and the G20 Summit, a gathering of finance ministers and central bank governors from 20 major economies.

Stories by Antone Gonsalves