Third-party Attacks On The Rise In The Cyber Space

by CXOtoday News Desk    Jan 29, 2014

cyber threat

Organized cyber attackers are using indirect and more sophisticated routes to target enterprises rather than striking a direct attack, says a new CrowdStrike report. While examining the methods of motivation and practices of several cyber-attack groups across the world, the intelligence company found out that cybercriminals are increasingly targeting third parties through which they collect information about their targeted users thereby infecting their preferred websites. This method is more sophisticated than the ones used earlier when targeted attacks meant phishing attacks that were done directly on members of the targeted organization.

The report studies five organized cyberattack groups including the Syrian Electronic Army as well as groups in China, Iran, and Russia throughout 2013. Using specific examples from these attacks, the CrowdStrike report illustrates recent shifts in attacker strategy, such as the trend toward making targeted attacks by infiltrating a trusted third party.

The report that outlines details of exploits by the SEA, a group that the researchers call Deadeye Jackal. Here the critical user data was extracted through the breach of third-party communications platforms and applications. The report states that third-party vendors often have less-robust security than their larger customers, and their networks offer an avenue through which those customers can be compromised. It anticipates more such attacks to occur in the next one year as well.

Researchers at CrowdStrike also point out while many attackers traditionally have sought to infect the user through by sending a fake email something of a phishing attack, some organized groups are now using strategic Web compromises (SWC) “watering holes” that are legitimate websites that have been infected by an attacker in order to steal the personal data of those who frequent the site. For example, an attacker looking to collect data on political officials might infect the site of a conference or event that is attended by those officials.

Dmitri Alperovitch, co-founder and CTO of CrowdStrike observes in the report that instead of spear-phishing which is becoming a thing of the past, companies have seen many more SWCs throughout last year. A pertinent example would be the recent attacks by organized Chinese hacker groups on the US Department of Labor and the Council on Foreign Relations, says the report.

CrowdStrike warns that in 2014, organized groups will likely build phishing attacks and SWCs around events such as the FIFA World Cup, the G20 Summit, and upcoming national elections in Egypt, Iraq, Tunisia, and Turkey. One group that targeted national elections in Iran last year known as Magic Kitten, launched a series of attacks targeting political dissidents and those supporting Iranian political opposition, says the report. The group’s preferred attack vector is spear-phishing, along with malicious Word documents and image files, which enabled the attackers to retrieve information about victims’ computers, and perform keylogging, file execution, voice recording, and file exfiltration.

CrowdStrike says that such politically motivated groups will continue to evolve their tactics to avoid detection and take advantage of vulnerabilities in new technologies. With good threat intelligence, every organization should be able to do predictive analytics based on its history of security events. “If you know what your attacker did last year, you can get a sense for what he might do this year,” says the report, further concluding that organizations should however also look forward at the potential future attacks, rather than just look back as attacks will continue to be new and evolving.