Most Attacks Are Targeted - Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats, First Edition (2014)

CHAPTER 4. Most Attacks Are Targeted

Bill Gardner, Marshall University, Huntington, WV, USA


Over the past several years, a number of industries have been targeted in attacks seeking to steal intellectual property from large multinational companies, nonprofits, and governments. Some of these attacks have targeted everything from large defense firms to small law firms. These targeted attacks often leverage spear phishing for the initial breach. The attackers then use the foothold gained in the initial attack to penetrate the organization further and steal privileged and confidential data and intellectual property. Attackers are better funded and better staffed than most of the organizations being targeted, and they are getting around traditional network defenses like firewalls and antivirus by using spear phishing and other social engineering attacks. The best defense against spear phishing and other social engineering attacks is a security awareness program.


Keywords: Targeted attacks; Social engineering; Shady RAT; Night Dragon

Targeted Attacks

Most attacks are targeted. They are targeted by either application, port, platform, occupation, or industry. When building an information security awareness program, it is important to include information and examples that are specific to your organization. If your organization is a law firm, point out how bad guys are targeting law firms and lawyers. If your organization is a nonprofit, give examples of how bad guys have targeted nonprofits in the past. These examples go a long way in destroying the myth of “no one wants our stuff.”

Attackers reach users through the applications and services those users rely on daily, both for work and for recreation such as social networking. One way attackers target users is through e-mail. Spear phishing attacks take the form of e-mail aimed at a specific user or group of users with the goal of enticing the user to click on links contained in the e-mail or to open attachments sent with it. The first step in crafting a spear phishing e-mail is for the attackers to research their target using your organization's website, social media sites, and other open-source information from public websites and directories. Once the attackers figure out what the targeted users are interested in, they use those interests to build targeted e-mail.

For example, if a targeted user, in this case let's say it's the CEO of an organization, says they are interested in stamp collecting, the attacker will send the targeted user a phishing e-mail about stamp collecting that contains a link or an attachment that will allow the attacker to take control of the targeted user's computer. Once the CEO's computer has been exploited using this method, the attacker will then turn their attention to pivoting the attack to penetrate and exploit the rest of the network and to steal data.

Recent Targeted Attacks

Attackers have recently begun to target industries related to defense and government contracting. In 2011, RSA, which provides two-factor authentication tokens, called SecurID, to the US government and US government contractors, uncovered a breach of the database that transmits and stores the tokens. During the same period, defense contractors Raytheon, General Dynamics, and L-3 Communications also reported breaches. Some in the industry linked the RSA breach to the other breaches [1]. While some continue to debate whether the breaches are somehow linked, they are examples of targeted attacks. Defense contractors hold valuable information, from the latest fighter and bomber designs to nuclear research. They definitely hold data that would be valuable to hackers, spies, and other governments.

Targeted Attacks Against Law Firms

In 2009, the FBI alerted law firms and public relations firms that they were being targeted in phishing attacks. The phishing e-mails contained “zip,” “jpeg,” or other safe-looking attachments that, when opened, attempted to download and execute the file “srhost.exe” from a remote domain. “Law firms have a tremendous concentration of really critical, private information,” Bradford Bleier, unit chief in the cyber division of the FBI, told The Associated Press. Infiltrating those computer systems “is a really optimal way to obtain economic, personal and personal security related information” [2].

Beginning in September 2010, China-based hackers broke into law firms based in Canada to derail a $40 billion acquisition of an Australian potash mining company:

…hackers rifled one secure computer network after the next, eventually hitting seven different law firms as well as Canada's Finance Ministry and the Treasury Board, according to Daniel Tobok, president of Toronto-based Digital Wyzdom. His cyber security company was hired by the law firms to assist in the probe.

The investigation linked the intrusions to a Chinese effort to scuttle the takeover of Potash Corp. of Saskatchewan Inc. by BHP Billiton Ltd. as part of the global competition for natural resources, Tobok said. Such stolen data can be worth tens of millions of dollars and give the party who possesses it an unfair advantage in deal negotiations, he said.

Though the deal eventually fell apart for unrelated reasons, the incident illustrates the vulnerability of law firms. They are increasingly threatened with a loss of client business if they can’t show improved security as such attacks continue to escalate [3].

Typically, the security in law firms has been lower than in other high-profile targets such as banks and other financial institutions. While many lawyers realize they hold sensitive and confidential information on their networks, historically, law firms have not spent time and money to beef up their security to keep attackers from targeting their networks.

According to security firm Mandiant, 80 US-based law firms were breached in 2012. The FBI says that as financial firms have become better at information security, law firms are becoming bigger targets. The FBI met with 200 of the top law firms in New York City in the fall of 2011 to engage the firms on the threat and the rising number of law firm intrusions. The agency warned that “hackers see attorneys as a back door to the valuable data of their corporate clients.”

Mary Galligan, head of the cyber division in the New York City office of the FBI at the time, said, “Everybody wants network administrator rights…It's trendy.” She said partners insist on mobility—including the flexibility to review case documents at weekend homes or on the road—which means highly sensitive documents are routinely transferred by e-mail [4].

In January 2010, the FBI's Internet Crime Complaint Center (IC3) issued a warning about a counterfeit check scheme targeting US law firms:

The FBI continues to receive reports of a counterfeit check scheme targeting U.S. law firms. As previously reported, scammers send e-mails to lawyers, claiming to be overseas and seeking legal representation to collect delinquent payments from third parties in the U.S. The law firm receives a retainer agreement, invoices reflecting the amount owed, and a check payable to the law firm. The firm is instructed to extract the retainer fee, including any other fees associated with the transaction, and wire the remaining funds to banks in Korea, China, Ireland, or Canada. By the time the check is determined to be counterfeit, the funds have already been wired overseas.

In a new twist, the fraudulent client seeking legal representation is an ex-wife “on assignment” in an Asian country, and she claims to be pursuing a collection of divorce settlement monies from her ex-husband in the U.S. The law firm agrees to represent the ex-wife, sends an e-mail to the ex-husband, and receives a “certified” check for the settlement via delivery service. The ex-wife instructs the firm to wire the funds, less the retainer fee, to an overseas bank account. When the scam is executed successfully, the law firm wires the money before discovering the check is counterfeit.

All Internet users need to be cautious when they receive unsolicited e-mails. Law firms are advised to conduct as much due diligence as possible before engaging in transactions with parties who are handling their business solely via e-mail, particularly those parties claiming to reside overseas [5].

In February 2012, Anonymous attacked the law firm of Puckett and Faraj. The DC-based law firm was targeted by the hacktivist group for defending the Marines who killed 24 unarmed Iraqi civilians in Haditha in November 2005. The trial of the Marines ended with an acquittal. Decrying the verdict as unjust, Anonymous launched an assault on the firm's website and internal network that resulted in the defacement of the firm's website and the theft of 2.6 GB of e-mail. The firm's e-mail was later released on Pastebin and Pirate Bay [6].

Even more embarrassing, the firm did not know it had been breached until it was contacted by the website Gawker: “Puckett could not be immediately reached for comment; when we called a few minutes ago he was in a meeting and the receptionist had no idea the firm had been hacked” [7]. As of this writing, the firm's website remains off-line nearly two years after the attack [8].

There is no doubt that lawyers and law firms are being targeted (Figure 4.1). Part of defending themselves is making sure lawyers and staff know the severity and the kinds of threats they face, including spear phishing, so that their data is less exposed to social engineering attacks.


FIGURE 4.1 Puckett and Faraj website.

Operation Shady RAT

One of the largest examples of a targeted attack is “Operation Shady RAT,” which targeted governments, defense contractors, insurance companies, international nonprofits, accounting firms, media outlets, corporations specializing in high-technology products, and think tanks. According to McAfee, who uncovered the operation, the breaches dated back as far as mid-2006. RAT stands for “remote access tool”:

McAfee won't say who is behind the operation, but it did say that the attacks were organized by one “state actor.” Most experts think the hacking sponsor is China. As reported by Reuters, the International Olympic Committee and the World Anti-Doping Agency are among the nonprofits that suffered intrusions.

NPQ looked at the McAfee report, which seems to suggest that among the hacking victims were five “international sports” organizations, two think tanks, one “political non-profit,” and one “U.S. national security non-profit.” Forty-nine of the 72 hacked entities are U.S.-based. These aren't all quick “smash-and-grab” operations. Although some of the intrusions were only one month long, at another, unnamed (Asian) Olympic committee, the hackers were there on and off for 28 months.

McAfee's VP of threat research and author of the McAfee report Dmitri Alperovitch wrote that the firm was “surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators” [9].

The McAfee report also mentions other targeted attacks:

Having investigated intrusions such as Operation Aurora and NightDragon (the systemic long-term compromise of Western oil and gas industry), as well as numerous others that have not been disclosed publicly, I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know [10].

McAfee has refused to publicly identify the targets and says that many of the targets refused to believe they had been breached when confronted by the evidence in the McAfee report [10].

Operation Aurora

In 2009, Google, Adobe, and a number of other high-profile companies were targeted in an attack that came to be known as Operation Aurora. The attack, which originated out of China, targeted the intellectual property of the target companies, including source code that controlled major systems such as Google's Gmail service. The attackers then used the information gained through the breach to access the Gmail accounts of human rights activists. “We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” says Dmitri Alperovitch, vice president of threat research for McAfee. “It's totally changing the threat model” [11].

Night Dragon

The Night Dragon attacks, attributed to China, targeted energy corporations. The attacks took place over a four-year period and targeted intellectual property [12]. McAfee, which also uncovered these attacks in 2011, described them as follows:

Starting in November 2009, coordinated covert and targeted cyberattacks have been conducted against global oil, energy, and petrochemical companies. These attacks have involved social engineering, spearphishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations. We have identified the tools, techniques, and network activities used in these continuing attacks—which we have dubbed Night Dragon—as originating primarily in China [13].

Watering Hole Attacks

The RSA Advanced Threat Intelligence Team first defined Watering Hole attacks in 2012.

According to RSA, Watering Hole attacks have three phases:

In the new attack we’ve identified, which we are calling “VOHO,” the methodology relies on ‘trojanizing’ legitimate websites specific to a geographic area which the attacker believes will be visited by end users who belong to the organization they wish to penetrate. This results in a wholesale compromise of multiple hosts inside a corporate network as the end-users go about their daily business, much like a lion will lie in wait to ambush prey at a watering hole.

The details of the attack are still developing, but what we are aware of so far is as follows:

1. The victim visits a compromised ‘watering hole’ website.

2. This website, through an injected JavaScript element, redirects the visiting browser to an exploit site.

3. This exploit site checks that the visiting machine is running a Windows operating system and a version of Internet Explorer, and then exploits the Java client on the visiting host, installing a ‘gh0st RAT’ variant [14].

A recent example of a Water Hole or Watering Hole attack is the use of a compromised website containing the menu for a Chinese restaurant to serve exploits to a targeted oil company. The result of the attack was that the attackers were able to circumvent a number of sophisticated defensive measures and products that the company had paid a lot of money to implement.

“Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network” [15].

Watering Hole attacks, while not as popular as phishing attacks, have increased in number over the past few years as users get better at spotting phishing attacks. Watering Hole attacks will likely never surpass spear phishing attacks because they require compromising a site that the target regularly uses, which increases the complexity of carrying out the attack. Phishing campaigns are much less complex to execute.
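The three-phase chain RSA describes (trusted site, injected redirect to an unfamiliar host, payload fetched from that host) leaves a recognizable trace in web proxy logs. The following is an added detection example, not code from the book or from RSA or McAfee; the log format, the allowlist of known domains and the sample log lines are all constructed for illustration.

```python
"""Flag watering hole chains in proxy logs: a request to a never-before-seen host
whose Referer is a trusted site, followed shortly by a payload download from
that same unknown host. Log format (constructed): timestamp client url referer."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines; the "menu" site plays the trusted watering hole.
SAMPLE_LOG = """\
2013-06-03T09:12:01 10.1.4.22 http://menu.example-restaurant.test/lunch.html -
2013-06-03T09:12:02 10.1.4.22 http://cdn7-static.example-evil.test/j.js http://menu.example-restaurant.test/lunch.html
2013-06-03T09:12:03 10.1.4.22 http://cdn7-static.example-evil.test/applet.jar http://cdn7-static.example-evil.test/j.js
2013-06-03T09:12:07 10.1.4.22 http://cdn7-static.example-evil.test/update.exe http://cdn7-static.example-evil.test/applet.jar
2013-06-03T09:15:40 10.1.4.31 http://menu.example-restaurant.test/lunch.html -
2013-06-03T09:15:41 10.1.4.31 http://menu.example-restaurant.test/style.css http://menu.example-restaurant.test/lunch.html
"""

# Assumed allowlist of hosts the organization already knows (in practice: historical proxy data).
KNOWN_DOMAINS = {"menu.example-restaurant.test", "www.example-corp.test"}
PAYLOAD_SUFFIXES = (".jar", ".exe", ".class")   # artifacts of phase 3 (Java exploit, dropped RAT)
WINDOW = timedelta(seconds=30)                  # redirect and payload fetch happen within seconds


def parse_line(line):
    """Split one constructed log line into its fields and extract both hostnames."""
    ts, client, url, referer = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "host": urlparse(url).hostname, "referer": referer,
            "ref_host": urlparse(referer).hostname if referer != "-" else None}


def find_watering_hole_chains(log_text, known_domains=KNOWN_DOMAINS, window=WINDOW):
    """Return suspicious chains as (client, trusted_host, unknown_host, payload_url)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    hits = []
    for client, evs in by_client.items():
        for i, e in enumerate(evs):
            # Phase 2: first hop from a trusted Referer to a host we have never seen.
            if e["host"] in known_domains or e["ref_host"] not in known_domains:
                continue
            # Phase 3: within the window, the same unknown host serves an executable artifact.
            for later in evs[i:]:
                if later["ts"] - e["ts"] > window:
                    break
                if later["host"] == e["host"] and later["url"].lower().endswith(PAYLOAD_SUFFIXES):
                    hits.append((client, e["ref_host"], e["host"], later["url"]))
                    break
    return hits


if __name__ == "__main__":
    for client, trusted, unknown, payload in find_watering_hole_chains(SAMPLE_LOG):
        print(f"{client}: {trusted} -> {unknown} served {payload}")
```

The second client in the sample only loads the menu site's own stylesheet and is not flagged, which is the distinction that keeps this check from alerting on every visit to the compromised site.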

Common Attack Vectors: Common Results

The common attack vector in Operation Aurora, Operation Shady RAT, and the targeted attacks against RSA and the defense contractors was highly targeted spear phishing, used to infect the organizations with previously unknown malware that then siphoned confidential information and intellectual property out of each organization. The other commonality is that these organizations had spent millions, if not tens of millions, of dollars on antivirus, intrusion detection systems, intrusion prevention systems, and other information security defenses, and all of it was circumvented by someone inside the organization simply opening a link or an attachment contained in an e-mail, which led to the compromise of their entire enterprise networks.

All organizations, no matter how large or small, hold information that is of interest to attackers, and attackers will use any means possible to get to that information. Smaller breaches go unreported because the organization does not know it has been breached or does not want to admit to business partners and customers that it has lost data. State breach notification laws were intended to address part of this underreporting problem. Just because your organization might be small or midsized doesn't mean that you don't have information of value. In fact, like most organizations, your security program is likely underbudgeted and understaffed, while attackers are well funded and fully staffed with highly trained personnel. You are being targeted. Implementing a security awareness program is your best defense against these well-funded, determined attackers.


[1] Targeted Attacks On U.S. Defense Contractors: Fallout From RSA Breach? [accessed on 27.07.13].

[2] Hackers Targeting Law Firms, FBI Warns. [accessed on 27.07.13].

[3] Bloomberg: China-Based Hackers Target Law Firms to Get Secret Deal Data. [accessed on 29.07.13].

[4] Bloomberg: China-Based Hackers Target Law Firms to Get Secret Deal Data. [accessed on 29.07.13].

[5] Internet Crime and Complaint Center: New Twist on Counterfeit Check Scheme Targeting U.S. Law Firms. [accessed on 29.07.13].

[6] NMissCommentor: Anonymous targets defense law firm representing Srgt. who led Hadditha Massacre. [accessed on 30.07.13].

[7] Anonymous Leaks Huge Cache of Emails From Iraq War Crimes Case. [accessed on 30.07.13].

[8] [accessed on 30.07.13].

[9] NonProfit Quarterly: Nonprofits Targeted in the World's Biggest Hacking Campaign. [accessed on 03.08.13].

[10] McAfee: Revealed: Operation Shady RAT. [accessed on 04.08.13].

[11] Wired: ThreatLevel: Google Hack Attack Was Ultra Sophisticated, New Details Show. [accessed on 04.08.13].

[12] NetworkWorld: 'Night Dragon' attacks from China strike energy companies. [accessed on 04.08.13].

[13] McAfee: Global Energy Cyberattacks: “Night Dragon”. [accessed on 04.08.13].

[14] McAfee: Lions at the Watering Hole - The “VOHO” Affair. [accessed on 04.09.14].

[15] Hackers Lurking in Vents and Soda Machines. [accessed on 04.09.14].