Trend Micro collected and analyzed APT-related spear-phishing emails between February and September 2012, and found that APT attacks – certainly those against government agencies and large corporations – are almost entirely dependent upon spear-phishing emails. While it may not be surprising that spear-phishing is the opening gambit of an APT attack, it is perhaps more surprising that the infection vector is so predominantly (94%) a malicious attachment rather than a drive-by lure. (These figures may well be different for mass mail scams rather than targeted attacks.)
The new research provides a remarkably clear picture of the methods and targets for APT attacks, all starting with the spear-phish. Spear-phishing is defined by Trend Micro as “highly targeted phishing aimed at specific individuals or groups within an organization.”
The targeting is achieved by ‘pre-infiltration reconnaissance’ where individuals are first identified and then profiled. The profiling comes from information posted both on social networks and on the organizations’ own websites. It enables the attacker to build a picture of the target and develop a compelling email designed to make the recipient open the attached file and get infected, most likely with a remote access trojan (RAT).
The primary targets are government agencies (two recent high profile cases support this: the hack of South Carolina’s Department of Revenue and the breach at the French Élysée Palace both involve government agencies and both started from successful spear-phishing). The criminals use attachments because that’s how government personnel work: they share files and information with each other via email. “This may be due to the fact that downloading off the Internet in such a setting is frowned upon,” notes the report.
The malicious attachments are usually contained in ZIP files, or disguised as XLS or RTF files. They tend not to be straightforward .EXE attachments because “emails with .EXE file attachments are usually detected and blocked by any security solution,” says the report.
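As an added illustration, not code from the Trend Micro report or this article, the following Python checks an attachment for the two patterns described above: executable content hiding inside a ZIP, and a file whose extension claims XLS or RTF but whose leading bytes say otherwise. The magic-byte table and the sample archive are constructed here for the demonstration.

```python
import io
import zipfile

# Leading bytes for the formats the report names (constructed table).
MAGIC = {
    "exe": b"MZ",                                 # Windows PE executable
    "rtf": b"{\\rtf",                             # Rich Text Format
    "xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2 compound file (legacy Excel)
    "zip": b"PK\x03\x04",
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif"}


def sniff(data: bytes) -> str:
    """Identify content by leading bytes, independent of the filename."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def check_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return findings for one attachment, descending into ZIP archives."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    findings = []
    if ext in EXECUTABLE_EXTS or actual == "exe":
        findings.append(f"{filename}: executable content ({actual})")
    # Flag only extensions we can verify, so .doc/.pdf etc. are not misreported.
    if actual != "unknown" and ext in MAGIC and actual != ext:
        findings.append(f"{filename}: claims .{ext} but content is {actual}")
    if actual == "zip" and depth < 2:  # bounded recursion for nested archives
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    inner = f"{filename}/{info.filename}"
                    findings += check_attachment(inner, zf.read(info), depth + 1)
    return findings


def build_sample() -> bytes:
    """Constructed ZIP: one genuine RTF and one PE disguised as a spreadsheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.rtf", b"{\\rtf1 quarterly figures}")
        zf.writestr("report.xls", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for line in check_attachment("docs.zip", build_sample()):
        print(line)
```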
Experts suggest that it is almost impossible to defend against well-crafted and determined spear-phishing. But what the Trend Micro research says today is that organizations should do everything possible to make socially-engineered attacks less successful. “The abundance of information on individuals and companies makes the job of creating extremely credible emails far too simple,” warns Rik Ferguson, director of security research and communications at Trend Micro. “It’s a part of a custom defense that should not be ignored.”