With targeted attacks and advanced persistent threats being very much in the news in 2011, in this section we review targeted attacks and look more closely at what has been described as “advanced persistent threats” or APTs for short. Terms such as APT have been overused and sometimes misused by the media, but APTs are a real threat to some companies and industries.
As noted earlier in this section, overall in 2011, 1 in 238.8 emails were identified as malicious, but approximately one in 8,300 of those were highly targeted. This means that highly targeted attacks, which may be the precursor to an APT, account for approximately one in every two million emails, still a rare incident rate. Targeted malware in general has nevertheless grown in volume and complexity in recent years, and because it is designed to steal company secrets, it can be very difficult for recipients to recognize, especially when the attacker employs compelling social engineering techniques, as we highlight in this report.
Targeted attacks have been around for a number of years now, and when they first surfaced back in 2005, Symantec.cloud identified and blocked approximately one such attack per week. Over the course of the following year, this number rose to one or two per day, and over the following years it rose still further, to approximately 60 per day in 2010 and 154 per day by the end of 2011.
A highly targeted attack is typically the precursor to an APT. Its typical profile involves a maliciously crafted document or executable emailed to a specific individual or small group of individuals. These emails are dressed up with a social engineering element to make them appear more interesting and relevant to the recipient.
The term “APT” has evolved to describe a unique category of targeted attacks that are aimed at a particular individual or organization. APTs are designed to stay below the radar and remain undetected for as long as possible, moving quietly and slowly to evade detection, a characteristic that makes them especially effective. Unlike the fast-money schemes typical of more common targeted attacks, APTs may have international espionage and/or sabotage objectives.
The objective of an APT may include military, political or economic intelligence gathering, theft of confidential information or trade secrets, disruption of operations, or even the destruction of equipment. Stuxnet was a good, albeit extreme, example of the latter: the malware enabled an attacker to disrupt the industrial control systems within the uranium enrichment process of a particular target.
Another characteristic of an APT is that it will also be part of a longer-term campaign, rather than following the opportunistic “smash-and-grab” approach typical of most malware in circulation today. Its purpose will be to remain undetected for as long as possible, perhaps using a variety of attacks over that period; if one attack fails, continual monitoring of the target makes it more likely that a follow-up attack a few weeks later, using a different approach, will succeed. If successful, an attacker can use the compromised systems as a beachhead for subsequent attacks.