Symantec: Attackers Targeting Smaller Firms, Set Sights On Supply Chain


Targeted attacks have declined this year as attackers began to refocus their efforts on smaller targets, including law firms, accounting agencies and health-care clinics.

The shift toward smaller businesses -- those with between one and 250 employees -- was seen in more than 48 percent of all unique attacks detected this year, according to the latest threat report issued Wednesday by Symantec, Mountain View, Calif. Attackers may be refining their methods, leveraging smaller firms as a stepping stone to the broader supply chain, Symantec said.

The report, which examined the threat landscape over the past nine months, found the average number of attacks per day is down 41 percent when compared with the same period last year. Manufacturers in the defense and engineering sectors were the leading target of unique attacks in 2012, but they are no longer on the receiving end of campaigns, Symantec said.

"Much of this could be related to supply chain attacks, where attackers look for the easiest point of entry and work their way up the chain," Symantec said.

Tactics are largely the same, mainly a mixture of spearphishing attacks with malicious email attachments and watering hole campaigns attempting to target regular visitors of a website. But Symantec said hackers are taking more time to ensure their techniques are successful.

"We've seen a shoring up of attack methods," Symantec said. "Since the techniques used in the last couple of years still continue to reap rewards, attackers probably see little reason to change them. Rather, we've seen efforts to refine their strategies."

Part of that shoring up has fueled an increase in more aggressive spearphishing attacks, Symantec said. The company's researchers observed spearphishing attacks accompanied by direct phone calls to targets in an attempt to get them to open up a malicious file attachment. The attacks began in Europe and are believed to be the work of a financially motivated cybercriminal group based out of the Ukraine.

The first such spearphishing attack documented by Symantec was against a French-based multinational company. The email attachment contained a remote access Trojan and cybercriminals used the infected machine to log keystrokes, view the desktop, and browse and steal files.

In addition, watering hole attacks have taken a broader approach, Symantec said. Instead of infecting a single website frequently visited by the targeted individuals, attackers are infecting multiple sites, setting them up as an attack platform for a diverse set of targets.

"This allows the attackers to leverage one vulnerability in multiple campaigns, or easily swap out exploits, cutting down on overall administration for the attackers," Symantec said.

Last month, the cybercriminals behind NetTraveler, a surveillance toolkit, were found to be turning to the drive-by attack technique, infecting systems in more than 40 countries by targeting a Java vulnerability. According to Kaspersky Lab, attackers had been mainly using a spearphishing campaign to spread the malware.

Attack targets are becoming more broadly defined, according to Symantec. The firm points to its research into the Hidden Lynx group, an organized group of cybercriminals from China believed to be responsible for the Bit9 data breach. The attackers stole a digital code-signing certificate from Bit9 and used it to shield their malware from detection. The organization is believed to have been in operation since 2009 and uses custom malware in its attacks, targeting a wide array of businesses in various industries.

The group, believed to be akin to cybermercenaries, continues to carry out attacks, Symantec said. They may have ties to Operation Aurora, a high-profile attack that targeted Google and other technology firms.

PUBLISHED OCT. 23, 2013