
2.5 Common OSINT-enabled attack scenarios

2.5.1 Targeted attacks

A targeted attack is an attack where the attacker is specifically interested in the target. Reconnaissance can take months, and the attack is tailored to the target. Common targets are those unaware of the value of information (receptionists, administrative assistants, security staff), those with special privileges (IT administrators/help desk), manufacturers/vendors (of hardware/software used in the organization) or specific departments (HR, accounting).

Information may be found using commodity tools, sources (OSINT) and methods, but also through closed sources or active social engineering methods (both online and physical) that use the previously found information to extract data from people. Such an attacker is also called an APT or a state-sponsored attacker67.

Examples of attack scenarios of this type are:

Spear-phishing This attack is carried out mostly through emails, as the easiest attack vector, but also via phone calls, face-to-face or other means of communication [8] (though people may recognize the voice or other biometric modalities of the impersonated person/organization); some sources also call it pretexting [27].

The goal is either information disclosure for further attacks (with any goal, e.g. brute forcing logins to common web services), a direct gain such as money (by encouraging bank transfers or acquiring passwords, (bank) account information or NemID keys – see also the entry on “regular” phishing in Section 2.5.2), or delivery of an attack payload for e.g. espionage, activism or any other goal.

67 As explained in the introduction, these are groups with virtually unlimited resources of knowledge, manpower, money, time etc.

The most important differences from untargeted phishing attacks are that they target a few specific receivers and put more work into creating a credible email/relation through language, logos, the current activities/contacts of the organization and non-threatening content.

However, while they may seek to imitate the language of e.g. a professional email or invoice, another trait of these emails is a sense of urgency and/or secrecy to convince the receiver to perform the task quickly (e.g. a bank transfer) and without disclosing anything to colleagues [8, 38].

To improve credibility, the attacker can employ OSINT to discover:

• Current professional relations (e.g. suppliers, collaborators or customers) found on e.g. LinkedIn, Facebook, public forums, job advertisements (describing the technical qualifications needed of new hires) or the homepage of the organization or its vendors/customers.

• Private relations or economic interests found on the aforementioned sources or through e.g. public leak data including company domain email addresses [25].

• Employee names and private e-mail addresses (from e.g. social media accounts) to deliver a malicious payload circumventing organizational countermeasures [37].

• Specifics of the organization’s structure from e.g. an informative organizational chart, job postings, points of contact (for the homepage, support or legal matters) or metadata from documents on the organization’s homepage. Specifics can include names, positions, job titles, phone numbers, location68 etc. Phone numbers can also serve as an alternative contact medium, where the attacker will then employ other parts of the collected OSINT.

• Knowledge of organizational operations (in addition to the previously mentioned) like travel plans, current issues (from public forums or bug reports) [25].

The attacker can of course also employ technical solutions to increase credibility by e.g. acquiring access to email servers [7]. This requires prior use of social engineering to gather passwords, deliver malicious payloads or similar.

Examples of attacks are invoice fraud69 with fake invoices appearing to come from real vendors, coaxing employees into sending money to “colleagues”70, delivering malicious payloads [7] or trying to get further information on the organization/employees [11].

As a note, we can see how specific procedures for double-checking e.g. money transfers and information disclosures, by calling the responsible persons or the sender, together with general vigilance among employees, can hinder these attacks; these were among the most repeated pieces of advice in the sources surveyed in Section 2.3.

68 The use of the target’s national language or top-level domain (TLD) can greatly improve credibility [7].

69 https://www.tvsyd.dk/artikel/svindel-virksomhed-betalte-falsk-faktura-paa-100000-kroner, https://www.b.dk/kultur/kriminelle-udgav-sig-for-at-vaere-direktoer-snoed-museum-for-

CEO-fraud/whaling Considered a specific kind of spear-phishing, this attack impersonates or targets (depending on sources71) C-level employees – also called whales, as they are “the big targets”.

The aim is to perform acts similar to spear-phishing, but due to the large amount of money that may be involved with C-level roles, a larger reward can be collected by the attacker.

Prerequisites and traits of the attack are similar to spear-phishing as well; it may however not be necessary to know any vendors/customers of the organization for this attack, but only [27]:

• Name of head of the company.

• The e-mail address of the head of the company (to mimic or create something similar).

• Managers/employees authorized to perform a transfer of funds.

The emails may be even better crafted than regular spear-phishing emails through e.g. more formal/correct language [38].

Examples of spear-phishing can also be considered whaling; in a specific example, the National Museum of Art in Denmark was recently phished for 805.000 DKK72.
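The traits listed above for spear-phishing and whaling (the display name of an executive on a foreign address, a look-alike sender domain, replies diverted outside the organization, and pressure for urgency and secrecy) can be turned into mail-gateway or triage checks. The following is an added example written for this section, not code from the thesis or its sources; the organization domain example.org, the executive roster, the look-alike distance threshold and the two sample messages are constructed assumptions:

```python
"""Heuristic triage checks for the spear-phishing / whaling traits discussed
above.  Added example for this section; not code from the thesis or its
sources.  ORG_DOMAIN, EXECUTIVES and the sample messages are constructed."""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                           # constructed defended domain
EXECUTIVES = {"jane doe": "jane.doe@example.org"}    # constructed roster
PRESSURE_WORDS = ("urgent", "immediately", "today", "confidential",
                  "do not discuss", "keep this between us")
LOOKALIKE_MAX_DISTANCE = 2                           # assumption: tune per domain length


def edit_distance(a, b):
    """Levenshtein distance; a small value against ORG_DOMAIN means a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name of a known executive, but not their real address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation of {name} from {addr}")

    # 2. Sender domain is a near miss of ours (typo-squat / homoglyph).
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
        findings.append(f"look-alike sender domain {domain}")

    # 3. Replies silently diverted outside the organization.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != ORG_DOMAIN:
        findings.append(f"Reply-To diverted to {reply}")

    # 4. Urgency / secrecy pressure in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_WHALING = """\
From: Jane Doe <jane.doe@examp1e.org>
Reply-To: jane.doe.ceo@mail-example.net
To: accounts@example.org
Subject: Urgent wire transfer

Please handle this today and keep this between us until I am back.
"""

SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example.org>
To: accounts@example.org
Subject: Lunch next week

Let me know which day works for you.
"""

if __name__ == "__main__":
    for label, sample in (("whaling", SAMPLE_WHALING), ("benign", SAMPLE_BENIGN)):
        print(label, analyze(sample) or ["no findings"])
```

The checks are deliberately independent so that each finding can carry its own weight in a scoring rule; the pressure-word list in particular is a starting point and should be extended with the organization's own language, since the sources note that attackers imitate local phrasing.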

In-person/“physical” attacks If the attacker is willing to interact directly with the target, or with human sources of information in general, by e.g. appearing physically on location or calling, an even wider range of scenarios is possible. These are naturally targeted in nature, as the attacker must choose some specific organization/place to appear at physically.

Most of the scenarios described by Kevin Mitnick in [35] have some physical element to them. They build upon spear-phishing attacks but require human interaction, methodical planning and agility in the attack plan. The attacks depicted in [35] differ in the amount of information required for them to work, but all exploit the human mind (i.e. social engineering) through the different methods described in Section 2.4.

As an example, the story named “Not as safe as you think”73 describes how the attacker through human interaction by phone only acquires internal hostnames, credentials to these, out-of-office voice-mails, phone (with internal extensions) and fax numbers, dial-in access74 and in the end, the data of some project. For this attack, the information found from OSINT-sources beforehand was only:

• Some personal data to verify with (date of birth, family info, social security number etc.).

• Employees of different departments (only a few were necessary; the rest were offered by the employees he called75).

• Company locations/sites.

The rest of the information was discovered during the course of the attack. It should however be noted that this story involves violation of many policies implemented in modern organizations with controls such as those in DS/ISO 27001; those might however fail if awareness among the employees is not sufficient.

71 For example, https://www.knowbe4.com/ceo-fraud and https://www.ncsc.gov.uk/guidance/whaling-how-it-works-and-what-your-organisation-can-do-about-it state that whaling is to target C-level employees, as they have the most privileges on the network, while e.g. [27], https://krebsonsecurity.com/tag/ceo-fraud/ and https://danskebank.dk/da-dk/Erhverv/Mellem-erhverv/Online-services/Sikkerhed/Pages/CEO-Fraud.aspx state the attack is impersonation of bosses to convince an employee to transfer funds.

72 See https://www.b.dk/kultur/kriminelle-udgav-sig-for-at-vaere-direktoer-snoed-museum-for-805.000-kroner

73 Found on p. 64 of [35].

74 Probably what we would call a VPN today.

Another method could be for the attacker to show up on the premises, which requires the proper attire of employees, vendors, shipping handlers etc., and maybe some knowledge of company behavior or locations; afterwards he can use social engineering techniques to recover the necessary information.

Attacks of this type not requiring any particular OSINT data include baiting with infectious USB devices dropped on the organization’s parking lot/grounds, tailgating (following employees) into the organization’s premises or dumpster diving to recover confidential information.

Subverting the supply chain An example from [37], this is “to attack equipment or software being delivered to the organisation”. Its goal is to deliver a payload through the regular supply chain of the organization, i.e. via suppliers in which the organization has already placed a high level of trust and whose deliveries/content it is thus perhaps less likely to question.

We know the NSA performs this practice against hardware/servers exported from the US76, and some believe that Huawei equipment77 does the same78. In a specific attack79, scanners from a vendor, running the Microsoft XP Embedded OS, were shipped with malware (named Zombie Zero). The malware targeted the ERP systems80 of shipping and logistics companies and later also manufacturers.

It is not specified what information the attacker (who is unidentified and most likely an APT group) had acquired beforehand, but we can make a qualified guess. A lot of information may have gone into compromising the manufacturer, but from the target organization it may only be necessary to know:

• A type of software used in the company (here an ERP-system).

• A type of hardware deployed (here a scanner) or the distributor bought from.

• The attack could also be leveraged by identifying the employee responsible for procurement of IT equipment (and their contact information) e.g. from an organizational chart or social media.

75 The name-dropping tactic is the primary driver behind the story “Mr. Bigg wants this” on p. 110 of [35] and in general behind attacks of the CEO-fraud type.

76 https://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden

77 This is what is stated in the source article, implying that a state-sponsored group may be behind it.

78 http://www.cbsnews.com/news/huawei-probed-for-security-espionage-risk/

79 https://www.forbes.com/sites/kurtmarko/2014/07/10/trojan-hardware-spreads-apts/#71924d852536

80 Enterprise resource planning systems control areas like procurement, sales, economics and inventory control of organizations.

Targeted (D)DoS This attack can be employed if the attacker is politically motivated and wants to shut down a service/website/operations of the organization, but also as a tool of extortion. The danger is inherent to servers connected to the Internet: hostnames are quick to resolve and target, but if public IPs that were not meant to be exposed to or used by regular users are found through e.g. Shodan or public pastes of stolen data, the right security measures might not be in place on them. It can also be a problem if internal IP addresses are found from e.g. internal documents or in website descriptions, as they can be used to claim credibility (by proving knowledge of internal network components). Additionally, techniques exist to route traffic through public IPs to unintended servers inside the network.
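Two of the exposures named in this section, internal addresses leaking into published text (the (D)DoS scenario just described) and author names in document metadata (the spear-phishing list earlier), can be caught before material is published. The following is an added example, not code from the thesis or its sources: it scans a constructed page text for RFC 1918 addresses and reads the creator fields from docProps/core.xml of a minimal .docx built in memory for the test. The documentation range 203.0.113.0/24 stands in for a public address, and the author names are made up.

```python
"""Pre-publication self-check for two OSINT exposures named in this section:
internal IP addresses in page text and author names in Office metadata.
Added example, not from the thesis; SAMPLE_PAGE and the .docx are constructed."""
import io
import ipaddress
import re
import zipfile
import xml.etree.ElementTree as ET

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918 ranges: addresses that should never appear in public material.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Namespaces of docProps/core.xml inside an OOXML (.docx/.xlsx/.pptx) package.
NS = {"dc": "http://purl.org/dc/elements/1.1/",
      "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"}


def find_internal_ips(text):
    """Return the RFC 1918 addresses found in text, in order, without duplicates."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an IP
            continue
        if any(ip in net for net in INTERNAL_NETS) and str(ip) not in found:
            found.append(str(ip))
    return found


def docx_author_fields(data):
    """Return the creator / lastModifiedBy fields of an OOXML file given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    fields = {}
    for tag in ("dc:creator", "cp:lastModifiedBy"):
        el = root.find(tag, NS)
        if el is not None and el.text:
            fields[tag] = el.text
    return fields


def make_sample_docx(creator, modifier):
    """Build a minimal .docx-shaped zip in memory (constructed test data)."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f'<dc:creator>{creator}</dc:creator>'
            f'<cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed page text; 203.0.113.0/24 is a documentation range standing in
# for a public address, the other two are internal and should be flagged.
SAMPLE_PAGE = """Support portal: reachable at 203.0.113.10.
Template note left in by mistake: file server 10.20.30.40, print queue
192.168.1.20, placeholder 999.1.1.1, and again 10.20.30.40."""

if __name__ == "__main__":
    print("internal IPs:", find_internal_ips(SAMPLE_PAGE))
    print("docx authors:", docx_author_fields(make_sample_docx("j.smith", "IT-Admin")))
```

The same core.xml reader applies to .xlsx and .pptx files, since all OOXML packages carry their author fields in that part; running both checks over a web root before release is a cheap way to remove the kind of organizational detail the spear-phishing list above says attackers collect.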

Some of the OSINT that could be exposed online might even be of such a personal character that it enables brute-forcing of logins to e.g. web services. Arguably we could also consider adding a scenario for this, but have not done so for now, as it is to some extent covered by the spear-phishing scenario. It can however also be plain “drive-by” attacks attempting login with credentials from public leak databases, in which case it fits better in Section 2.5.2.