The Evolution Of Corporate Cyberthreats - Sanjay Kumar


Protecting Your Organization Today, Tomorrow, and Beyond


Most established organizations have large IT departments with staff exclusively devoted to IT security. As your business grows, hopefully your IT security team is thriving, too, and getting the intelligence and resources needed to stay abreast of the latest threats to your organization.


Unfortunately, the bad guys are keeping pace, and in some cases they’re taking the lead. To keep your organization safe, it’s imperative to stay at least a few steps ahead of the cybercriminals. Education is a key component of this defensive strategy in today’s cybercriminal ecosystem. If you don’t know it’s there, you can’t defend against it.


Threats are increasing in frequency and sophistication. In fact, according to the recently released Verizon Data Breach report, there were 1,367 confirmed data breaches and 63,437 security incidents in 2013. The severity and cause of these incidents vary depending on the goals of the cybercriminals and, sometimes, the size of the potential victim. Although larger organizations may be better equipped to fight cybercrime, they are also exposed to a wider array of attacks, including Advanced Persistent Threats (APTs), cyberespionage, and more sophisticated malware.


Advanced Persistent Threats (APTs)

Every corporation, regardless of its size or industry, is at risk of becoming the victim of a targeted attack by a variety of threat actors including APT groups, politically-driven “hacktivists,” and more advanced cybercriminals, who offer their services for hire. These adversaries will target any organization that has valuable information or data relevant to their objectives.


Depending on the adversaries’ operational motives and objectives, the information identified as valuable will vary. However, it’s important to note that regardless of the motive, attackers are targeting very specific information from a specific set of victims, and they will relentlessly customize and optimize their techniques until they successfully realize their objective.



All APTs are vehicles for cybercrime, but not all cybercrime involves APTs. Although both are driven by monetary gain, APTs specifically target more sensitive data, including passwords, competitive intelligence, schematics, blueprints and digital certificates, and are paid for by third-party clients or resold in the underground. General cybercrime operations are direct “for profit” attacks that target customers’ personal and financial information, which can be quickly monetized and laundered underground for identity theft and fraud.


Cybercriminals will either provide the hijacked information to the third-party who hired them to steal it, or they will repackage and resell the data underground to interested parties, such as nation-states or competing organizations. Earned through years of hard work and investment, stolen intellectual property enables third-parties to accelerate their technological and commercial developments while weakening corporations’ intellectual and competitive advantages in the global economy.


There are many different types of targeted attacks, including:

  • Economic Espionage – targeted information: intellectual property; proprietary information; geopolitical, competitive or strategic intelligence
  • Insider Trading Theft – targeted information: pending M&A deals or contracts; upcoming financial earnings; future IPO dates
  • Financial and Identity Theft – targeted information: employee and customer personally identifiable information; payment transactions; account numbers; financial credentials
  • Technical Espionage – targeted information: password or account credentials; source code; digital certificates; network and security configurations; cryptographic keys; authentication or access codes
  • Reconnaissance and Surveillance – targeted information: system and workstation configurations; keystrokes; audio recordings; emails; IRC communications; screenshots; additional infection vectors; logs; cryptographic keys


One of the biggest challenges in defending against targeted attacks is being able to correlate data and identify attack patterns amidst the high volume of incidents coming from disparate sources at various times. However, with careful observation, research, and proper analysis, concrete information can show similarities in targeted attack campaigns.




Icefog

Most APT campaigns are sustained over months or years, continuously stealing data from their victims. By contrast, the attackers behind Icefog, an APT discovered by the Kaspersky Security Network in September 2013, focused on their victims one at a time, in short-lived, precise hit-and-run attacks designed to steal specific data. Operational since at least 2011, Icefog involved the use of a series of different versions of the malware, including one aimed at Mac OS.



The Mask

In February 2013, the Kaspersky Lab security research team published a report on a complex cyberespionage campaign called The Mask or Careto (Spanish slang for ‘ugly face’ or ‘mask’). This campaign was designed to steal sensitive data from various types of targets. The victims, located in 31 countries around the world, included government agencies, embassies, energy companies, research institutions, private equity firms and activists.


The Mask attacks start with a spear-phishing message containing a link to a malicious website rigged with several exploits. Once victims are infected, they are redirected to the legitimate site described in the e-mail they received (e.g. a news portal or a video). The Mask includes a sophisticated backdoor Trojan capable of intercepting multiple communication channels and of harvesting all kinds of data from the infected computer. Like Red October and other targeted attacks before it, the code is highly modular, allowing the attackers to add new functionality at will. The Mask also casts its net wide: there are versions of the backdoor for Windows and Mac OS X, and there are references that suggest there may also be versions for Linux, iOS and Android. The Trojan also uses very sophisticated stealth techniques to hide its activities.


The key motivation of The Mask attackers is to steal data from their victims. The malware collects a range of data from the infected system, including encryption keys, VPN configurations, SSH keys, RDP files and some unknown file types that could be related to bespoke military/government-level encryption tools. Security researchers don’t know who’s behind the campaign. Some traces suggest the use of the Spanish language but that fact doesn’t help pin it down, since this language is spoken in many parts of the world. It’s also possible that this could have been used as a false clue, to divert attention from whoever wrote it. The very high degree of professionalism of the group behind this attack is unusual for cybercriminal groups – one indicator that The Mask could be a state-sponsored campaign.




This campaign underlines the fact that there are highly-professional attackers who have the resources and the skills to develop complex malware – in this case, to steal sensitive information. It also highlights the fact that targeted attacks, because they generate little or no activity beyond their specific victims, can ‘fly under the radar’.


The entry point of The Mask involves tricking individuals into doing something that undermines the security of the organization they work for – in this case, by clicking on a link or an attachment. Currently, all known C&C (Command-and-Control) servers used to manage infections are offline. But researchers believe that the danger hasn’t been totally eradicated and that it’s possible for the attackers to renew the campaign in the future.
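The correlation challenge raised earlier (finding attack patterns across incidents from disparate sources) and the entry chain described for The Mask (lure link delivered by e-mail, a fetch that is redirected to a legitimate site, then harvesting of SSH keys, VPN configurations and similar files) can be combined into a small cross-source detection. The Python script below is an added example written for this article; it is not code from the original text or from Kaspersky Lab. The three log formats, the host names, the lure domain news-update.example and the list of credential-file patterns are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample logs from three disparate sources (illustrative, not from
# the article). ws-17 shows the full chain; ws-22 received the lure but never
# clicked; ws-31 clicked but shows no credential-file access; ws-40 is benign.
EMAIL_LOG = [
    "2014-02-10T09:00:12Z host=ws-17 user=alice url=http://news-update.example/story",
    "2014-02-10T09:00:15Z host=ws-22 user=bob url=http://news-update.example/story",
    "2014-02-10T09:00:20Z host=ws-31 user=carol url=http://news-update.example/story",
    "2014-02-10T10:30:00Z host=ws-40 user=dave url=http://intranet.example/calendar",
]
PROXY_LOG = [
    "2014-02-10T09:01:05Z host=ws-17 GET http://news-update.example/story status=302 location=http://legit-news.example/article",
    "2014-02-10T09:01:06Z host=ws-17 GET http://legit-news.example/article status=200",
    "2014-02-10T09:04:40Z host=ws-31 GET http://news-update.example/story status=302 location=http://legit-news.example/article",
    "2014-02-10T10:31:00Z host=ws-40 GET http://intranet.example/calendar status=200",
]
ENDPOINT_LOG = [
    "2014-02-10T09:02:40Z host=ws-17 proc=svchost.exe action=read path=C:\\Users\\alice\\.ssh\\id_rsa",
    "2014-02-10T09:02:41Z host=ws-17 proc=svchost.exe action=read path=C:\\Users\\alice\\Documents\\office.ovpn",
    "2014-02-10T11:15:00Z host=ws-40 proc=putty.exe action=read path=C:\\Users\\dave\\.ssh\\id_rsa",
]

# File types the article lists as harvested by The Mask (SSH keys, VPN configs,
# RDP files, encryption keys); the patterns themselves are assumed for the demo.
SENSITIVE_PATH = re.compile(r"(\.ssh[\\/]|\.ovpn$|\.rdp$|\.pem$|\.key$)", re.IGNORECASE)
KEY_VALUE = re.compile(r"(\w+)=(\S+)")
CHAIN = ("lure_delivered", "lure_fetched_and_redirected", "credential_file_read")


def parse(line, source):
    """Turn one 'timestamp key=value ...' log line into an event dict."""
    ts_str, rest = line.split(" ", 1)
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    event.update(KEY_VALUE.findall(rest))
    if source == "proxy":  # the requested URL is positional, not key=value
        event["url"] = re.search(r"GET (\S+)", rest).group(1)
    return event


def correlate(email_lines, proxy_lines, endpoint_lines, window=timedelta(minutes=30)):
    """Group events from all sources by host and check, in time order, for the
    chain: lure URL delivered by e-mail -> the same URL fetched and answered with
    a redirect -> a credential-type file read within `window` of that fetch."""
    by_host = defaultdict(list)
    for source, lines in (("email", email_lines), ("proxy", proxy_lines), ("endpoint", endpoint_lines)):
        for line in lines:
            event = parse(line, source)
            by_host[event["host"]].append(event)

    findings = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        lure_urls = {e["url"] for e in events if e["source"] == "email"}
        stages = {"lure_delivered": bool(lure_urls),
                  "lure_domains": sorted({urlsplit(u).hostname for u in lure_urls})}
        click_ts = None
        for e in events:
            if e["source"] == "proxy" and e["url"] in lure_urls and "location" in e:
                stages["lure_fetched_and_redirected"] = True
                click_ts = e["ts"]
            elif (e["source"] == "endpoint" and click_ts is not None
                  and e["ts"] - click_ts <= window and SENSITIVE_PATH.search(e["path"])):
                stages["credential_file_read"] = True
        stages["score"] = sum(1 for stage in CHAIN if stages.get(stage))
        findings[host] = stages
    return findings


def campaign_hosts(findings, min_hosts=2):
    """Lure domains seen on several hosts: the cross-incident similarity that
    turns isolated alerts into evidence of one targeted campaign."""
    hosts_by_domain = defaultdict(list)
    for host, stages in findings.items():
        for domain in stages["lure_domains"]:
            hosts_by_domain[domain].append(host)
    return {d: sorted(h) for d, h in hosts_by_domain.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    results = correlate(EMAIL_LOG, PROXY_LOG, ENDPOINT_LOG)
    for host in sorted(results):
        print(host, results[host]["score"], "/ 3 stages")
    print("campaign lure domains:", campaign_hosts(results))
```

On the constructed data, ws-17 scores 3 of 3 stages, ws-31 scores 2, and the lure domain is tied to three hosts, which is the signal the article describes: no single source shows an attack, but grouping by host and then by shared lure domain does. In a real deployment the three lists would be replaced by feeds from the mail gateway, web proxy and endpoint file-access auditing, and the credential-file patterns would be tuned to the organization's own key and configuration locations.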



Bitcoin

Bitcoin is a digital crypto-currency. It operates on a peer-to-peer model, where the money takes the form of a chain of digital signatures that represent portions of a Bitcoin. There is no central controlling authority and there are no international transaction charges – both of which have contributed to making it attractive as a means of payment.


As use of Bitcoin has increased, it has become a more attractive target for cybercriminals. In end-of-year forecasts, security researchers anticipated attacks on Bitcoin. “Attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year. Such attacks will be especially popular with fraudsters as their cost-to-income ratio is very favorable.”


MtGox, one of the biggest Bitcoin exchanges, was taken offline in February 2014. This followed a turbulent month in which the exchange was beset by problems – problems that saw the trading price of Bitcoins on the site fall dramatically. There have been reports that the exchange’s insolvency followed a hack that led to the loss of $744,408.


Spammers are also quick to make use of social engineering techniques to draw people into a scam. They took advantage of the climb in the price of Bitcoins in the first part of this quarter (prior to the MtGox collapse) to try to cash in on people’s desire to get rich quick. There were several Bitcoin-related topics used by spammers. They included offers to share secrets from a millionaire on how to get rich by investing in Bitcoins; and offers to join a Bitcoin lottery.




Tor

Tor (short for The Onion Router) is software designed to allow someone to remain anonymous when accessing the Internet. It has been around for some time, but for many years was used mainly by experts and enthusiasts. However, use of the Tor network has spiked in recent months, largely because of growing concerns about privacy. Tor has become a helpful solution for those who, for any reason, fear surveillance and the leakage of confidential information.


Tor’s hidden services and anonymous browsing enable cybercriminals to cover their operations and provide a hosting platform for selling stolen information, using bitcoins as the currency. Since Bitcoin’s architecture is decentralized and harder to trace than traditional financial institutions, it gives cybercriminals a more efficient way to launder their ill-gotten gains.

In 2013, security experts began to see cybercriminals actively using Tor to host their malicious infrastructure, and Kaspersky Lab experts have found various malicious programs that specifically use Tor. Investigation of Tor network resources reveals many resources dedicated to malware, including Command-and-Control servers, administration panels and more. By hosting their servers in the Tor network, cybercriminals make them harder to identify, blacklist and



Cybercriminal forums and marketplaces have become familiar on the ‘normal’ Internet. But recently a Tor-based underground marketplace has also emerged. It all started with the notorious Silk Road market and has evolved into dozens of specialist markets — for drugs, arms and, of course, malware. Carding shops are firmly established in the Darknet, where stolen personal information is for sale, with a wide variety of search attributes such as country and bank. The goods on offer are not limited to credit cards: dumps, skimmers and carding equipment are for sale too.


A simple registration procedure, trader ratings, guaranteed service, and a user-friendly interface are standard features of a Tor underground marketplace. Some stores require sellers to deposit a pledge – a fixed sum of money – before starting to trade. This is to ensure that a trader is genuine and his services are not a scam or of poor quality.


The development of Tor has coincided with the emergence of the anonymous crypto-currency, Bitcoin. Nearly everything on the Tor network is bought and sold using Bitcoins. It’s almost impossible to link a Bitcoin wallet and a real person, so conducting transactions in the Darknet using Bitcoin means that cybercriminals can remain virtually untraceable. Kaspersky Lab’s expert blog, Securelist, discusses bitcoins extensively.


It seems likely that Tor and other anonymous networks will become a mainstream feature of the Internet as increasing numbers of ordinary people using the Internet seek a way to safeguard their personal information. But it’s also an attractive mechanism for cybercriminals – a way for them to conceal the functions of the malware they create, to trade in cybercrime services, and to launder their illegal profits. Researchers believe that use of these networks for cybercrime will only continue.


Like technology, the specifics of cybercrime are constantly changing. To keep your organization safe today and into the future, partnering with a cybersecurity expert is critical.


© Sanjay Kumar 2018