Researchers Aim to Thwart Targeted Cyberattacks

Engin Kirda

When it comes to Internet attacks, hackers have traditionally taken a blanket approach, sending out malware to large, random groups of people and hoping that something would stick. But in recent years, the standard operating procedure has shifted.

“In the past we used to see these opportunistic attacks where people get randomly attacked on the Internet,” said Northeastern professor Engin Kirda, a cybersecurity expert who holds joint appointments in the College of Computer and Information Science and the Department of Electrical and Computer Engineering. “But lately we’ve seen organizations and sometimes even countries specifically targeting an organization with the aim of industrial espionage.”

In new research to be presented at the top-tier USENIX Security conference this month, Kirda and his collaborators at the Max Planck Institute in Germany and the University of Singapore analyzed what they call targeted, sophisticated email attacks against a nongovernmental organization, the World Uyghur Congress (WUC). The WUC represents a large ethnic minority in China and was the victim of several suspected targeted attacks over the course of several years.

What they found was that “the language and subject matter of malicious emails were intricately tailored to appear familiar, normal, or friendly,” with the sender impersonating someone the recipient knew in order to lure them into opening an attachment or URL. As Kirda put it, “all hallmarks of social engineering.”

“People started talking about this five, six years ago, but we didn’t see a lot of evidence of targeted attacks,” said Kirda, who directs Northeastern’s Institute for Information Assurance. “Now we’re seeing it a lot. So people know these things are happening, but in terms of scientific results there wasn’t much out there because it’s difficult to get the data.”

For the study, the NGO shared data directly with the researchers: two volunteers from the organization handed over more than 1,000 suspicious emails, which had been sent to a total of more than 700 unique email addresses, including top officials at the organization as well as journalists, politicians, academics, and employees of other NGOs.

In the new research, the team used software developed at Lastline, a security company Kirda co-founded, along with other techniques to identify key features of the WUC attacks. They found that social engineering was critical to the attackers’ ability to compromise their victims: the suspicious emails were sent from compromised accounts within the organization, or from addresses that differed from a trusted correspondent’s address by only one or two characters. Most of the messages sent to the WUC and others were in the Uyghur language, and about a quarter were in English.

They also found that the malware was most often delivered as an attached document rather than as a ZIP or EXE file, even though recent cyberespionage reports had identified archives and executables as the most common vectors. In addition, the malware delivered to the victims was quite similar to that used in other recent targeted attacks, rather than being so-called “zero-day” malware, that is, malicious code that has never been observed before.
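The two findings above, sender addresses that differ from a trusted correspondent's by a character or two and malware delivered as document attachments rather than archives or executables, translate directly into mail-triage checks. The following is an added example, not code from the paper or from Lastline: it runs over a handful of constructed email samples with invented addresses, flags senders within edit distance two of an address book entry, and classifies attachments by standard file-format magic bytes instead of by file name, so a document that is really an executable, or a .pdf that is really an OLE2 container, is caught regardless of what it is called.

```python
"""Triage email samples for two markers of targeted attacks: look-alike
sender addresses and attachments classified by content, not by name.
Added example with constructed data; not code from the paper or Lastline."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed address book of trusted correspondents (hypothetical addresses).
ADDRESS_BOOK = {
    "secretary@wuc-example.org",
    "press@wuc-example.org",
    "reporter@news-example.com",
}

# Standard file-format magic numbers: leading bytes -> container type.
MAGIC = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                          # ZIP, also .docx/.xlsx/.pptx
    (b"MZ", "pe"),                                   # Windows executable
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
]

# What the file extension claims the content should be.
EXT_TO_TYPE = {
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "zip": "zip",
    "exe": "pe", "scr": "pe", "pdf": "pdf", "rtf": "rtf",
}

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(sender: str, book=ADDRESS_BOOK, max_dist: int = 2) -> Optional[str]:
    """Return the trusted address that `sender` imitates, or None.
    An exact match is not a look-alike: mail from a compromised real account
    carries no lexical tell and needs other signals (content, behaviour)."""
    sender = sender.lower()
    if sender in book:
        return None
    best = None
    for known in book:
        dist = damerau_levenshtein(sender, known.lower())
        if dist <= max_dist and (best is None or dist < best[0]):
            best = (dist, known)
    return best[1] if best else None

def sniff_type(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

@dataclass
class Email:
    sender: str
    subject: str
    attachment_name: Optional[str] = None
    attachment_bytes: bytes = b""

def triage(msg: Email) -> List[str]:
    """Return the reasons this message deserves attention (empty if none)."""
    reasons = []
    imitated = lookalike_of(msg.sender)
    if imitated:
        reasons.append(f"sender imitates {imitated}")
    if msg.attachment_name:
        ext = msg.attachment_name.rsplit(".", 1)[-1].lower()
        actual = sniff_type(msg.attachment_bytes)
        expected = EXT_TO_TYPE.get(ext)
        if actual == "pe":
            reasons.append(f"attachment is a Windows executable (.{ext})")
        elif expected and actual != expected:
            reasons.append(f"attachment claims .{ext} but content is {actual}")
        elif actual != "unknown":
            # Static checks pass, but documents are the favoured vector, so
            # route them to dynamic analysis rather than trusting a scanner.
            reasons.append(f"document attachment ({actual}): detonate in sandbox")
    return reasons

OLE2 = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8
# Constructed samples; addresses and content are invented for this example.
SAMPLES = [
    Email("secretary@wuc-example.org", "Meeting notes", "notes.docx", b"PK\x03\x04" + b"\x00" * 8),
    Email("secretary@wuc-exarnple.org", "Conference agenda", "agenda.doc", OLE2),
    Email("reporter@news-example.com", "Photos", "photos.zip.scr", b"MZ\x90\x00" + b"\x00" * 8),
    Email("press@wuc-exampl.org", "Invoice", "invoice.pdf", OLE2),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.sender, "->", triage(m) or "no findings")
```

Note that the first sample, a genuine .docx from a known address, still comes back with a sandbox recommendation: a compromised real account has no lexical tell, so the lookalike check alone cannot clear a message, and the document is handed to dynamic analysis regardless of who sent it.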

Kirda noted that standard malware detection software is insufficient for catching targeted attacks because it treats suspicious documents as static objects to be matched against known samples rather than observing what they do when opened. As a case in point, the research team tested a broad set of existing antivirus products against the malicious attachments in the WUC email corpus. No single product detected all of the malware used in the targeted attacks, and some samples evaded every product tested. Because targeted attacks use sophisticated malware that can adapt to its environment, more sophisticated detection techniques are needed, Kirda said.

To address that problem, his team at Lastline developed software that analyzes malware “on the fly,” running it and observing whether it behaves suspiciously. While more research is needed to broaden the scope, the current work is an important first step in analyzing the new wave of targeted attacks taking place around the globe.

Understanding such attacks, Kirda said, is critical to developing software capable of protecting against them. Lastline develops technology to defend against today’s evasive and advanced cyberthreats.

“It’s very important for high-tech universities like Northeastern to have spin-offs because you get the return on investment and you get to see how the real world actually works,” Kirda said. “We get data from the company that we can use in our research.”