Here at FireEye, the New Year gives us an opportunity to look back at 2013 and analyze what happened in cyber security from a high-level and strategic perspective.
Let’s start with Asia. Cyber attacks against government websites in Southeast Asia and Australia made the front-page news, reminding security professionals that cyber threats are both a global and a regional issue.
While attention-seeking hackers are trying to attract as much press as possible, organized and resourceful cyber criminals and nation-state threat actors are capable of more advanced – and stealthy – attacks. Motivated by economic and political aims, some of the most advanced cyber attacks are designed to steal information (or, like Stuxnet, sabotage critical infrastructure) and evade detection. Therefore, this class of attacks can often go unnoticed for long periods of time.
Advanced Attacks in Asia: 2013
Our research at FireEye Labs shows that the Asia Pacific region is two times more likely to be targeted by advanced cyber attacks than the world as a whole.
Based on our data, here is a list of the top 10 most targeted countries in Asia during the past year. This data represents only those attackers that we regard as “advanced persistent threats” (APT) or targeted attacks.
- South Korea
- Hong Kong
Beyond the top 10, Figure 1 highlights APT attacks that FireEye discovered in the region in 2013.
Figure 1: APT Heat Map in Asia Pacific. The darker the hue, the higher the number of attacks we found.
Next, let’s consider which industry verticals in Asia were most often targeted by advanced attackers. Here is our top 10 list for 2013:
- Financial Services
- Government (Federal)
- Chemicals / Manufacturing / Mining
- Services / Consulting
- Higher Education
- Telecom (Internet, Phone & Cable)
- Energy / Utilities / Petroleum
- Entertainment / Media
- State and local government
Within each country, we can examine the breadth of advanced attacks by counting the number of targeted verticals (see Figure 2).
Clearly, APT actors were busy last year, stealing information from every sector. And unfortunately, 2014 is likely to bring more of the same.
The Contest for Intellectual Property
According to the 2012 World Intellectual Property Organization (WIPO) report, which cited global data collected in 2010, three of the top five patent offices are now located in Asia, and they represented more than 45 percent of all patents filed worldwide. With such a high volume of intellectual property concentrated in the region, Asia is a logical battleground for cyber attacks. Stealing information about an advanced-stage product can allow an unscrupulous competitor to bring a similar product to market at a much lower cost and effort — and at the direct expense of the victim.
The 2013 Ponemon Institute Research Report estimated that the average total organizational cost of such data breaches is more than $4 million in Australia and more than $2 million in Japan. In high-profile advanced cyber attacks discovered in recent years, the cost of remediation for direct and indirect breaches has been estimated at between $50 million and $177 million.
Top APT Malware Detection in the Asia Pacific
These threat actors are using many tactics, techniques, and procedures (TTPs); the malware families we saw most often in 2013 were Gh0stRat, Sisproc, Darkcomet, Heartbeat, and LV. In certain countries such as Japan, Taiwan, and South Korea, FireEye discovered more than 30 unique APT families.
Gh0stRat is one of the most commonly used remote administration tools (RAT) in the world. But we have also found an increased use of malware such as Houdini — a heavily obfuscated VBScript-based RAT that was analyzed by FireEye researchers in a recent blog post.
Some APT malware, such as Mirage, has been used for specific purposes in Asia. Threat actors using this malware often employ spear-phishing attacks with legitimate decoy documents related to a target’s national economy or politics, including regional events such as ASEAN summits, Asia-Pacific Economic Cooperation (APEC) summits, energy exploration, or military affairs.
Hotspots in the Asia Pacific
FireEye has consistently seen large concentrations of APT malware in Japan and South Korea. And unsurprisingly, both countries are also home to some of the world’s most productive patent offices.
Strikingly, two of the most recently discovered zero-day vulnerabilities have been used in advanced cyber attacks specifically targeting Japanese- and Korean-language users:
- CVE-2013-3893 - Internet Explorer SetMouseCapture Vulnerability
- CVE-2013-3897 - Internet Explorer CDisplayPointer Vulnerability
Zero-day vulnerabilities are often hard to come by, and the frequent use of these exploits against Japan and Korea is an indicator of determined and resourceful attackers, as well as the high value of the information they are extracting from these targets.
In North Asia, APT tools such as Terminator RAT (also known as FakeM) have been repeatedly used by a single APT actor against Tibetan and Uyghur activists. But we are also seeing an increased number of such attacks in Taiwan. This APT group is also one of many that have been changing their tactics, techniques, and procedures (TTPs) in order to evade security defenses.
In South Asia, a recent zero-day vulnerability was found to be exploited in both targeted attacks and crimeware campaigns concentrated in India and Pakistan:
- CVE-2013-3906 - Graphics component vulnerability exploited through Word documents
The Future: A Cyber Arms Race
In the Asia Pacific region, the threat of advanced cyber attacks is both complex and diverse. We have seen attacks that are customized toward language-specific platforms, strategic web compromises of local and regional websites, and spear-phishing with highly customized themes and content.
Many organizations today, however, rely on security strategies that were developed several years ago using traditional controls such as anti-virus software and firewalls. While these strategies served well in the past, security professionals must reassess their efficacy against the evolving APT threat landscape and the evasive tactics used in these cyber attacks.