"Watering hole" attacks prove to be more effective alternative to phishing Hacker groups increasingly compromised industry websites in 2013 in an attempt to load malware onto the computers of employees of targeted companies and government agencies, a global threat report found. [Even the tech-savvy are prone to compromise]The so-called “watering hole” tactic was used as a more effective alternative to using email to trick employees into opening a malicious attachment of clicking on a link to an infected website, according to CrowdStrike’s year-in-review study released Tuesday. Compromising the sites frequented by employees raised the infection rate while reducing the amount of work.With email attacks, called phishing, the hackers have to do research on the targeted groups of employees, in order to design a convincing message, Dmitri Alperovitch, co-founder and chief technology officer for CrowdStrike, said. “If you do this for thousands of people that you want to potentially compromise, it takes quite a bit of effort from a human involvement perspective,” he said. “(A watering hole) allows you to scale these operations for compromising a whole slew of targets all at once.” CrowdStrike based its findings on the more than 50 groups it tracked last year, many of which conducted effective watering-hole attacks. Owners of the sites compromised included The Council of Foreign Relations, Capstone Turbine and Napteh Egineering & Development Co. Hacking groups in Russia and China were particularly fond of watering-hole attacks. A Chinese group CrowdStrike called Emissary Panda targeted foreign embassies, while a group called Energetic Bear, which has ties to the Russian government, focused on Western targets within the energy industry. In the past, groups in Russia were more interested in military organizations. Over the last couple of years, their interests have shifted to stealing intellectual property and sensitive documents from Western energy companies. 
Russia is a major oil producer.

“Traditionally, we have seen (economic espionage) from the Chinese and we’ve also started seeing that from the Indians,” Alperovitch said.

This year, CrowdStrike expects to see a lot of hacker groups focus on breaking into systems running Windows XP, which Microsoft will stop supporting in April. Hackers are expected to take advantage of the absence of regular vulnerability patches with malware targeting previously unknown exploits. As a result, CrowdStrike is predicting a rise in XP infections in the second and third quarters of this year.

“You’re going to have a very vulnerable population,” Alperovitch said. “A lot of these machines are in enterprises and a lot of them are running point of sale terminals in retailers, so you’re going to have a big problem on your hands.”

As of December, Windows XP accounted for 29 percent of the computers accessing the Internet, according to Net Applications.

CrowdStrike also expects to see malware creators increasingly encrypt network traffic when communicating with remote servers. In addition, malware is expected to become better at appearing benign in order to bypass sandboxes meant to contain malicious code.

Finally, attackers will likely take advantage of major events in designing phishing and watering hole attacks. Such events include the Winter Olympics, the World Cup and the G20 Summit, a gathering of finance ministers and central bank governors from 20 major economies.