Researchers aim to thwart targeted cyberattacks

Aug 13, 2014 by Angela Herring
Professor Engin Kirda and his collaborators have developed advanced malware detection software that can protect against targeted attacks, which represent the growing majority of cyberespionage taking place today. Credit: Brooks Canaday.

When it comes to Internet attacks, hackers have traditionally taken a blanket approach, sending out malware to large, random groups of people and hoping that something would stick. But in recent years, the standard operating procedure has shifted.

"In the past we used to see these opportunistic attacks where people get randomly attacked on the Internet," said Northeastern professor Engin Kirda, a cybersecurity expert who holds joint appointments in the College of Computer and Information Science and the Department of Electrical and Computer Engineering. "But lately we've seen organizations and sometimes even countries specifically targeting an organization with the aim of industrial espionage."

In groundbreaking new research to be presented at the top-tier USENIX Security conference this month, Kirda and his collaborators at the Max Planck Institute in Germany and the University of Singapore analyzed what they called targeted, sophisticated attacks via email against a nongovernmental organization in China called the World Uyghur Congress. The WUC represents a large ethnic minority in China and was the victim of several suspected targeted attacks over the course of several years.

What they found was that "the language and subject matter of malicious emails were intricately tailored to appear familiar, normal, or friendly," in which the sender was impersonating someone else to lure the recipient into opening an attachment or URL. As Kirda put it, "all hallmarks of social engineering."

"People started talking about this five, six years ago, but we didn't see a lot of evidence of targeted attacks," said Kirda, who directs Northeastern's Institute for Information Assurance. "Now we're seeing it a lot. So people know these things are happening but in terms of scientific results, there wasn't much out there because it's difficult to get the data."

For their study, the NGO offered to share data directly with the researchers: Two volunteers from the company offered up more than 1,000 suspicious emails that were also sent to a total of more than 700 unique email addresses, including top officials at the organization as well as journalists, politicians, academics, and employees of other NGOs.

In the new research, the team used software developed at Lastline—a security company Kirda co-founded—as well as other techniques to identify some key features of the WUC attacks. They found that was critical to the attackers' ability to gain access to victims' accounts; the suspicious emails were sent from compromised accounts within the organization or sported email addresses that differed from friendly addresses by a single character or two. Most of the messages sent to WUC and others were in the Uyghur language, and about a quarter were in English.
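One way a defender can surface the lookalike-sender pattern described above (addresses that differ from a known contact by one or two characters) is to compare each incoming sender against a list of trusted contacts by edit distance. This is an added example, not code from the article or from Lastline; the contact list and the sample senders are constructed placeholders.

```python
# Added example, not code from the article or from Lastline. It flags sender
# addresses that sit within a small edit distance of a known contact, the
# lookalike-sender pattern the WUC study describes. All addresses are constructed.

TRUSTED_CONTACTS = {
    "chair@example-ngo.org",
    "press.office@example-ngo.org",
    "reporter@example-news.com",
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) using a rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete
                           cur[j - 1] + 1,             # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def lookalike_of(sender: str, trusted=TRUSTED_CONTACTS, max_dist: int = 2):
    """Return the trusted address `sender` imitates, or None for an exact match or
    an unrelated address (edit distance cannot spot a compromised real account)."""
    sender = sender.strip().lower()
    if sender in trusted:
        return None
    best = min(trusted, key=lambda t: levenshtein(sender, t))
    return best if levenshtein(sender, best) <= max_dist else None

# Constructed sample of From: addresses, for illustration only.
SAMPLE_SENDERS = [
    "chair@example-ngo.org",          # genuine contact, not flagged
    "chair@examp1e-ngo.org",          # 'l' replaced by '1' (distance 1)
    "press-office@example-ngo.org",   # '.' replaced by '-' (distance 1)
    "reporter@exarnple-news.com",     # 'm' rendered as 'rn' (distance 2)
    "newsletter@unrelated.example",   # unrelated, not flagged
]

def triage(senders):
    """Return [(sender, imitated_address)] for every lookalike sender."""
    return [(s, lookalike_of(s)) for s in senders if lookalike_of(s)]
```

A hit only says the address resembles a contact; the compromised-account case the study also reports needs content or behavioural analysis, since the sender there is genuine.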

They also discovered that the vectors through which the malware was delivered were most often attached documents, rather than ZIP files or EXE files, which recent cyberespionage reports had identified as the most common vectors. In addition, the malware delivered to the victims was found to be quite similar to that used in other recent targeted attacks, rather than representing so-called "zero-day malware," which is malware that has never been observed before.

Kirda noted that standard malware detection software is insufficient for detecting targeted attacks because it looks at the suspicious documents as static entities after they've performed the attack. As a case in point, the research team analyzed the entire body of existing malware detection software for its ability to detect the malicious attachments in the email corpus from WUC. No single software detected all of the malware used in the targeted attacks and some malware evaded all of the software analyzed. Since targeted attacks utilize sophisticated malware that can adapt to its environment, more sophisticated detection techniques must be used instead, Kirda said.

In an effort to address that problem, his team at Lastline developed software that is able to analyze malware "on the fly"—to observe it in action and see if it behaves suspiciously. While more research must be done to broaden the scope, the current work represents an important first step in analyzing the new wave of targeted attacks taking place around the globe.

Understanding such attacks, Kirda said, is critical to developing software capable of protecting against them. Lastline develops technology to defend against today's evasive and advanced cyberthreats.

"It's very important for high-tech universities like Northeastern to have spin-offs because you get the return on investment and you get to see how the real world actually works," Kirda said. "We get data from the company that we can use in our research."
