APT – Going for Cybergold

After an investigation which commenced in autumn of 2011, yesterday (April 11, 2013) Kaspersky Labs announced the results of its investigation into malware targeting the gaming industry. Kaspersky has identified the attackers as the Winnti organization. Kaspersky observed:

It’s tempting to assume that Advanced Persistent Threats (APTs) primarily target high-level institutions: government agencies, ministries, the military, political organizations, power stations, chemical plants, critical infrastructure networks and so on. In this context it seems unlikely that a commercial company would be at risk unless it was operating on the scale of Google, Adobe or The New York Times, which was recently targeted by a cyberattack, and this perception is reinforced by the publicity that attacks on corporations and government organizations usually receive. However, any company with data that can be effectively monetized is at risk from APTs. This is exactly what we encountered here: it was not a governmental, political, military, or industrial organization but gaming companies that were targeted.

The target of the attack — gaming cyber gold, among other things.

As Kaspersky describes in detail in its 95-page report, in the Winnti attacks the attackers used all manner of highly tuned malware uniquely created to exploit the systems and engineering processes of each victim. The exploits that were used against Victim A were different from the exploits used against Victim B. In a particularly evil twist, the attackers stole the code-signing certificates of victims and then signed new malicious code with the certificates of previous victims, so that the malware appeared to come from a legitimate software vendor. This is consistent with our observation that, contrary to the assumptions of the Department of Homeland Security and the President of the United States, knowing the details of the attack on one entity is of little value in protecting other victims. We discuss the inherent weakness in the information sharing model here.

The Winnti attacks also reaffirm the infiltration method: highly targeted spearphishing emails. Using their advanced forensic tools and skills, Kaspersky identified some of the attack emails. In this example, the attackers replaced the real sending address with a spoofed internal From address, so the message appeared to come from a colleague. In the inbox, the victim saw this:


Could there be a more enticing item in the inbox? Of course, the victim opened this clever piece of social engineering. And this is what they saw:

[Image: targeted email]

The attachment purported to contain the specifics of the pay and benefits adjustments. Regrettably, the attachment could not be recovered; however, all of the circumstances make it clear that the malware which compromised the victim was delivered by this clever piece of deception.

Your personnel will receive deceptive emails. Your security hangs in the balance when an employee decides to click a link or open an attachment. Telling employees to avoid suspicious emails is good advice. The attackers know this same guidance — that is why cyberattackers use social engineering to craft emails that do not look suspicious. IT must intervene in the email processing decision. That is the role of SP Guard. Using SP Guard, IT can define a list of trusted senders and present this information to staff at the moment the person is deciding whether to click or pass. In the SP Guard environment, staff can, for example, easily distinguish a trusted HR email from a spoofed HR email.
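The two ingredients described above, a spoofed internal From address and a list of trusted senders that IT maintains, can be combined into a simple inbound check. The following is an added example written for this article; it is not SP Guard code and makes no claim about how SP Guard works. It assumes the receiving mail server records SPF and DKIM verdicts in an Authentication-Results header, and the internal domain, the allow-list and the sample messages are all constructed for illustration. The point it demonstrates is that the visible From header alone proves nothing: only the envelope sender and the server's authentication verdict tie a message to the internal domain, so a message that claims to be from HR but fails both is labelled as a spoof rather than as trusted.

```python
"""Label inbound mail that claims an internal sender as trusted, unlisted,
or spoofed. Added example, not SP Guard code; domains, allow-list and the
sample messages are constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-games.test"            # assumed internal domain
TRUSTED_SENDERS = {                               # assumed IT-maintained allow-list
    "hr@example-games.test",
    "payroll@example-games.test",
}

# Minimal parsing of Authentication-Results (RFC 8601) clauses.
SPF_PASS = re.compile(r"spf=pass\b[^;]*?smtp\.mailfrom=([\w.\-@]+)", re.I)
DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?header\.d=([\w.\-]+)", re.I)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def authenticated_domains(auth_results: str) -> set:
    """Domains the receiving server's SPF/DKIM verdicts actually vouch for."""
    domains = set()
    m = SPF_PASS.search(auth_results)
    if m:
        domains.add(domain_of(m.group(1)) or m.group(1).lower())
    m = DKIM_PASS.search(auth_results)
    if m:
        domains.add(m.group(1).lower())
    return domains


def classify(raw: bytes) -> str:
    """Return 'external', 'spoofed-internal', 'internal-unlisted' or 'trusted'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    auth = str(msg.get("Authentication-Results", ""))

    if domain_of(from_addr) != INTERNAL_DOMAIN:
        return "external"
    # The From header is attacker-controlled text. Only the envelope sender
    # and the server's SPF/DKIM verdict can tie the message to our domain.
    vouched = INTERNAL_DOMAIN in authenticated_domains(auth)
    envelope_ok = domain_of(return_path) == INTERNAL_DOMAIN
    if not (vouched and envelope_ok):
        return "spoofed-internal"
    return "trusted" if from_addr in TRUSTED_SENDERS else "internal-unlisted"


def build_message(from_addr: str, return_path: str, auth_results: str) -> bytes:
    """Constructed sample message (not a real capture) for the demonstration."""
    return (
        f"Return-Path: <{return_path}>\r\n"
        f"Authentication-Results: mx.{INTERNAL_DOMAIN}; {auth_results}\r\n"
        f"From: HR <{from_addr}>\r\n"
        f"To: staff@{INTERNAL_DOMAIN}\r\n"
        "Subject: Pay and benefits adjustments\r\n\r\n"
        "Details of the adjustment are attached.\r\n"
    ).encode()


# Constructed samples: a genuine HR notice, the same notice with a forged
# From header sent through an outside server, an unlisted internal sender,
# and an ordinary external sender.
GENUINE_HR = build_message(
    "hr@example-games.test", "hr@example-games.test",
    "spf=pass smtp.mailfrom=hr@example-games.test; dkim=pass header.d=example-games.test")
SPOOFED_HR = build_message(
    "hr@example-games.test", "bounce@mailer-outside.test",
    "spf=fail smtp.mailfrom=bounce@mailer-outside.test; dkim=none")
UNLISTED = build_message(
    "dev@example-games.test", "dev@example-games.test",
    "spf=pass smtp.mailfrom=dev@example-games.test; dkim=pass header.d=example-games.test")
OUTSIDE = build_message(
    "news@vendor-outside.test", "news@vendor-outside.test",
    "spf=pass smtp.mailfrom=news@vendor-outside.test")

if __name__ == "__main__":
    for name, raw in [("genuine HR", GENUINE_HR), ("spoofed HR", SPOOFED_HR),
                      ("unlisted internal", UNLISTED), ("outside", OUTSIDE)]:
        print(f"{name}: {classify(raw)}")
```

The label a mail client shows to staff would be driven by `classify`: "trusted" for the genuine HR notice and "spoofed-internal" for the forged one, even though both display the identical HR address in the From field. The regexes handle only the common `spf=`/`dkim=` clause shapes; a production check would use a full Authentication-Results parser and would also verify that the header was added by its own trusted mail server rather than by the sender.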

You can contact us at 408-727-6342, ext. 3 or use our online form.
