Cyber warfare: Hydraq and Stuxnet make 2010 'Year of the targeted attack'

Symantec finds a huge volume of new threats in 2010 in its Internet Security Threat Report (ISTR), Volume 16, including new megatrends that involve targeted and sophisticated attacks against high profile targets utilising malware such as Stuxnet and Hydraq. 

This malware led Symantec vice president and managing director Craig Scroggie to declare 2010 "the year of the targeted attack".

The ISTR report found 286 million unique malicious programs in 2010, a 93% increase in web-based attacks.  There were 260,000 identities exposed per breach in data breaches caused by hacking and zero-day vulnerabilities, or vulnerabilities in the software unknown to the developers, played a key role in the targeted attacks involving Stuxnet and Hydraq.

The Stuxnet malware reportedly appeared in July of last year and infected the Bushehr nuclear power plant in Iran among others in the country and utilities around the world.  It did not do any lasting damage, reports said, but was widespread and sophisticated. Pundits see everyone from the CIA to Israel behind the so-called cyber-attack.

Mr Scroggie said the malware was designed to cause physical damage and in particular, to speed up an engine until it exploded. 

He said the designers knew that Stuxnet would have to be deliberately delivered by USB to an organization’s control system, since most utilities employed systems with no internet connection in order to give heightened security.

“It also required a lot of skill, it needed very specialised code skill, there were multiple languages, it needed a lot of money to do it, a very well funded organization or possibly government that would have been behind it.”

The Hydraq malware aimed to get into an organization and target confidential information to be extracted quickly, he said.  The organizations were generally large, public multinational companies or agencies, said Mr Scroggie. 

He said the Hydraq and Stuxnet attacks were very large scale events the likes of which were likely to continue into the next twelve months.

Social attacks
The ISTR also highlighted the fertile nature of social networks for the activities of cybercriminals.  Social network attacks were growing, said Mr Scroggie, because of the volume of people using social networking. 

In particular, the use of shortened URLs to trick users into visiting malicious or phishing websites was common.  This method involved attackers logging onto an infected social networking account and posting a shortened link to a malicious website in the status area, which is then automatically distributed to the news feeds of the infected account’s friends. 

This has a potential for hundreds or thousands of victims in minutes, the report stated.In 2010, 65% of malicious links in news feeds observed by Symantec used shortened URLs.

Mr Scroggie said because they were “trusted” that social networks engendered some complacency about security.

“In a social network obviously you don’t think your friends and family are trying to infect you or send you to a malicious website,” said Mr Scroggie.

Weak passwords
He said weak passwords, root kits and the practice of social engineering, where an attacker learns as much as possible about the user via the internet to guess a user name and password, were ways social networking accounts could become infected.

“People still use passwords like ‘password’.  Top ten passwords not use? Well, ‘password’ is in there.”

Attack toolkits, or software programs that can be used by anyone to aid in launching attacks upon network computers, were also in widespread use in 2010, the report stated.  The toolkits were generally written and then sold to someone wishing to use them, said Mr Scroggie.  Attack kits were often designed to propagate spam and send malware around for financial gain, he said.  The report stated that vulnerabilities in the Java code were increasingly targeted by attack kits as a popular cross-browser, multi-platform technology.

Mobiles targetted, including tablets
Mobile platforms are also in the line of fire, the report said, with Symantec expecting attacks on these platforms to increase.  In 2010, most malware took the form of Trojan Horse programs posing as applications, the report said, where in many cases malicious logic was inserted into existing legitimate applications. 

Mr Scroggie said that people updating their Facebook profiles from their mobile phones was a problem now that phones had faster CPUs and could run multiple programmes.  This meant, he said, that malicious software could be run in the background and the focus of attackers would shift to mobile platforms, including tablets.

“This year will be the year of obviously the tablet computer but with that mobility brings a whole new raft of security challenges we’ve not really tackled before.”