Understanding Highly Targeted Attacks

Written by: Danielle Anne Veluz

What is a highly targeted attack?

A highly targeted attack intentionally stays undetected in a network or system for a long time while successfully executing its intended payload. It typically goes after sensitive data that does not have an identifiable monetary value in the cybercrime underground. It can thus be likened more to espionage.

These attacks usually take longer to plan and execute. They make use of a variety of tools, some of which are not used in typical malware attacks. While some attacks make use of off-the-shelf remote access tools (RATs), highly targeted attacks are designed for a specific purpose, target a specific entity, and intend to achieve longevity within a compromised system and/or network to steal pertinent information and/or to monitor affected users' activities over time.

How are highly targeted attacks typically conducted?

Staging such attacks involves detailed reconnaissance work to gather information and to identify a particular target’s system and infrastructure weaknesses. To do this, attackers will hunt down all types of information, including data found on the target’s website, social networking accounts, publicly available documents, published accounts, and so on. This information will help them identify who or what to target in order to gain entry. The information they gather includes employees’ names and their personal details (e.g., email addresses and social networking profiles) as well as the company’s IT policies, preferred OS, applications, software, and network structure.

After the target has been successfully tricked into executing the malware, the malware accesses the attackers' command-and-control (C&C) servers, allowing it to be used for information theft. Once a targeted system has been compromised, it is difficult to discover the existence of the malware.

What are some previous attacks that can be considered highly targeted?

The highly targeted attack that used the REMOSH hacking tool, detected as HKTL_REMOSH (a.k.a. Night Dragon), earlier this year involved specific networks. The cybercriminals behind this attack compromised part of their target’s network by installing the hacking tool, which generates backdoor applications detected as BKDR_REMOSH.SMF that allow them to execute certain commands in order to steal critical data.

Apart from stealing data, the backdoor application can also create and delete files, send and receive files, capture screenshots, run remote command line shells, and uninstall itself. Based on the list of possible commands the application can issue or follow, a successful attack can lead to data theft and/or loss and to other malware infections.

The HYDRAQ (a.k.a. Aurora) attack also broke out in January 2010, when Trend Micro received several reports and inquiries about the exploitation of a vulnerability in certain versions of Internet Explorer (IE). This led to the download of HYDRAQ variants onto vulnerable systems. The successful exploitation of the vulnerability allowed the attackers to take complete control of infected systems, enabling them to install programs; to view, change, and/or delete data; or to create new online accounts with full user rights.

What can users and companies do to protect themselves from highly targeted attacks?

  • Create memorable and effective campaigns in-house that instill proper behavior in employees with regard to security.
  • Employ firewalls, vulnerability assessment tools/devices, endpoint protection, data loss prevention solutions (since information is often the targeted asset), and network scanning/management (since the attack tool needs to communicate with its owner), ideally with support.
  • Stay informed on news about malware that exploits vulnerabilities, and keep all OSs and applications updated with the latest versions and patches.
  • Always back up sensitive information. Also, administrators are encouraged to use back-up and restore features or any solution that can restore any machine at any given time.
  • Use a solid security product that performs cleanup of malware traces and system modifications.
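
The network scanning/management point above rests on the fact that the attack tool has to keep communicating with its owner. As an added example (not part of the original article and not code from any Trend Micro product), this Python code flags internal hosts that contact the same destination at near-constant intervals. The log format, host names, and thresholds are assumptions, and the log data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def parse(lines):
    """Group connection times by (source host, destination).
    Assumed line format: "<ISO timestamp> <source host> <destination>"."""
    flows = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole run
        ts, src, dst = parts
        try:
            flows[(src, dst)].append(datetime.fromisoformat(ts))
        except ValueError:
            continue  # unparseable timestamp
    return flows

def find_beacons(lines, min_events=6, max_cv=0.1):
    """Return (src, dst, mean_interval_seconds) for flows whose gaps between
    connections are nearly constant (coefficient of variation <= max_cv)."""
    hits = []
    for (src, dst), times in parse(lines).items():
        if len(times) < min_events:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg)))
    return sorted(hits)

def sample_log():
    """Constructed data: ws-014 checks in about every 5 minutes with small
    jitter, ws-022 browses irregularly. All names are hypothetical."""
    start = datetime(2011, 3, 1, 9, 0, 0)
    jitter = [0, 4, -3, 2, -5, 1, 3, -2]  # seconds
    beacon = [start + timedelta(seconds=300 * i + j) for i, j in enumerate(jitter)]
    browse = [start + timedelta(seconds=s)
              for s in (0, 12, 95, 600, 640, 2400, 2410, 5000)]
    lines = [f"{t.isoformat()} ws-014 cc.example.invalid" for t in beacon]
    lines += [f"{t.isoformat()} ws-022 news.example.com" for t in browse]
    lines.append("garbage line")  # malformed entry, ignored by parse()
    return lines

if __name__ == "__main__":
    for src, dst, interval in find_beacons(sample_log()):
        print(f"{src} -> {dst}: regular check-in about every {interval}s")
```

Legitimate software such as update checkers also connects on a fixed schedule, so flagged destinations need triage against a list of known-good services before they are treated as C&C traffic.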

Are Trend Micro product users safe from highly targeted attacks?

Yes. Powered by the Trend Micro™ Smart Protection Network™, Trend Micro products protect users from attack tools used in highly targeted attacks. Using the power of the “cloud,” Trend Micro is in a unique position in the security industry, as it has millions of sensors distributed worldwide that feed its large network of collection systems with threat information.

Trend Micro maintains the world’s largest and most reliable email, file, and Web reputation databases with billions of dynamically rated spam sources, files, and websites, respectively, that are used to block malicious email messages, files, and sites. Using a combination of messaging, file, and Web security business protection, Trend Micro customers get the benefit of integrated threat intelligence across threat vectors. The reputation services are based on in-the-cloud technologies and not on static onsite updates, allowing users to always have instant access to the latest protection without having to wait for signature updates. This results in real-time protection against the largest number of possible threats in the least amount of time. At present, we block more than 5 billion threats a day with the help of our five global datacenters.

Trend Micro™ Threat Management System aids customers by detecting communication between malware and remote servers and/or sites. In addition, Trend Micro™ Deep Security detects suspicious activity on your network by employing integrity monitoring and log inspection.


"Highly targeted attacks refer to attacks by threat actors that aggressively pursue specific targets, often through the use of social engineering, in order to maintain persistent control within the victims’ networks so that they can extract sensitive information." —Nart Villeneuve, Trend Micro senior threat researcher