Question

1. What do you mean by "targeted"?

Targeted attacks are akin to a burglar breaking into your home or an Airbnb host setting up a camera to watch you in the bathroom.

Researchers use the term to describe malware delivery and other malicious attacks that focus on a specific individual, organization, or even industry. Targeted attacks often require dedicated or personal reconnaissance by an attacker to discover vulnerabilities that can be exploited. As cyber warfare has escalated, targeted attacks have become automated or semi-automated, crawling the Internet and finding targets via profiling and a catalog of known vulnerabilities.

Terminology in cybersecurity is somewhat fluid, and you may hear the terms "targeted threat" and "targeted surveillance", which have slightly different meanings. Targeted threats are the actual malware or exploits delivered via attacks.

Targeted surveillance contrasts with mass surveillance, and the distinction is important for the privacy-conscious. Upstream and PRISM, the NSA programs revealed to the world by the 2013 Edward Snowden disclosures, are examples of mass surveillance. These programs are designed to scoop up as much data as possible from huge numbers of people — at least tens of billions of communications.

A single wiretap, in contrast, is an example of targeted surveillance (though somewhat anachronistic). In the age of the smartphone, targeted surveillance is often the goal of targeted attacks: rather than breaking in for the purpose of monetary gain (or just for the lulz), attackers may, for example, install spyware that will send communications back to the attacker. Operations by the NSA Tailored Access Operations (TAO) and the CIA Center for Cyber Intelligence (CCI) are targeted attacks that result in targeted surveillance.

When targeted attacks are deployed at a global scale by intelligence agencies, the lines between mass surveillance and targeted surveillance can start to blur, as we learned in 2017 when a giant cache of U.S. government cyber weapons was disclosed by WikiLeaks:

Spying tools and operational protocols detailed in the [WikiLeaks Vault 7] leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group Symantec calls Longhorn... It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker.

Often, targeted attacks contain some element of social engineering to trick a person into giving the attacker privileged access to their computer, smartphone, or network.

Question

2. What is a "zero day"?

Zero-day (or 0day) vulnerabilities are known weaknesses that can be exploited by attackers, with no fix or mitigation at the time of their disclosure ("Day Zero"). Until there is a fix or mitigation strategy, anyone with sufficient talent and resources can exploit a zero-day, discover related vulnerabilities, and expand or improve known attack methods.

"Zero Day" is also a song by MC Frontalot with an amazing music video that actually tells you a lot about the term. Will zero-days lead to a post-apocalyptic society ruled by homicidal robot overlords? Probably not, and there are ways to stem the tide.

Zero-days aren't just exploited by script kiddies and hacktivists. Governments stockpile zero-days and actively work to weaponize them, creating huge and very dangerous archives that can leak and create havoc. This is what we saw with The Shadow Brokers (TSB), a group that leaked a trove of the NSA's targeted attacks in 2017. The EternalBlue zero-day from a TSB leak led to WannaCry and waves of ransomware that still plague people and organizations around the globe in 2020.

Of all the Big Tech players, Microsoft has perhaps been hit the hardest by zero-days, and all signs point to more headaches deriving from ancient flaws in Windows. After WannaCry, Microsoft called for a "Digital Geneva Convention", saying:

The tech sector plays a unique role as the Internet’s first responders, and we therefore should commit ourselves to collective action that will make the internet a safer place, affirming a role as a neutral Digital Switzerland that assists customers everywhere and retains the world’s trust.

A lofty goal, though one that is difficult to believe from the trenches.

Question

3. What is "phishing"?

Phishing is a social engineering technique that tricks people into thinking they are giving their sensitive information to a trustworthy person or entity. The attacker may be "fishing" for victims via e-mail spoofing, fake websites, or hijacking of legitimate websites.

Phishing is as old as networks, though it is usually associated with e-mail. It is still one of the biggest cybersecurity threats, especially for organizations, and one that has profound effects on our society. In 2020, the cash-strapped government of Puerto Rico lost more than $2.6 million to a phishing scam. In 2016, Hillary Clinton's campaign chairman John Podesta was phished, with staffers even reassuring him that the scam email asking for his Gmail password was "legitimate". Whether that became the origin of the leaked Podesta e-mails we don't know, especially since he also used "p@ssw0rd" for his Windows login credentials.

Spear phishing is when an attacker knows some information about you, such as your hometown, date of birth, or names of family members, and is therefore better able to gain your trust. These attacks are very tough to mitigate without a physical security token or another form of multi-factor authentication. In 2017, a study of university students proved just how predictable human behavior can be, and therefore how easy it is to manipulate:

[We sent] over 1200 university students an email or a Facebook message with a link to (non-existing) party pictures from a non-existing person, and later asked them about the reasons for their link clicking behavior. We registered a significant difference in clicking rates: 20% of email versus 42.5% of Facebook recipients clicked. The most frequently reported reason for clicking was curiosity (34%), followed by the explanations that the message fit recipient's expectations (27%). Moreover, 16% thought that they might know the sender. These results show that people's decisional heuristics are relatively easy to misuse in a targeted attack, making defense especially challenging.

Phishing has many other spinoffs with clever nicknames, but the bottom line is that social engineering techniques aren't limited to your inbox. Often, they are the first step in carrying out a targeted attack, allowing the attacker to deliver a payload of malware or gain access to confidential resources using your credentials. Attackers may lie in wait on networks for many months or even years, testing for weaknesses and exploiting them while also identifying the most valuable information to steal. Though statistics show at least $700 million a month being lost to phishing, we'll never be able to quantify the loss of privacy from the billions of records breached via phishing and related social engineering scams.

Before you dismiss phishing as something only your grandmother would fall for, remember that even Amazon titan and "world's richest man" Jeff Bezos was hacked via social engineering and an infected video file sent to his iPhone.

Question

4. What is "ransomware"?

Ransomware is malware that either threatens to publish a victim's data, locks up data, or blocks access to a computer system or network until a ransom is paid. In modern attacks, it almost always involves encrypting a victim's data and offering the password or key to decrypt that data when the attacker receives payment, requested in the form of cryptocurrency such as Bitcoin.

Ransomware is an old concept that bounced back with a vengeance in 2017, when the Microsoft Windows EternalBlue vulnerability allowed waves of ransomware attacks to proliferate. In that year alone, WannaCry affected 150 countries and Petya affected 65. These attacks were often targeted at government, municipal, and healthcare systems, creating very dire problems worldwide. The UK's National Health System (NHS) was the most prominent example of the ransomware chaos but a 2020 study underscores that the U.S. was certainly not immune:

More than 1,500 healthcare organizations have been hit with successful ransomware attacks since 2016, costing the sector over $160 million during that time... given the HHS reporting tool only includes breaches impacting 500 patients or more and other research limitations, researchers stressed that the findings “only scratch the surface of the problem.”... Ransomware amounts varied from just $1,600 to as much as $14 million, while downtime spurred by an infection could vary by weeks and even months. And hackers have demanded ransoms as much as $16.48 million since 2016. However, since not all providers disclose demand amounts, the numbers could be vastly different. In fact, a breakdown of downtime costs found that states that saw only one ransomware incident could expect to lose a minimum of $918,000 for the event, or as much as $1.4 million. While states like California – that saw 25 ransomware incidents – could see downtime costs between about $22.95 million and $35 million.

Law enforcement agencies recommend that victims not pay ransoms, especially since only approximately 19% get their data back. Despite this, public and private organizations often pay up, a fact which may never be disclosed. Doug Levin of the K-12 Cybersecurity Resource Center underscores the secrecy and embarrassment often playing a role in school districts that have been attacked, explaining that, in most cases, "it can be very difficult to know whether or not there has been a data breach."

It is relatively trivial to alter ransomware to just wreak havoc without any care for monetary gain, to disguise nation-state cyber attacks as typical cybercrime, and to play "pranks" on people. A new strain asks for photos of a woman's breasts for payment, and the violation such a payment represents is anything but a joke. Whatever the intent of those attacks, there's no question that fine-grained and very personal targeting is fueling the rebirth of ransomware:

The pivot back to ransomware can largely be attributed to the attacker’s ability to contextualize the malware and weaponize it in targeted attacks. These enhanced capabilities are exacerbated by the ease of access through ransomware as a service, which enables script kiddies to launch formidable attacks.

Ransomware is a targeted attack that has a huge impact on our personal lives and institutions, and seems to have once again gained momentum in 2019 and early 2020.

Question

5. What are "cyber weapons"?

Powerful network actors stockpile vulnerabilities and create exploits with their vast knowledge of holes in computer systems. Targeted attacks that utilize these exploits are often called cyber weapons, especially when the goal of the attacker is to cause political instability or gain a strategic advantage over a nation-state competitor. When exploits are "weaponized", it means that attacks are made easy to reproduce and deploy, just like a computer operator flying a Predator drone from a distance.

Much of the Snowden disclosures about the NSA concerned mass surveillance, but there were also revelations regarding targeted surveillance by the Tailored Access Operations (TAO) unit:

[Often] an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets. The NSA unit's software engineers would rather tap into networks than individual computers because there are usually many devices on each network. Tailored Access Operations has software templates to break into common brands and models of "routers, switches, and firewalls from multiple product vendor lines," according to one document describing its work.

Targeted surveillance via direct attacks on infrastructure has a long history in the annals of U.S. intelligence and, it seems, a long future. After 2013, much of the arsenal of cyber weapons appears to have shifted from the NSA to the CIA. This became clear in 2017 with the WikiLeaks Vault 7 and Vault 8 disclosures, where the new organizational chart of the CIA showed that targeted attacks were the primary business of the Center for Cyber Intelligence (CCI). CCI itself has more departments and sub-units than the rest of the CIA, an infrastructure that is primarily focused on targeted attacks and the obfuscation of those attacks via misattribution.

The CCI unit's capabilities cannot be overstated. It was able to compromise cars, smart TVs, all popular Web browsers, Android, iOS, Windows, macOS, and even GNU/Linux, and to infect the firmware of a huge percentage of the world's router brands such as Cisco/Linksys. WikiLeaks worked directly with the affected companies and organizations to patch and mitigate, but it is likely the CCI has rebounded. In the context of targeted attacks, it's important to emphasize just how widely these cyber weapons were deployed. They approach the level of ubiquity of NSA programs like PRISM, calling into question our assumptions about the separation of mass and dragnet surveillance from what we call "targeted". While the spotlight was on the NSA and mass surveillance became increasingly criticized and costly (partially thanks to the implementation of encryption), the CIA quietly built its arsenal of cyber weapons and hired more weapons designers.

In 2019 and 2020, there is no doubt that other intelligence organizations and their contractors have cyber weapons arsenals rivaling, or developed in tandem with, those of the CIA and NSA. Israel's NSO Group is a prime example, deploying targeted attacks against human rights activists and journalists in various countries. These may include the U.S., UK, India, Mexico, UAE, Saudi Arabia, Pakistan, and more, though the extent of NSO's reach is not yet known. NSO was complicit in the murder and dismemberment of Saudi journalist Jamal Khashoggi in 2019, the same year that they infiltrated WhatsApp and were sued by Facebook for doing so. When Canada's Citizen Lab investigated NSO, they too were targeted, and it's now clear that NSO has also attacked citizens in the U.S.

New York Times journalist Ben Hubbard was targeted via an SMS text that included a malicious hyperlink to NSO's Pegasus spyware, an example of phishing being used successfully on a cellphone. It now seems likely that a similar attack on the phone of Jeff Bezos is linked to Pegasus, and there are deep ties to NSO both in the Ivy League and Britain.

For individuals and organizations worried about cyber attacks, the proliferation and deployment of cyber weapons by nation-state actors, as well as groups that exfiltrate these weapons for their own means, is bad news. We're less secure than ever because, rather than de-escalate and disclose security vulnerabilities in a responsible manner, the world's most powerful nations are stockpiling and hoarding cyber weapons.

Question

6. What steps can I take to defend myself?

When the whole world seems to be conspiring against you (criminals, opportunists, voyeurs, and spies), take a deep breath and look for solutions rather than throwing your hands up in defeat. Most of these targeted attacks, even those deployed by spies, rely upon social engineering and take advantage of our goodwill and naïvety. The first step is to be skeptical and slow down while communicating via any computer or mobile device. The Privacy Issue offers these tips, which will help you navigate social engineering and make smart software choices:

  1. Targeted attacks often try to use greed, fear, and uncertainty as a motivation, luring you to act before you can think. When you receive a message, look for:

    - Errors in spelling, grammar, or punctuation.
    - Offers that are "too good to be true" or that require you to act quickly.
    - Appeals to emotion, such as tragic stories or alarming news about a loved one.
    - A lack of personalization (e.g. "Sir", "Madam", etc.).
  2. Legitimate companies have stopped requesting information directly via e-mail or text message. If you have never been contacted by a company via a text or e-mail before, and never gave permission for the company to do so, it's a big red flag. Targeted attacks may come in the form of:

    - A service provider like Google or Apple warning you about an account closing.
    - A delivery company asking about a failed delivery.
    - A retailer asking about gift cards.
    - Software support asking to take control of your desktop computer.
    - A tax rebate or immigration authority.
    - A bank asking about the purchase of an expensive item.
  3. Keep your software updated and patched for the latest security vulnerabilities. This may not always protect you, but it is often the front line against the latest attacks.
  4. Consider trying a GNU/Linux or other Free and Open-Source Software (FOSS) operating system. These operating systems aren't completely impervious to attack, but they rely upon a global community of experts for fast patching and security audits. Secrecy is one of the primary reasons Microsoft Windows machines are attacked with such frequency, as is Microsoft's cooperation with, and source code disclosure to, U.S. government agencies such as the NSA.
  5. If you have an iPhone / iOS, consider choosing a new phone with a version of Android that does not rely upon Google.

    - iOS has a disproportionate number of attacks targeting it in the Vault 7 and Vault 8 archives, alluding to a desire by intelligence agencies to attack owners of these status-symbol phones.
    - Android is fundamentally flawed due to its reliance upon Google, but there are versions of it ("ROMs") that do not ship with any Google code.
    - You can install software from the tracker-free F-Droid instead of Google Play. F-Droid only includes apps with public source code available, and installing apps from F-Droid reduces the attack surface of the software your phone is running.
  6. Whatever operating system you're running, be careful before installing software from unauthorized sources. On a desktop computer, learn how to verify checksums for software. This will ensure the software you download and install is identical to the software the developers intended.
  7. Choose a "dumb phone" or a smartphone running a completely different operating system than Android or iOS.
  8. Develop a password strategy that includes a password manager and a physical token or multi-factor authentication.
  9. Regularly scan your files for malware, including your backups. Even if you are not facing an attack, you can stop the proliferation through your networks by "being a good neighbor".
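
Tip 6 recommends verifying checksums before installing downloaded software. The following is an added example (not code from The Privacy Issue) of what that check actually does: it hashes the downloaded file piece by piece, parses the `SHA256SUMS`-style list that many projects publish next to their downloads, and reports whether the bytes on disk match the published digest. The file names, the "mirror" directory and the file contents are constructed for the demo; the one published digest in it is the real SHA-256 of the bytes `hello world`, so a reader can recompute it with any tool.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash large installers in 1 MiB pieces


def sha256_file(path):
    """Hash a file incrementally so a multi-gigabyte ISO never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sums(text):
    """Parse the format written by sha256sum: '<hex>  <name>' or '<hex> *<name>'.

    Returns {file name: lowercase hex digest}. Blank lines, '#' comments and lines
    that do not carry a 64-character digest are skipped rather than trusted.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()  # '*' only marks binary mode
    return entries


def check_download(path, sums_text):
    """Compare a downloaded file against the publisher's checksum list.

    Returns 'ok', 'mismatch' or 'not-listed'. Only 'ok' means the bytes on disk are
    the ones the developers published; anything else is a reason not to install.
    """
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "not-listed"
    actual = sha256_file(path)
    # Constant-time comparison is the habit to keep whenever digests are compared.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed stand-in for a vendor's SHA256SUMS file. The digest below is the
# genuine SHA-256 of the bytes b"hello world", which the demo writes to disk.
PUBLISHED_SUMS = (
    "# SHA256SUMS (constructed for this example)\n"
    "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  tool-1.0.tar.gz\n"
)


def demo():
    """Three constructed cases: a genuine download, a tampered copy, an unlisted file."""
    with tempfile.TemporaryDirectory() as workdir:
        genuine = os.path.join(workdir, "tool-1.0.tar.gz")
        with open(genuine, "wb") as fh:
            fh.write(b"hello world")  # stands in for the real archive bytes

        # Same file name served from a different (hypothetical) mirror, one byte added.
        os.makedirs(os.path.join(workdir, "mirror"))
        tampered = os.path.join(workdir, "mirror", "tool-1.0.tar.gz")
        with open(tampered, "wb") as fh:
            fh.write(b"hello world!")

        unlisted = os.path.join(workdir, "plugin.zip")  # never appeared in SHA256SUMS
        with open(unlisted, "wb") as fh:
            fh.write(b"unknown origin")

        return {
            "digest": sha256_file(genuine),
            "genuine": check_download(genuine, PUBLISHED_SUMS),
            "tampered": check_download(tampered, PUBLISHED_SUMS),
            "unlisted": check_download(unlisted, PUBLISHED_SUMS),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

On a GNU/Linux desktop the same check is `sha256sum -c SHA256SUMS` run in the download directory. One caveat worth knowing: a checksum only proves that the file matches the list you compared it against. If the list was fetched from the same place as the download, an attacker who can replace one can replace both, which is why many projects also publish a digital signature over their checksum file.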

As all of these strategies make clear, there are no "magic bullets". For that reason, you should also be skeptical of anyone claiming there are easy answers to these hard problems. Even if we stop the proliferation of cyber weapons, which is fostering black markets of targeted attacks, there will always be vulnerabilities and exploits that can be used against us. If we want a better, brighter, and safer digital future, we must empower ourselves and each other. And, hey, the next time someone says, "I think someone attacked my phone," maybe you should believe them.