Research in Attacks, Intrusions, and Defenses

Volume 7462 of the series Lecture Notes in Computer Science pp 64-85

Industrial Espionage and Targeted Attacks: Understanding the Characteristics of an Escalating Threat

  • Olivier ThonnardAffiliated withLancaster UniversitySymantec Research Labs
  • , Leyla BilgeAffiliated withLancaster UniversitySymantec Research Labs
  • , Gavin O’GormanAffiliated withCarnegie Mellon UniversitySymantec Security Response, Ballycoolin Business Park
  • , Seán KiernanAffiliated withCarnegie Mellon UniversitySymantec Security Response, Ballycoolin Business Park
  • , Martin LeeAffiliated withCarnegie Mellon

* Final gross prices may vary according to local VAT.

Get Access


Recent high-profile attacks against governments and large industry demonstrate that malware can be used for effective industrial espionage. Most previous incident reports have focused on describing the anatomy of specific incidents and data breaches. In this paper, we provide an in-depth analysis of a large corpus of targeted attacks identified by Symantec during the year 2011. Using advanced triage data analytics, we are able to attribute series of targeted attacks to attack campaigns quite likely performed by the same individuals. By analyzing the characteristics and dynamics of those campaigns, we provide new insights into the modus operandi of attackers involved in those campaigns. Finally, we evaluate the prevalence and sophistication level of those targeted attacks by analyzing the malicious attachments used as droppers. While a majority of the observed attacks rely mostly on social engineering, have a low level of malware sophistication and use little obfuscation, our malware analysis also shows that at least eight attack campaigns started about two weeks before the disclosure date of the exploited vulnerabilities, and therefore were probably using zero-day attacks at that time.