Industrial Espionage and Targeted Attacks: Understanding the Characteristics of an Escalating Threat

  • Olivier Thonnard
  • Leyla Bilge
  • Gavin O’Gorman
  • Seán Kiernan
  • Martin Lee
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7462)


Recent high-profile attacks against governments and large industry demonstrate that malware can be used for effective industrial espionage. Most previous incident reports have focused on describing the anatomy of specific incidents and data breaches. In this paper, we provide an in-depth analysis of a large corpus of targeted attacks identified by Symantec during the year 2011. Using advanced triage data analytics, we are able to attribute series of targeted attacks to attack campaigns quite likely performed by the same individuals. By analyzing the characteristics and dynamics of those campaigns, we provide new insights into the modus operandi of attackers involved in those campaigns. Finally, we evaluate the prevalence and sophistication level of those targeted attacks by analyzing the malicious attachments used as droppers. While a majority of the observed attacks rely mostly on social engineering, have a low level of malware sophistication and use little obfuscation, our malware analysis also shows that at least eight attack campaigns started about two weeks before the disclosure date of the exploited vulnerabilities, and therefore were probably using zero-day attacks at that time.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    Bejtlich, R.: Understanding the Advanced Persistent Threat. Searchsecurity Magazine (July 2010),
  3. 3.
    Chien, E., O’Gorman, G.: The Nitro Attacks, Stealing Secrets from the Chemical Industry. Symantec Security Response,
  4. 4.
    Cova, M., Leita, C., Thonnard, O., Keromytis, A.D., Dacier, M.: An Analysis of Rogue AV Campaigns. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 442–463. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  5. 5.
    Dacier, M., Pham, V., Thonnard, O.: The WOMBAT Attack Attribution Method: Some Results. In: Prakash, A., Sen Gupta, I. (eds.) ICISS 2009. LNCS, vol. 5905, pp. 14–18. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  6. 6.
    Downs, J.S., Holbrook, M.B., Cranor, L.F.: Decision strategies and susceptibility to phishing. Institute for Software Research. Paper 20 (2006)Google Scholar
  7. 7.
    Dumitras, T., Shou, D.: Toward a Standard Benchmark for Computer Security Research: The Worldwide Intelligence Network Environment (WINE). In: EuroSys BADGERS Workshop (2011)Google Scholar
  8. 8.
    Falliere, N., Murchu, L.O., Chien, E.: W32.Stuxnet Dossier (February 2011),
  9. 9.
    Kornblum, J.: Identifying almost identical files using context triggered piecewise hashing. Digital Investigation 3(suppl.), 91–97 (2006)CrossRefGoogle Scholar
  10. 10.
    MacSweeney, G.: The Top 9 Most Costly Financial Services Data Breaches,
  11. 11.
    Pescatore, J.: Defining the Advanced Persistent Threat (2010),
  12. 12.
    Ross, R., Katzke, S., Johnson, A., Swanson, M., Stoneburner, M., Stoneburner, G.: Managing Risk from Information Systems: An Organizational Perspective. NIST Spec. Publ. 800-39 Appendix BGoogle Scholar
  13. 13.
    Doherty, S., Krysiuk, P.: Trojan.Taidoor: Targeting Think Tanks. Symantec Security Response,
  14. 14.
    Symantec. Symantec Intelligence Report (November 2011),
  15. 15.
    Symantec Security Response. The Luckycat Hackers, White paper,
  16. 16.
    Symantec Security Response. The Trojan.Hydraq Incident: Analysis of the Aurora 0-Day Exploit (January 2010),
  17. 17.
    The Ponemon Institute. Growing Risk of Advanced Threats. Sponsored by Netwitness (June 2010),
  18. 18.
    The Security for Business Innovation Council. When Advanced Persistent Threats Go Mainstream (August 2011),
  19. 19.
    Thonnard, O.: A multi-criteria clustering approach to support attack attribution in cyberspace. PhD thesis, École Doctorale d’Informatique, Télécommunications et Électronique de Paris (March 2010)Google Scholar
  20. 20.
    Thonnard, O., Dacier, M.: A strategic analysis of spam botnets operations. In: Proceedings of the 8th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2011, pp. 162–171. ACM, New York (2011)CrossRefGoogle Scholar
  21. 21.
    Thonnard, O., Mees, W., Dacier, M.: On a multicriteria clustering approach for attack attribution. SIGKDD Explor. Newsl. 12(1), 11–20 (2010)CrossRefGoogle Scholar
  22. 22.
    Week, I.: RSA SecurID Breach Cost $66 Million,
  23. 23.
    WOMBAT. Deliverable D22 (D5.2) Root Causes Analysis: Experimental Report,

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Olivier Thonnard
    • 1
  • Leyla Bilge
    • 1
  • Gavin O’Gorman
    • 2
  • Seán Kiernan
    • 2
  • Martin Lee
    • 3
  1. 1.Symantec Research LabsSophia AntipolisFrance
  2. 2.Symantec Security Response, Ballycoolin Business ParkDublinIreland
  3. 3.Symantec.cloudGloucesterUK

Personalised recommendations