IT Threat Evolution in Q1 2013: New Incidents and Old Suspects

PETALING JAYA, May 31, 2013 - In their latest report, the experts at Kaspersky Lab  analyzed the development of IT threats in the first quarter of 2013. The first three months of the year turned out to be full of incident, especially when it came to cyberespionage and cyberweapons.

At the very beginning of the year, Kaspersky Lab published a major report with the results of a study into a five-year program of global cyberespionage operations. The operation was dubbed Red October  . These attacks targeted various government agencies, diplomatic organizations and companies around the world. In addition to workstations, Red October was also capable of stealing data from mobile devices, gathering data from network equipment, collecting files from USB drives, stealing email databases from local Outlook archives or from remote POP/IMAP servers and extracting files from local FTP servers on the Internet.

In February a new malicious program, dubbed MiniDuke, appeared on the scene. It penetrated systems using a 0-day vulnerability in Adobe Reader (CVE-2013-0640). An investigation into incidents involving this piece of malware was conducted by Kaspersky experts in conjunction with the Hungarian company CrySys Lab. MiniDuke’s victims turned out to be government agencies located in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland, as well as a research organization in Hungary, and a research institute, two scientific research centers and a medical facility in the US. In total, we detected 59 victims in 23 countries.

February also saw the publication of an extensive PDF report by Mandiant on a series of attacks launched by a group of Chinese hackers going by the name of APT1. Mandiant states that APT1 appears to be a division of the Chinese army. This is not the first time Beijing has been accused of complicity in cyberattacks against government agencies and organizations in other countries. And there is nothing particularly surprising about the Chinese government’s firm rejection of the claims made in the Mandiant report.

Following on in late February, Symantec published a study  on a newly identified “old” version of Stuxnet — Stuxnet 0.5. It turned out to be the earliest known modification of the worm, and was active between 2007 and 2009. Experts have repeatedly stated that there were (or still are) earlier versions of the notorious worm, but this represents the first hard evidence.

“The first quarter of 2013 brought a huge number of major incidents related to cyberespionage and cyberweapons. Incidents that require months of relentless investigation are relatively rare in the antivirus industry. Even rarer are events that remain relevant three years after they take place — like the detection of Stuxnet, for example,” said Dennis Maslennikov, Senior Malware Analyst at Kaspersky Lab.  “Although this worm has been studied by numerous antivirus vendors, there are still lots of modules that have only been examined briefly, if at all.  The study of Stuxnet version 0.5 has provided more information about this malicious program in general. It’s likely that we’ll find even more information in the future. The same can be said about the other cyberweapons detected after Stuxnet, as well as malware used in cyberespionage — there’s a lot we still don’t know.”

 The first quarter of 2013 also saw more targeted attacks against Tibetan and Uyghur activists. The attackers appeared to be using everything at their disposal to achieve their goals, and users of Mac OS X, Windows, and Android were subjected to attacks.

Back in 2011, we witnessed mass hacks of several companies and some major leakage of users’ data. It might seem like these attacks came to nothing — but not so! Cybercriminals remain as interested as ever in hacking large companies and getting their hands on confidential data, including user information. In the first quarter of 2013 victims included Apple, Facebook, Twitter, and Evernote, among others.

The mobile threat front was also full of incident in Q1 2013. January may have been a quiet month for mobile virus writers, but over the next two months Kaspersky Lab detected in excess of 20,000 new mobile malware modifications, which is equivalent to roughly half of all the malware samples detected over the whole of 2012.

There were also minor changes to the threat geography.  This time around, Russia (19%, -6 percentage points) and the US (25%, +3 percentage points) once again switched places in the ratings in terms of malicious hosting services — the US returned to first place. The percentages of other countries were more or less unchanged from Q4 2012.

The rating of the most prevalent vulnerabilities saw no significant shifts. Java vulnerabilities are still on top, detected on 45.26% of all computers. On average, Kaspersky experts counted eight different breaches on every vulnerable machine.

You can read the full version of the report on the evolution of IT threats in Q1 2013 at securelist.com <http://www.securelist.com/en/analysis/204792292/IT_Threat_Evolution_Q1_2013>