The University of Toronto today published a great research paper on targeted attacks.
We've talked about targeted attacks for years. These cases usually go like this:
1. You receive a spoofed email with an attachment
2. The email appears to come from someone you know
3. The contents make sense and talk about real things (and in your language)
4. The attachment is a PDF, DOC, PPT or XLS
5. When you open up the attachment, you get a document on your screen that makes sense
6. But you also get exploited at the same time
7. The exploit drops a hidden remote access trojan, typically Grey Pigeon or Gh0st Rat variant
8. No one else got the email but you
9. You work for a government, a defense contractor or an NGO
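The pattern above, as an added triage heuristic in Python (example code, not from the original post or from the researchers): it parses a message with the standard library and reports which of the listed traits it matches. The contact list, the document extension set and the sample message are constructed assumptions.

```python
# Added example (not from the original post): triage a message against the
# pattern above. The contact list and sample message are constructed.
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

DOC_EXTENSIONS = {".pdf", ".doc", ".ppt", ".xls"}
KNOWN_CONTACTS = {"Alice Example": "example.org"}  # name -> usual domain

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def triage(raw_message, known_contacts=KNOWN_CONTACTS):
    """Return the pattern indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    if name in known_contacts and _domain(addr) != known_contacts[name]:
        found.append("known contact's name, unexpected sender domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(addr):
        found.append("Reply-To domain differs from From")
    rcpt_headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    if len(getaddresses(rcpt_headers)) == 1:
        found.append("single recipient")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if "." + fname.rpartition(".")[2].lower() in DOC_EXTENSIONS:
            found.append("document attachment: " + fname)
    return found

# Constructed sample: known contact's name, other domain, one recipient, PDF.
SAMPLE = """\
From: Alice Example <alice@mail-example.net>
Reply-To: reports@another.example
To: bob@agency.example
Subject: Revised budget
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Bob, the revised budget is attached as discussed.
--XX
Content-Type: application/pdf; name="budget.pdf"
Content-Disposition: attachment; filename="budget.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XX--
"""
```

A real deployment would feed the indicator list into mail-gateway scoring; on its own it only surfaces messages worth a closer look.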
But the real news is that Greg Walton & co actually managed to get an inside view of some of the servers used in these spying attacks. This means they got to see what was being done with the infected machines and where in the world they were.
The release of the paper was synchronized with the New York Times article by John Markoff. The University of Cambridge released a related research paper at the same time as well. The Cambridge paper goes as far as pointing the finger directly at the Chinese Government. Most other parties, us included, have not made such direct accusations without concrete proof of government involvement.
For one reason or another, infowar-monitor.net has been down all day, so we've made a mirror of the research papers available here:
More resources: Here's a video that we posted earlier about targeted attacks:
And here are selected blog posts on the topic:
- Several examples of what the attack documents looked like
- The mystery of Sergeant "nbsstt"
- How we found the PDF generator used in some of these attacks
On 29/03/09 At 02:21 PM