In 2016 we’ve seen some amazing targeted threat events – election disruption, major financial fraud, more zero-days, new groups uncovered, etc.  Information security tends towards “firefighting” mode, always concerned with the latest or newest.  However, too easily we fall into “recency bias”, where we falsely give the most recent events the greatest weight in our mental model.  So, to break that, I take time each year to look back over the threats we saw earlier in the year to correct my perspective.  The most interesting items I find are those which challenge and break assumptions, causing me to reevaluate my models.  They’re the events which surprise and impress seasoned analysts.

This year I saw items fall into three categories:

  • Victimology & Intent – While targeted threats continue to conduct traditional espionage activities against both government and industry, both their victimology and intent are shifting slightly to better align with changing motivations.
  • Capabilities – Adversaries continue to value effectiveness over all else to support their operations (this year: macros and increasing evasion techniques).
  • “Duller Objects” – I call them the “dull objects” because they’re not shiny and don’t usually get much attention.  Yet they can pose as much of a threat as any shiny object, and they act as bellwethers.

Victimology & Intent

US Industry Victims

In September 2015, the US and China agreed that neither would “conduct or knowingly support theft of intellectual property.”  FireEye reported in “Redline Drawn” that there has been a significant drawdown of US-targeted operations since at least 2014.  But, while there has been a decline, they could not attribute it solely to the agreement.  Similarly, Symantec reported that in 2016 a notable threat group previously operating heavily against US targets, Buckeye, ceased US operations and shifted strongly towards Hong Kong.

What we learned: While no public smoking gun exists showing that the US-China agreement had a direct effect on US victims, there is a clear shift in operations according to FireEye and Symantec.  This illustrates that even after the long-standing “China hacking US” narrative that drove a majority of targeted threat protection investment, things can shift.

Swift Attacks

In February 2016 an adversary leveraged access into Bangladesh Bank, the country’s central bank, to defraud other banks of $81M while attempting fraudulent transactions totalling close to $1B.  Symantec correlated the attack to the Lazarus group based in the DPRK via malware analysis and similarity to the tools used to attack Sony Pictures.  SWIFT is the backbone of the global financial network, supporting over 6 billion messages/year between over 200 countries and territories.  However, thanks to a small typo by the adversary in the name of the non-profit supposedly benefiting from the transactions, an analyst caught the error and found the fraud, allowing SWIFT and the banks to unravel the operation.  Later, analysts discovered further fraudulent activity, possibly implying that either more than one group is active in the network or the Lazarus group had deeper or wider access than initially thought.

What we learned: If we trust Symantec’s analysis and attribution to the Lazarus Group, this is a significant event: state-enabled cyber actors conducting global financial fraud.  This could cause other financially struggling states to look to their cyber capabilities to enable financial fraud, and it increases the scope of victimology for groups which fit this profile.



Probably the biggest security story this year – and by far the biggest targeted threat ever in the public dialog: hacks into the Democratic National Committee (DNC), Democratic Congressional Campaign Committee (DCCC), World Anti-Doping Agency (WADA), and many others during a tumultuous year involving the US presidential election and the 2016 Olympics in Rio de Janeiro.

Traditionally, targeted threat activities like STRONTIUM exploit victims to gather intelligence and use it quietly, avoiding all attention.  They rarely use the intelligence publicly.  In this case, they posted (at least some of) the intelligence publicly in large dumps.  However, this is not the first example of such activity.  Previous examples include the dumping of Sony Pictures emails and the Syrian Electronic Army (SEA) dumping Forbes’ databases.

This, alongside other activity including intrusions into state election offices, made headlines and potentially affected the US election.

What we learned: STRONTIUM reinforced that the value of intelligence is not what you collect, but how you use it.  Like the Sony email dump, this likely points to a trend over time of dumping intelligence rather than hoarding it, especially in cases where the greatest harm will ultimately come from disruption.  This will further reinforce the relationship between cyber activities and traditional information operations.  Read more about STRONTIUM.


Macros – Macros Everywhere


Relegated by many to the past, macros came back this year with a vengeance.  As reported by both Microsoft and Trend Micro, macro threats rose significantly during 2016.

This was not limited to commodity threats (such as ransomware); targeted threats adopted macros as well.

Luckily, Office 2016 added a Group Policy setting (“Block macros from running in Office files from the Internet”) that lets administrators and defenders block macros in documents carrying an Internet Mark-of-the-Web, regardless of whether the user clicks “Enable Content.”
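The following is an added illustration, not Microsoft’s code, of the two conditions that policy combines: the document carries a VBA project, and its Mark-of-the-Web zone says it came from the Internet (ZoneId 3) or the Restricted zone (ZoneId 4).  The OOXML container and the Zone.Identifier stream are constructed in the block so it runs offline; the block handles only OOXML (.docm/.xlsm/.pptm and renamed variants), not legacy OLE2 files.

```python
"""Macro-document triage: flag Office files that carry VBA and came from the Internet.

Added example mirroring the logic behind the Office 2016 policy "Block macros
from running in Office files from the Internet". Not Microsoft's implementation.
"""
import io
import re
import zipfile
from typing import Optional

# Windows URL security zone identifiers (URLZONE_*); the policy fires at >= Internet.
ZONE_INTERNET = 3
ZONE_RESTRICTED = 4

# OOXML part holding compiled VBA. Present in .docm/.xlsm/.pptm, and still
# present when an attacker renames the file to a "safer" extension.
VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$")


def has_vba_project(doc_bytes: bytes) -> bool:
    """True if the OOXML zip contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            return any(VBA_PART.match(name) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML (legacy OLE2 .doc/.xls is out of scope here)


def parse_zone_id(zone_identifier: Optional[str]) -> Optional[int]:
    """Parse ZoneId from the body of a Zone.Identifier alternate data stream."""
    if not zone_identifier:
        return None  # no Mark-of-the-Web: file did not come through a browser/mail client
    m = re.search(r"^ZoneId\s*=\s*(\d+)\s*$", zone_identifier, re.MULTILINE)
    return int(m.group(1)) if m else None


def should_block_macros(doc_bytes: bytes, zone_identifier: Optional[str]) -> bool:
    """Block when the file has VBA AND originated from the Internet/Restricted zone."""
    zone = parse_zone_id(zone_identifier)
    return has_vba_project(doc_bytes) and zone is not None and zone >= ZONE_INTERNET


def build_sample_docm(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container for the demo; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")
    return buf.getvalue()


# Constructed Mark-of-the-Web stream, as browsers and mail clients write it.
INTERNET_MOTW = "[ZoneTransfer]\r\nZoneId=3\r\n"


if __name__ == "__main__":
    phish = build_sample_docm(with_vba=True)
    print("block downloaded macro doc:", should_block_macros(phish, INTERNET_MOTW))
    print("allow internal macro doc:  ", not should_block_macros(phish, None))
```

On Windows the stream body is read with `open(path + ":Zone.Identifier")`; on other platforms pass whatever your mail gateway or proxy recorded as the download origin.  Note the second case: a macro document that never crossed a zone boundary is not blocked by this policy, which is why it complements, rather than replaces, disabling macros outright where the business can tolerate it.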

What we learned: I always teach my students, “what was old will be new again” in the threat landscape.  It is critical that professionals study the threats of old because they, or some variant, will likely return.  However, our hubris often dismisses such threats because they’re not as “cool” as the newer techniques.  But, as we know, adversaries care less about newer techniques than they care about effectiveness.


Anti-forensics and sandbox evasion are not new.  However, as the security industry has matured and shortened the life-cycle of many threats, malware authors are increasingly using sandbox evasion throughout their entire kill chain.  Network defense has had to rely increasingly on automated techniques (such as dynamic malware detonation) because static signatures have failed, and malicious capabilities naturally respond to that defensive environment by disrupting the automated techniques.  Lastly, security researchers are increasingly effective at discovering and uncovering operations and pose an equal harm to malicious activity.

For targeted threats, this includes not only the long-term Trojan or backdoor, but the entire operations chain starting from the first stage.  It is now common to encounter JavaScript reconnaissance profiling the victim, with some back-end logic determining whether they’re “worthy” of receiving the dropper or later stages.  This victim profiling includes the locale of the host, domain affiliation, hostname, etc.  Further techniques include just-in-time decryption and modularization to prevent the full capability from being captured.
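To make the gating concrete, here is an added example (mine, not any group’s code) of the kind of back-end decision the paragraph describes, written from the defender’s side: the same rule set that decides whether a host is “worthy” of the dropper doubles as an audit of a detonation sandbox, listing every tell that would cause the first stage to go quiet.  The profile fields go beyond the three the text names (locale, domain affiliation, hostname) to include other commonly checked tells; the thresholds, name patterns and target locales are assumptions for the demo.

```python
"""Victim-profiling gate and the matching sandbox audit.

Added example of the first-stage gating behaviour described above; the field
list, patterns and thresholds are assumptions, not any specific group's logic.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class HostProfile:
    locale: str          # e.g. "en-US", as reported by the OS/browser
    hostname: str
    domain_joined: bool  # workstation belongs to a Windows domain
    username: str
    uptime_minutes: int  # detonation VMs are usually freshly booted
    cpu_count: int       # analysis VMs are often given a single vCPU
    recent_docs: int     # entries in the user's recent-documents list


# Assumed tells; real gating logic varies per campaign.
SANDBOX_NAME_PATTERN = re.compile(r"(sandbox|malware|virus|analysis|cuckoo|sample)", re.I)
GENERIC_USERS = {"admin", "user", "test", "sandbox", "john"}
TARGET_LOCALES = {"en-US", "en-GB", "de-DE"}  # assumed campaign targeting


def gate_reasons(p: HostProfile) -> List[str]:
    """Reasons a profiling stage would decline to serve the next stage (empty = serve)."""
    reasons = []
    if p.locale not in TARGET_LOCALES:
        reasons.append("locale outside target set")
    if not p.domain_joined:
        reasons.append("workstation not domain-joined")
    if SANDBOX_NAME_PATTERN.search(p.hostname):
        reasons.append("hostname looks like an analysis box")
    if p.username.lower() in GENERIC_USERS:
        reasons.append("generic username")
    if p.uptime_minutes < 10:
        reasons.append("freshly booted")
    if p.cpu_count < 2:
        reasons.append("single vCPU")
    if p.recent_docs == 0:
        reasons.append("no user activity history")
    return reasons


def would_receive_dropper(p: HostProfile) -> bool:
    """What the adversary's back end decides."""
    return not gate_reasons(p)


def audit_sandbox(p: HostProfile) -> List[str]:
    """Defender use: what a detonation VM must change before it looks 'worthy'."""
    return gate_reasons(p)


# Constructed profiles for the demo.
REAL_VICTIM = HostProfile("en-US", "FIN-WS-0417", True, "mjones", 5310, 4, 37)
DEFAULT_SANDBOX = HostProfile("en-US", "CUCKOO-WIN7", False, "user", 2, 1, 0)


if __name__ == "__main__":
    print("victim gets dropper:", would_receive_dropper(REAL_VICTIM))
    print("sandbox gets dropper:", would_receive_dropper(DEFAULT_SANDBOX))
    for r in audit_sandbox(DEFAULT_SANDBOX):
        print("  fix:", r)
```

The practical consequence for a detonation pipeline is that a default VM image scores zero on every axis and never receives the second stage, so the sandbox reports the first stage as benign.  Running this audit against the image you actually detonate in, and fixing each listed tell (domain-join it, age it, give it a realistic hostname and user history), is the cheap part; the expensive part is that the adversary adjusts the rule set once they notice.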

What we learned: This reinforces our understanding that adversaries will always react to the security environment.  Elements which harm their operations, such as security researchers or automated analytics, will always be countered over time.

The “Duller Objects”



PLATINUM is a fascinating activity group.  Their operations are like a textbook for targeted threats: zero-day usage, long-term persistence, novel DLL injection, time-limited operations to prevent discovery, anti-forensics techniques, political targeting, etc.

What we learned: Not only did we learn some fascinating new techniques about targeted threats to bolster our defenses, PLATINUM also taught us that a threat operating since at least 2009 can still be newly discovered in 2016.  This means there are likely many more targeted threats operating than have been cataloged by threat intelligence analysts.

Targeted Threat As A Service

What if you’re an actor with little-to-no native capability, yet you need intelligence collected from digital targets?  You go and buy it.  2016 saw some of the most advanced targeted threats as a service emerge.  Citizen Lab uncovered and documented an amazing history of targeting and exploitation against a human rights activist in the Middle East.  In particular, this exploitation prompted one of the largest security patches to Apple’s iOS, fixing three separate vulnerabilities chained together.  The vendor responsible is NSO Group from Israel.

Of course, this is not new; we’ve previously known about FinFisher and HackingTeam.  Their commercial hacking services target a range of victims.  Their hoarding of zero-days is also a target for others and a vulnerability for all, as seen in the HackingTeam dump.

What we learned: It is amazing how little coverage of these threats exists, yet the companies have public-facing profiles and usually disclose their activities on their websites.  More concerning, less capable states tend to be those with the worst human rights records, and so they use this commercial technology to gather intelligence on activists and others.  If we care about using our capabilities to protect the most vulnerable, these services should receive greater attention from the community.