Thwarting Cyber-espionage

ECE & Khoury College Associate Professor Engin Kirda is developing advanced malware detection software to analyze and protect against the growing number of targeted cyberattacks.

When it comes to Internet attacks, hackers have traditionally taken a blanket approach, sending out malware to large, random groups of people and hoping that something would stick. But in recent years, the standard operating procedure has shifted.

“In the past we used to see these opportunistic attacks where people get randomly attacked on the Internet,” said Northeastern professor Engin Kirda, a cybersecurity expert who holds joint appointments in the Khoury College of Computer Sciences and the Department of Electrical and Computer Engineering. “But lately we’ve seen organizations and sometimes even countries specifically targeting an organization with the aim of industrial espionage.”

In groundbreaking new research to be presented at the top-tier USENIX Security conference this month, Kirda and his collaborators at the Max Planck Institute in Germany and the University of Singapore analyzed what they called targeted, sophisticated attacks via email against a nongovernmental organization in China called the World Uyghur Congress. The WUC represents a large ethnic minority in China and was the victim of several suspected targeted attacks over the course of several years.

What they found was that “the language and subject matter of malicious emails were intricately tailored to appear familiar, normal, or friendly,” with the sender impersonating someone else to lure the recipient into opening an attachment or URL. As Kirda put it, “all hallmarks of social engineering.”

“People started talking about this five, six years ago, but we didn’t see a lot of evidence of targeted attacks,” said Kirda, who directs Northeastern’s Institute for Information Assurance. “Now we’re seeing it a lot. So people know these things are happening, but in terms of scientific results there wasn’t much out there, because it’s difficult to get the data.”

For their study, the NGO offered to share data directly with the researchers: two volunteers from the company offered up more than 1,000 suspicious emails that were also sent to a total of more than 700 unique email addresses, including top officials at the organization as well as journalists, politicians, academics, and employees of other NGOs.

In the new research, the team used software developed at Lastline—a security company Kirda co-founded—as well as other techniques to identify some key features of the WUC attacks. They found that social engineering was critical to the attackers’ ability to gain access to victims’ accounts; the suspicious emails were sent from compromised accounts within the company or sported email addresses that differed from friendly addresses by a single character or two. Most of the messages sent to WUC and others were in the Uyghur language, and about a quarter were in English.

They also discovered that the vectors through which the malware was delivered were most often attached documents, rather than the ZIP or EXE files that recent cyberespionage reports had identified as the most common vectors. In addition, the malware delivered to the victims was found to be quite similar to that used in other recent targeted attacks, rather than representing so-called “zero-day malware,” which is malware that has never been observed before.
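The two traits described in the preceding paragraphs (sender addresses a character or two away from a friendly one, and documents rather than ZIP or EXE files as the delivery vector) are simple enough to check mechanically at the mailbox. The following Python triage script is an added illustration of that check; it is not code from the paper, from Lastline or from the WUC data set. The contact list, the extension tables and the sample messages are constructed for the example, and the edit-distance threshold of two is an assumption taken from the article's “a single character or two.”

```python
"""Mailbox triage for two traits of the targeted emails described above:
sender addresses that differ from a known contact by a character or two,
and malicious payloads carried in attached documents rather than ZIP/EXE.

Added example for this article; not code from the paper or from Lastline.
The contact list, extension tables and sample messages are constructed.
"""
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed address book of senders the organization trusts.
KNOWN_CONTACTS = {
    "director@example-ngo.org",
    "press@example-ngo.org",
    "alice.reporter@example-news.org",
}

# Constructed extension tables for the three delivery vectors named above.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_contact(sender: str, contacts: Iterable[str],
                      max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Return (contact, distance) for the trusted address `sender` most
    closely imitates, or None.  An exact match is reported as None: it is
    either a genuine contact or a compromised one, which this check alone
    cannot tell apart (the article notes both kinds of sender were seen)."""
    sender = sender.lower()
    best = None
    for contact in contacts:
        d = levenshtein(sender, contact.lower())
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (contact, d)
    return best


def classify_attachment(filename: str) -> str:
    """Bucket a filename by its final extension into document, archive,
    executable or other (so "invoice.pdf.exe" counts as an executable)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in ARCHIVE_EXTS:
        return "archive"
    if ext in DOCUMENT_EXTS:
        return "document"
    return "other"


def triage(message: Dict[str, str],
           contacts: Iterable[str] = KNOWN_CONTACTS) -> Tuple[str, List[str]]:
    """Return (priority, reasons) for one message.

    high:   lookalike sender carrying a document, archive or executable
    medium: lookalike sender with no risky attachment, or an executable
            from any sender
    low:    everything else (reasons may still list a document attachment)
    """
    reasons = []
    hit = lookalike_contact(message["from"], contacts)
    if hit:
        reasons.append(f"sender imitates {hit[0]} (edit distance {hit[1]})")
    attachment = message.get("attachment", "")
    kind = classify_attachment(attachment) if attachment else "other"
    if kind != "other":
        reasons.append(f"{kind} attachment: {attachment}")
    if hit and kind != "other":
        priority = "high"
    elif hit or kind == "executable":
        priority = "medium"
    else:
        priority = "low"
    return priority, reasons


# Constructed sample messages: one genuine, two lookalike senders, one unrelated.
SAMPLE_MESSAGES = [
    {"from": "director@example-ngo.org", "subject": "Agenda", "attachment": "agenda.docx"},
    {"from": "director@exarnple-ngo.org", "subject": "Agenda (updated)", "attachment": "agenda.doc"},
    {"from": "press@exampie-ngo.org", "subject": "Statement", "attachment": ""},
    {"from": "bob@unrelated.example", "subject": "Hello", "attachment": "notes.txt"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        priority, reasons = triage(msg)
        print(f"{priority:6} {msg['from']:32} {'; '.join(reasons) or '-'}")
```

The edit-distance check deliberately ignores exact matches: a message from a genuine but compromised account, the other sender pattern the study reports, looks identical at the address level and has to be caught by content or behavioural analysis instead, which is the gap the later paragraphs on static versus on-the-fly detection describe.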

Kirda noted that standard malware detection software is insufficient for detecting targeted attacks because it looks at the suspicious documents as static entities after they’ve performed the attack. As a case in point, the research team analyzed the entire body of existing malware detection software for its ability to detect the malicious attachments in the email corpus from WUC. No single software detected all of the malware used in the targeted attacks, and some malware evaded all of the software analyzed. Since targeted attacks utilize sophisticated malware that can adapt to its environment, more sophisticated detection techniques must be used instead, Kirda said.

In an effort to address that problem, his team at Lastline developed software that is able to analyze malware “on the fly”—to observe it in action and see if it behaves suspiciously. While more research must be done to broaden the scope, the current work represents an important first step in analyzing the new wave of targeted attacks taking place around the globe.

Understanding such attacks, Kirda said, is critical to developing software capable of protecting against them. Lastline develops technology to defend against today’s evasive and advanced cyberthreats.

“It’s very important for high-tech universities like Northeastern to have spin-offs because you get the return on investment and you get to see how the real world actually works,” Kirda said. “We get data from the company that we can use in our research.”
