{
	"id": "34ba0140-0459-4534-af0e-0f3cfe6b7bbf",
	"created_at": "2026-04-06T00:18:03.408681Z",
	"updated_at": "2026-04-10T03:20:36.414459Z",
	"deleted_at": null,
	"sha1_hash": "bc1fcafbea5d213013ffb0aab4c9a0a49d7b14bd",
	"title": "Targeted Cyber Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3401339,
	"plain_text": "Targeted Cyber Attacks\r\nBy SearchSecurity and Syngress\r\nPublished: 2014-12-16 · Archived: 2026-04-05 12:36:14 UTC\r\nThe following is an excerpt from the book Targeted Cyber Attacks by Aditya Sood and Richard Enbody, published by Syngress. This section, from chapter three, explains the different attack models and vectors used to attack targets.\r\nInfecting the Target\r\nIn this chapter, we discuss the most widely used mechanisms for initiating targeted attacks. The chapter covers not only the attack model but also the different vectors used to reach targets. In the previous chapter, we covered the reconnaissance and information-gathering tactics attackers use to gain insight into the target environment and its behavior. We continue from there and discuss how attackers infect targets, directly or indirectly, to compromise them.\r\nWe classify the attacks used to infect a target in two ways:\r\n1. Direct attacks, in which the target network is exploited through vulnerabilities to gain access to potentially critical systems, or to obtain critical information that can be used to launch indirect attacks; for example, exploitation of web vulnerabilities.\r\n2. Indirect attacks, in which attackers use a number of layered attacks to accomplish the intrusion; for example, spear phishing and waterholing attacks.\r\n3.1 Elements used in incursion\r\nIt is important to understand the nature of the components used to conduct successful targeted attacks. The most widely used and effective components in targeted attacks are discussed below:\r\nhttps://www.techtarget.com/searchsecurity/feature/Targeted-Cyber-Attacks\r\nPage 1 of 13\r\nSocial engineering: Social engineering deals with techniques for manipulating a user's psychology by exploiting trust. 
Social engineering often exploits a user's poor understanding of technology: users are unable to recognize the attack patterns used in targeted attacks. Social engineering is one of the predominant components of targeted attacks because it is what sets the attack vector in motion.\r\nPhishing e-mails: The term phishing was first used in Internet literature in 1996, by the hacker group that stole America Online (AOL) account credentials. The spelling derives from phreaking, the earlier practice of breaking into telephone networks, often with the help of social engineering. A phishing attack is likewise based on social engineering: users are tricked into opening malicious attachments or links embedded in e-mails. The e-mails are designed to look legitimate and serve as bait or hooks to trap the targets (the analogy is catching fish in a sea of Internet users). Phishing is the most widely used attack vehicle in targeted attacks.\r\nVulnerabilities and exploits: Vulnerabilities in web sites and software components, both known and unknown, can be exploited as part of an attack. The most virulent exploits are based on zero-day vulnerabilities, for which no details are publicly available; they are often a component of effective targeted attacks.\r\nAutomated frameworks: Automated frameworks are used in targeted attacks to ease the burden of exploitation on the attacker's side. The emergence of automated exploit kits has resulted in sophisticated and reliable exploitation of browsers: a number of exploits are bundled into one framework that fingerprints the browser for vulnerable components before serving an exploit. As a result, only vulnerable browsers are exploited, and the framework does not react to browsers that are patched. 
In targeted attacks, Remote Access Trojans (RATs) are deployed on infected machines to ease data theft and command execution.\r\nAdvanced malware: Given the nature of targeted attacks, advanced malware plays a crucial role in successful campaigns. The idea behind designing advanced malware is to operate stealthily and to go undetected for a long period so that the attack persists. Stealthy rootkits are designed for this purpose, as rootkits hide themselves below the radar of antivirus engines. However, less sophisticated malware has also been used in targeted attacks.\r\nPersistent campaigns: Attackers prefer to run small campaigns over a long duration. The motive is to persist and to monitor the target over time, collecting high-quality data in high volumes. Having discussed the elements of targeted attacks, the following sections describe the different attack models used to conduct them.\r\n3.2 Model A: Spear phishing attack: Malicious attachments\r\nSpear phishing attacks have been used for a long time. Spear phishing differs from generic phishing in that it is targeted against a particular individual or organization. Traditional phishing attacks capture sensitive information from end users by duping them with social engineering tactics or simply exploiting their naive understanding of technology, and malware authors have used them to spread malware broadly across the Internet. In targeted attacks, spear phishing plays a very effective role. 
Figure 3.1 shows a generic model of the spear phishing attack as used in the wild.\r\nFigure 3.1: Spear phishing attack model used to launch targeted attacks. Source: Aditya K Sood and Richard Enbody.\r\nThe model can be explained as follows:\r\nThe attacker conducts a spear phishing attack in which devious e-mails carrying exploit code, in the form of attachments, are sent to the targets.\r\nThe target audience believes the e-mails to be legitimate and opens the attachment.\r\nThe exploit code triggers a vulnerability in an application component and runs its hidden payload, executing commands in the context of the end-user system.\r\nOnce the exploit has run successfully, malware is downloaded onto the end-user system to compromise and infect it.\r\nThe malware further downloads a RAT to take complete control of the end-user system and to attack other systems on the internal network in order to steal data.\r\nOnce the data is stolen, the malware uses different channels or tunnels to transmit it to offshore servers managed by the attacker.\r\nA spear phishing attack was used against RSA in what became known as the \"RSA SecurID breach.\" The overall damage of this attack has not been determined, but it is believed that the attackers stole SecurID product information and the token seeds used by a number of organizations, including Bank of America, Lockheed, JPMorgan Chase, Wells Fargo, and Citigroup. The RSA breach therefore compromised the SecurID authentication tokens of a large set of users. As a result, most of those companies had to replace their tokens, and RSA bore the remediation and customer-service cost, approximately 95 million dollars in total [1]. 
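The attachment used against RSA, described in this section, was an XLS file with an embedded Adobe Flash (SWF) object. A mail gateway or an analyst triaging attachments can look for that pattern directly: a Flash object starts with a three-byte signature (FWS, CWS or ZWS), a version byte and a little-endian file length. The following is an added example written for this page, not code from the book or from RSA. It scans an Office attachment for plausible SWF headers, unzipping OOXML containers and scanning legacy OLE files as a whole; the sample input is constructed (a fake CFB header followed by a fake CWS header) and the size bounds are assumptions chosen to limit false positives.

```python
import io
import struct
import zipfile

OLE_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')  # legacy binary Office container (CFB: .xls, .doc)
ZIP_MAGIC = b'PK'                              # OOXML (.xlsx, .docx) is a zip archive
SWF_SIGNATURES = (b'FWS', b'CWS', b'ZWS')      # uncompressed, zlib-compressed, LZMA-compressed SWF
MAX_SWF_LENGTH = 200 * 1024 * 1024             # assumption: anything larger is noise, not Flash

def swf_headers(data):
    '''Return (offset, signature, version, declared_length) for every plausible SWF header in data.'''
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            off = data.find(sig, start)
            if off < 0:
                break
            start = off + 1
            if off + 8 > len(data):
                continue
            version = data[off + 3]
            length = struct.unpack_from('<I', data, off + 4)[0]
            # the three letters occur by chance in text, so require a sane version and length
            if 1 <= version <= 50 and 8 <= length <= MAX_SWF_LENGTH:
                hits.append((off, sig.decode('ascii'), version, length))
    return sorted(hits)

def scan_office_file(data):
    '''Triage an Office attachment for embedded Flash.
    Returns (container_type, [(member, offset, signature, version, declared_length), ...]).'''
    if data.startswith(ZIP_MAGIC):
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():           # e.g. xl/embeddings/oleObject1.bin in a real .xlsx
                for hit in swf_headers(zf.read(name)):
                    hits.append((name,) + hit)
        return ('ooxml', hits)
    if data.startswith(OLE_MAGIC):
        # CFB streams are sector-based; a header straddling a sector boundary would be missed
        return ('ole', [('(whole file)',) + hit for hit in swf_headers(data)])
    return ('unknown', [('(whole file)',) + hit for hit in swf_headers(data)])

def constructed_sample():
    '''A fake legacy .xls: CFB magic, zero padding to the first sector, then a CWS header.
    Constructed for this example; it is not a real spreadsheet.'''
    swf = b'CWS' + bytes([10]) + struct.pack('<I', 4096) + bytes(64)
    return OLE_MAGIC + bytes(512 - len(OLE_MAGIC)) + swf

if __name__ == '__main__':
    print(scan_office_file(constructed_sample()))
```

A hit is a triage signal for detonation in a sandbox, not proof of exploitation: legitimate documents can embed Flash, and a real embedded object may sit inside a compressed OLE stream where this byte scan will not see it, so a miss is not proof of absence either.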
In the RSA attack, the attacker targeted two different groups of employees over a period of two days with a well-crafted phishing e-mail. The e-mail carried an XLS file containing exploit code for a then-unknown vulnerability. Figure 3.2 shows what the phishing e-mail targeting RSA looked like; there could be other variants, but this one was widely circulated. The attachment was a file named \"2011 Recruitment Plan.xls\" carrying exploit code for a zero-day Adobe Flash Player vulnerability, later identified as CVE-2011-0609. Once the exploit ran, the malware gave the attackers control of the employee's workstation and, from there, of internal servers. The attackers used a RAT named Poison Ivy [3] to keep persistent control over the compromised systems. The stolen information was compressed and exfiltrated from the infected network over FTP. The full technical analysis of the exploit used in the RSA breach shows how the vulnerability was exploited through the SWF (Adobe Flash file format) component embedded in the XLS file [4].\r\nFigure 3.2: Targeted e-mail used in the RSA spear phishing attack. Source: Wired.com [2].\r\n3.3 Model B: Spear phishing attack: Embedded malicious links\r\nIn the model discussed above, the attacker can alter the attack vector. Instead of sending malicious attachments, the attacker embeds malicious links in the spear phishing e-mails distributed to the target audience. On clicking the link, the user's browser is directed to a malicious domain running a Browser Exploit Pack (BEP) [5]. Next, the BEP fingerprints the browser, including components such as plugins, to detect any vulnerability that can be exploited to download malware. 
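Both this model and the waterholing model in Section 3.4 below come down to where an HTML document sends the victim's browser: a link in a spear phishing e-mail whose visible text names one site while the href points at another, or an iframe injected into a legitimate page that silently loads content from an attacker domain. The following is an added example written for this page, not the book's code, that applies both checks with the standard library. The sample e-mail and page are constructed, the hostnames are placeholders, and the registrable-domain comparison is a two-label heuristic that is an assumption (a public-suffix list is needed for suffixes such as co.uk).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkAndFrameCollector(HTMLParser):
    '''Collects every <a href> with its visible text, and the attribute set of every <iframe>.'''
    def __init__(self):
        super().__init__()
        self.links = []     # (href, visible text)
        self.iframes = []   # attribute dicts
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'a' and a.get('href'):
            self._href = a['href']
            self._text = []
        elif tag == 'iframe':
            self.iframes.append(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None

def site_of(url):
    '''Registrable-domain heuristic: the last two labels of the host (assumption; no public-suffix list).'''
    if '://' not in url:
        url = 'http://' + url
    host = (urlparse(url).hostname or '').lower()
    return '.'.join(host.split('.')[-2:])

def find_suspicious(html, page_host):
    '''Flag links whose visible text names a different site than the href, and iframes that are hidden or off-site.'''
    parser = LinkAndFrameCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        # visible text that looks like an address (has a dot, no spaces) is what the victim believes they click
        if '.' in text and ' ' not in text and site_of(text) != site_of(href):
            findings.append(('link-mismatch', text, href))
    for frame in parser.iframes:
        src = frame.get('src', '')
        style = frame.get('style', '').replace(' ', '').lower()
        reasons = []
        if frame.get('width') in ('0', '1') or frame.get('height') in ('0', '1'):
            reasons.append('hidden')
        elif 'display:none' in style or 'visibility:hidden' in style:
            reasons.append('hidden')
        if site_of(src) != site_of(page_host):
            reasons.append('off-site')
        if reasons:
            findings.append(('iframe', '+'.join(reasons), src))
    return findings

# Constructed samples; the hostnames are placeholders, not domains from the text.
SAMPLE_MAIL = '''
<p>Please review the updated plan at
<a href='http://hr-portal.example.net/plan'>intranet.example.com</a> before Friday.</p>
<p>Questions? Contact the <a href='http://intranet.example.com/help'>help desk</a>.</p>
'''

SAMPLE_PAGE = '''
<html><body><h1>Community news</h1>
<iframe src='http://cdn.example.org/banner' width='300' height='250'></iframe>
<iframe src='http://drop.example.net/i.html' width='0' height='0' style='display: none'></iframe>
</body></html>
'''

def demo():
    '''Runs both constructed samples; returns (mail findings, page findings).'''
    return (find_suspicious(SAMPLE_MAIL, 'mail.example.com'),
            find_suspicious(SAMPLE_PAGE, 'www.example.org'))

if __name__ == '__main__':
    for result in demo():
        print(result)
```

The same-site banner iframe is deliberately not flagged, which is the point of comparing sites rather than hosts; what remains is the zero-size, off-site frame of the kind described in the waterholing cases below, and a link that reads as the intranet but leaves the organization.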
This attack is known as a drive-by download attack, in which target users are coerced through social engineering into visiting malicious domains [6]. The attacker can register custom malicious domains, thereby avoiding the need to compromise legitimate web sites to host malware. Such custom domains are registered by the attackers, are not well known, and remain active only for a short period in order to avoid detection. This design is mostly used for broadly distributed infections rather than targeted ones; however, modifications to the drive-by download attack pattern make it targeted in nature. The context of the malware infection stays the same, but the modus operandi varies.\r\nTable 3.1: An overview of the structure of e-mails used in targeted attacks in recent years.\r\nTable 3.1 shows the different types of spear phishing e-mails with attachments that have been used in the last few years to conduct targeted cyber attacks. The \"Targeted E-mail Theme\" column shows the type of content attackers used in the body of the e-mail; the themes span politics, social issues, economics, nuclear matters, and so on. The waterholing attack model discussed in the following section is a variant of the drive-by download attack.\r\n3.4 Model C: Waterholing attack\r\nWaterholing attack [7] is a term coined by RSA researchers. In general usage, waterholes attract animals to a desired area so that hunting becomes easier; waterholes are, in effect, traps for hunting animals. 
The same concept applies to Internet users: specific web sites that the targeted users visit are infected to create waterholes.\r\nWaterholing is not a new attack vector but a variant of the drive-by download attack, in which browsers are exploited through a specific vulnerability to download malware onto end-user systems. The primary difference between a traditional drive-by download and a waterholing attack lies in how the attack is initiated. In waterholing, the attacker guesses, or uses stolen data (profiling the users of the target organization), to determine the set of web sites visited by the target organization's employees. Spear phishing is not used to engage the users; instead, knowledge of their browsing habits is used to plant the attack. Users are not coerced by e-mails or attachments into performing a specific action; rather, the attacker waits for them to visit legitimate web sites that have been infected. Figure 3.3 presents a model of the waterholing attack.\r\nThe model is explained as follows:\r\nThe attacker profiles the target users, using Open Source Intelligence (OSINT) methods or stolen information, to determine their browsing habits and find a set of web sites they visit frequently.\r\nOnce the users are profiled, the next step is to find vulnerabilities in those web sites (likely a subset of them) and exploit them to inject malicious code, so that users visiting the sites are infected with malware.\r\nThe attacker waits for the users to visit the infected web sites, where malware is installed onto their systems using the drive-by download technique.\r\nOnce the browser is exploited and the system is infected with malware, a RAT is downloaded onto the compromised system. 
The RAT allows the attacker to administer the system and to attack other systems on the internal network.\r\nOnce the system is compromised, data is stolen and exfiltrated to an attacker-controlled system on the Internet.\r\nFigure 3.3: Waterholing attack model. Source: Aditya K Sood and Richard Enbody.\r\nThe waterholing attack has been broadly deployed, and a number of cases have been observed in the last few years. The Tibetan Alliance of Chicago [8] web site was compromised to attack its visitors: malicious code was placed inside an iframe (an inline frame used to load HTML/JavaScript content from a third-party server) that redirected the user's browser to a malicious domain serving a backdoor. The US Department of Labor web site was compromised in a waterholing attack, and the affected site was taken offline for an extended period [9]. VOHO [10] is yet another targeted attack based on waterholing. The VOHO name was coined by RSA for an attack campaign in which stolen FTP account credentials were used to implant malicious code on target web sites, specifically ones located in Washington DC and Massachusetts. Infections were triggered across multiple sectors, including defense, technology, education, and government. The attackers installed the Gh0st RAT Trojan on compromised machines to control subsequent operations on those systems. This attack shows how stolen information is used in targeted attacks to initiate infections that ultimately compromise the target systems.\r\n3.5 Model D: BYOD as infection carriers: USB\r\nUniversal Serial Bus (USB) devices such as thumb drives or portable hard disks are an excellent medium for carrying infections from one place to another when critical systems are not connected to the Internet. 
Targeted attacks against critical infrastructure such as Industrial Control Systems (ICSs) are on the rise, and those installations are often not directly connected to the Internet. The targeted attack known as Stuxnet had the capability to spread through an infected USB device that could be plugged into critical systems in the course of routine operations. The ICS Computer Emergency Response Team (ICS-CERT) released a report detailing a number of incidents that resulted from USB infection [11]. Infected USB devices execute code in two different ways. First, an autorun.inf file launches hidden malware stored on the USB device itself. Second, rogue shortcut files (.lnk) are generated that point to the malicious code; when a user clicks the shortcut, the malicious code is executed.\r\nIn an ICS environment, USB devices are used to back up configurations and to deliver updates to the computers running in the control network. Managing these control systems generally requires an individual (a third-party vendor or technician) who manually performs operations on the critical systems; the USB device serves as a storage and backup medium, but if it carries malware it is also an infection carrier. This is a serious problem with Bring Your Own Device (BYOD) arrangements, where a device that has been connected to the Internet can, once plugged in, compromise the complete network. ICS-CERT reported an incident of exactly this kind in which a third-party vendor used an infected USB device to perform updates on turbine control systems; the systems became infected and failed to start for three weeks, resulting in considerable business loss. 
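The two USB execution modes described above, an autorun.inf that launches hidden malware and rogue .lnk shortcuts, can be audited before a removable drive is trusted on a control-network host. The following is an added example written for this page, not the book's code or any ICS-CERT tool. It parses an autorun.inf, extracts what Windows would launch from it, and cross-checks that against a listing of the volume; it additionally flags a common .lnk variant that is an assumption beyond the text, where the shortcut carries the name of a folder that has been hidden so the victim opens the shortcut instead of the folder. The autorun text and the listing are constructed.

```python
BS = chr(92)   # backslash, spelled out so the sample survives JSON-style escaping
DQ = chr(34)   # double quote

def parse_autorun(text):
    '''Parse autorun.inf (INI syntax); returns (key, value) pairs from [autorun*] sections, keys lower-cased.'''
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section is None or not section.startswith('autorun') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        entries.append((key.strip().lower(), value.strip()))
    return entries

def launch_targets(entries):
    '''Programs autorun.inf would run: open=, shellexecute= and shell<verb>command= directives.
    Quoted paths containing spaces are not handled; the first whitespace-separated token is taken.'''
    targets = []
    for key, value in entries:
        is_verb = key.startswith('shell' + BS) and key.endswith(BS + 'command')
        if key in ('open', 'shellexecute') or is_verb:
            parts = value.split()
            if parts:
                targets.append((key, parts[0].strip(DQ)))   # drop arguments and surrounding quotes
    return targets

def normalise(path):
    '''Lower-case, forward to back slashes, strip a leading dot-backslash so it matches listing keys.'''
    p = path.lower().replace('/', BS)
    while p.startswith('.' + BS):
        p = p[2:]
    return p.lstrip(BS)

def audit_volume(listing, autorun_text):
    '''listing maps relative path -> attributes ({hidden, directory}); returns finding tuples.'''
    findings = []
    for key, program in launch_targets(parse_autorun(autorun_text)):
        target = normalise(program)
        hidden = bool(listing.get(target, {}).get('hidden'))
        findings.append(('autorun-launch', key, target, hidden))
    for name, attrs in sorted(listing.items()):
        if not name.endswith('.lnk'):
            continue
        shadow = listing.get(name[:-4], {})
        if shadow.get('directory') and shadow.get('hidden'):
            findings.append(('lnk-shadows-hidden-folder', name, name[:-4]))
        else:
            findings.append(('lnk-file', name, ''))
    return findings

# Constructed sample: an autorun.inf and a listing of the volume root.
SAMPLE_AUTORUN = '''
; constructed for this example
[AutoRun]
icon=drive.ico
label=Backup
open=RECYCLER{bs}svchost.exe
shell{bs}explore{bs}command=RECYCLER{bs}svchost.exe -e
'''.format(bs=BS)

SAMPLE_LISTING = {
    'autorun.inf': {'hidden': True},
    'drive.ico': {'hidden': False},
    'recycler' + BS + 'svchost.exe': {'hidden': True},
    'documents': {'hidden': True, 'directory': True},
    'documents.lnk': {'hidden': False},
    'report.docx': {'hidden': False},
}

def demo():
    '''Audits the constructed volume; returns the findings list.'''
    return audit_volume(SAMPLE_LISTING, SAMPLE_AUTORUN)

if __name__ == '__main__':
    for finding in demo():
        print(finding)
```

Any autorun-launch finding whose target is a hidden file, and any .lnk that shadows a hidden folder, is reason to image the drive rather than use it; the check is deliberately independent of whether AutoRun is enabled on the host, since the technician's laptop and the control-system host may differ.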
Similarly, the critical systems of a New Jersey company [12] were infected to take control of its heating, ventilation, and air-conditioning systems. Carelessness in handling USB devices can result in serious security compromises.\r\n3.6 Model E: Direct incursion: Network exploitation\r\nExploitation of vulnerabilities in the target network is the preferred mode of direct incursion, and the information gained from it can be used in conjunction with indirect attacks. Attackers keep an eye on the target's network infrastructure and try to detect exploitable vulnerabilities. After successful exploitation, advanced malware is planted on the server side to gain complete control of critical servers, from which the associated systems in the network can be infected in turn.\r\nIn recent years, several firms have been hacked in targeted attacks that caused substantial loss to their business. One notorious targeted attack was launched against Bit9 [13,14]. The attackers exploited an Internet-facing web server of Bit9 through a successful SQL injection that gave them access to Bit9's critical systems. SQL injection is an attack technique in which unauthorized SQL statements are injected as input values to parameters of a web application in order to manipulate the backend database. In addition to stealing data, SQL injection is used to inject malicious iframes into vulnerable Internet-facing web applications. Because of the insecure deployment of the web application (web server) at Bit9, the SQL injection led to the exposure of Bit9 code-signing certificates, which were stolen and used to sign malware, specifically kernel-mode drivers. Such certificates are particularly useful to an attacker because newer versions of Windows require kernel-mode drivers to be signed. 
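The SQL injection technique described above, as an added example that is not the book's code and says nothing about Bit9's actual application: a login check built by string concatenation beside its parameterised form, run against an in-memory SQLite table with constructed rows. The injected username closes the string literal and comments out the rest of the WHERE clause; the same string-built pattern in an UPDATE is what lets an attacker write an iframe into stored page content, the second use of SQL injection mentioned above.

```python
import sqlite3

SQ = chr(39)   # single quote, spelled out so the payload is unambiguous

def make_db():
    '''In-memory users table with constructed rows (plaintext passwords only to keep the example short).'''
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)')
    db.executemany('INSERT INTO users (username, password) VALUES (?, ?)',
                   [('admin', 'correct horse'), ('analyst', 'battery staple')])
    return db

def login_vulnerable(db, username, password):
    '''Query text assembled from input: quote characters in the input become SQL syntax.'''
    query = '''SELECT id, username FROM users WHERE username = '%s' AND password = '%s' ''' % (username, password)
    return db.execute(query).fetchone()

def login_safe(db, username, password):
    '''Parameterised query: the driver binds values, so quotes and comment markers stay data.'''
    return db.execute('SELECT id, username FROM users WHERE username = ? AND password = ?',
                      (username, password)).fetchone()

def injected_username():
    '''admin followed by a quote and a comment marker: closes the literal, comments out the password check.'''
    return 'admin' + SQ + '--'

def demo():
    '''Returns (vulnerable result, safe result) for the injected username with a wrong password.'''
    db = make_db()
    return (login_vulnerable(db, injected_username(), 'wrong'),
            login_safe(db, injected_username(), 'wrong'))

if __name__ == '__main__':
    print(demo())
```

The vulnerable function returns the admin row without the password; the parameterised one returns nothing, because the quote and the comment marker are bound as part of the username value rather than parsed as SQL. Escaping input by hand is not an equivalent fix, since the escaping rules differ per engine and per context (string literal, identifier, numeric), whereas binding removes the input from the parser entirely.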
The attackers planted advanced malware known as HiKit [15,16], a rootkit that is advanced and persistent in nature. The motive behind installing HiKit was to infect other Bit9 systems on the network and Bit9's customers (organizations). Once systems were infected with HiKit, the attackers deployed their own self-signed certificates and installed them into local trust stores posing as a root CA. In addition, the attackers turned off kernel driver signature enforcement by altering registry entries. This case shows that exploitation of Internet-facing web infrastructure can be the launching point of a targeted attack.\r\nA number of infection models used in targeted attacks have been discussed. Attackers can also tune broad-based malware-spreading mechanisms, such as malvertisements and social network infections, and use them in combination with targeted attacks. Malvertisements are heavily used to fool users into believing that the content presented by the server is legitimate, so that they execute malicious code from a third-party domain. Attackers can also host malicious software, such as fake Adobe Flash installers, on infected domains to lure victims into installing malware. Social network infections result in chain infections: if one user in the network is infected, subsequent infections can easily spread across the whole network. Since the user base of social networks such as Facebook is so large, attackers exploit this fact at scale. However, these infection mechanisms are noisy, which means the tactics are easily detectable by existing defenses. 
In order to use these tactics in the context of targeted attacks, the attackers have to make additional efforts to build stealthy malware that can spread under the radar without detection.\r\nIn this chapter, we have discussed the different strategies attackers adopt to engage targets and initiate infections. Spear phishing and waterholing models are heavily used in targeted attacks and result in successful infections. In the majority of these models, social engineering plays a vital role in initiating the infection process. Overall, the infection models presented in this chapter provide the launchpad from which attackers compromise target systems.\r\nAbout the authors:\r\nAditya K Sood (Ph.D) is a senior security researcher and consultant. Dr. Sood has research interests in malware automation and analysis, application security, secure software design, and cybercrime. He has worked on a number of penetration testing projects specializing in product/appliance security, networks, mobile, and web applications while serving Fortune 500 clients for IOActive, KPMG, and others. He is also the founder of SecNiche Security Labs, an independent web portal for sharing research with the security community. He has authored several papers for magazines and journals including IEEE, Elsevier, CrossTalk, ISACA, Virus Bulletin, Usenix, and others. His work has been featured in media outlets including Associated Press, Fox News, Guardian, Business Insider, CBC, and others. He has been an active speaker at industry conferences and has presented at DEFCON, HackInTheBox, BlackHat Arsenal, RSA, Virus Bulletin, OWASP, and many others. Dr. Sood obtained his Ph.D in Computer Science from Michigan State University.\r\nDr. Richard Enbody is an Associate Professor in the Department of Computer Science and Engineering. He joined the faculty in 1987 after earning his Ph.D. 
in Computer Science from the University of Minnesota. Richard received his B.A. in Mathematics from Carleton College in Northfield, Minnesota in 1976, and spent six years teaching high school mathematics in Vermont and New Hampshire. Richard has published research in a variety of areas, but mostly in computer security and computer architecture. He holds two nanotechnology patents from his collaboration with physicists. Together with Bill Punch he published a textbook using Python in CS1, The Practice of Computing Using Python (Addison-Wesley, 2010), now in its second edition. When not teaching, Richard plays hockey and squash, canoes, and takes part in a host of family activities.\r\nSource: https://www.techtarget.com/searchsecurity/feature/Targeted-Cyber-Attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.techtarget.com/searchsecurity/feature/Targeted-Cyber-Attacks"
	],
	"report_names": [
		"Targeted-Cyber-Attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434683,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc1fcafbea5d213013ffb0aab4c9a0a49d7b14bd.pdf",
		"text": "https://archive.orkl.eu/bc1fcafbea5d213013ffb0aab4c9a0a49d7b14bd.txt",
		"img": "https://archive.orkl.eu/bc1fcafbea5d213013ffb0aab4c9a0a49d7b14bd.jpg"
	}
}