There's no question that the malware used in the 10% of targeted attacks has become more sophisticated, and this will continue as long as the attacks are profitable and low-risk.
Speaking to IT Security Guru, Kaspersky Lab senior security researcher David Emm said that profit is certainly the main motive behind malware development and the level of complexity of any attack is proportionate to the aims of the attacker and the means they need to employ to achieve their goals.
In the week in which the major threat actor The Mask was announced, Emm said that there will be a steady increase in the number of targeted attacks. "It may be that some of those currently engaged in mass attacks will switch to the development of malware for use in targeted attacks," he said.
He said that while the time and effort required to launch a targeted attack not only involve gathering intelligence about the company and its staff, but may also require the development and testing of bespoke software used against only one victim, the use of one or more zero-day exploits, heavy code obfuscation to make analysis harder, and the implementation of rootkits (or bootkits: a rootkit installed before the operating system itself loads) to hide the activities of the malware, Kaspersky Lab had "already started to see the emergence of cyber-mercenaries - 'guns for hire' who can develop code for a black market in targeted attacks".
Asked if there are campaigns going on now that we will only know about in 1-2 years' time, Emm said that this is entirely possible, as often the roots of an attack reach back in time from the point at which it becomes known and is analysed and reported.
"This was the case with Stuxnet – the more we analysed it, the further back we had to place its date of origin," he said. "One of the problems with a targeted attack is that it may use custom software modules that are tailored for one specific attack or campaign. Since there are few victims (in some cases, only one), they generate very little 'noise' and may leave little, if any, evidence of their presence."
Dan Raywood is editor of IT Security Guru.