I have been writing my thesis and am trying to come up with some a priori reasons why vendors releasing patches in certain ways will have certain effects.
The bit of research I have just cooked up seems to indicate that, for software which has a large community of users likely to get involved in testing patches, it makes more sense to release a detailed advisory and a patch as soon as possible, instead of keeping the issue to yourself and releasing a patch only when it is ready. This is still a very early version and is changing rapidly; please treat it as such.
I don't want to flood things with large images, so click on the graphs for a larger version.
Continue reading "Responsible Disclosure and Patching"
It seems attacks are maturing. Instead of wide-scale mass penetrations, attackers appear to be going for targeted and specific penetrations. This is backed up by several sources: Sophos' 2005 Report, the MessageLabs 2005 Report (1) and a warning from holy_father, author of the Hacker Defender rootkit.
There are several advantages to a targeted hack:
- The intrusion is less obvious. Attack detection is pretty poor, especially among home users, so there is less chance of the attack being noticed.
- The results are more manageable. Attackers don't need a million credit card numbers when several hundred will do.
- Sharing information about the attack with the wider community is less useful. This is most obvious with signature-based products such as IDS and anti-virus: vendors are less likely to get hold of a sample of the attack from which to create a signature, and any resulting signature is too specific to catch the next variant.
Both the Sophos and MessageLabs reports indicate that these sorts of attacks are on the rise, while holy_father's tool shows how easy it is to make anti-virus researchers run a losing signature-creation race. Given the large number of variants of existing malware (Netsky, Sober and Bagle in particular), just creating a signature for each variant seems silly; this is the old whitelist vs. blacklist debate again. Hacker Defender's premium offerings demonstrate the problem: you pay for a customised rootkit build, so on the off chance it is detected the resulting signature is only effective against that one customised version.
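To make the signature race concrete, here is an added example (mine, not holy_father's code or anything from the reports above). It builds several "customised" variants of one constructed payload by XOR-encoding it with a per-buyer key, shows that a byte signature extracted from the one sample the AV lab obtained does not match the next buyer's build, and contrasts that with a whitelist (allowlist) of known-good hashes, which needs no knowledge of the malware at all. The payload, the encoding stub and the allowlist entry are all made up for the example.

```python
import hashlib

# Constructed stand-in for the payload a malware family carries; the bytes are
# invented for this example and have no real meaning.
BASE_PAYLOAD = b"CONNECT c2.example.invalid:443 EXFIL /home/*/Documents"


def make_variant(payload: bytes, key: int) -> bytes:
    """Build a per-customer 'variant': a tiny decoder stub followed by the payload
    XOR-encoded with a one-byte key. A real customised rootkit build does far
    more than this, but one byte of key is already enough to defeat a byte
    signature taken from a different build."""
    stub = b"\x90STUB" + bytes([key])
    return stub + bytes(b ^ key for b in payload)


def extract_signature(sample: bytes, length: int = 16) -> bytes:
    """Blacklist approach: take a distinctive byte run from the captured sample.
    Real engines pick the run more carefully, but the weakness is the same."""
    return sample[-length:]


def signature_matches(sample: bytes, signature: bytes) -> bool:
    """Naive signature scan: does the captured byte run occur in the sample?"""
    return signature in sample


def allowlist_permits(sample: bytes, allowlist: set) -> bool:
    """Whitelist approach: only binaries whose hash is known-good may run."""
    return hashlib.sha256(sample).hexdigest() in allowlist


def signatures_needed(variants) -> int:
    """Greedily add a new signature for every variant the existing ones miss.
    Returns how many signatures the blacklist ends up carrying."""
    sigs = []
    for v in variants:
        if not any(signature_matches(v, s) for s in sigs):
            sigs.append(extract_signature(v))
    return len(sigs)


def demo() -> dict:
    """Compare both approaches on the sample the lab has and the one it doesn't."""
    variant_a = make_variant(BASE_PAYLOAD, 0x41)  # the copy the AV lab obtained
    variant_b = make_variant(BASE_PAYLOAD, 0x42)  # the customised copy sold to the next buyer
    sig = extract_signature(variant_a)
    # Constructed allowlist: one hypothetical known-good program.
    known_good = {hashlib.sha256(b"legit program bytes").hexdigest()}
    return {
        "sig_catches_a": signature_matches(variant_a, sig),
        "sig_catches_b": signature_matches(variant_b, sig),
        "allowlist_blocks_a": not allowlist_permits(variant_a, known_good),
        "allowlist_blocks_b": not allowlist_permits(variant_b, known_good),
    }


if __name__ == "__main__":
    print(demo())
    # One signature per customised build: the blacklist grows with every buyer.
    builds = [make_variant(BASE_PAYLOAD, k) for k in range(1, 21)]
    print("signatures needed for 20 builds:", signatures_needed(builds))
```

The point of `signatures_needed` is the linear growth: twenty customised builds need twenty signatures, each one useless against the twenty-first, whereas the allowlist rejects every unknown build with zero samples in hand. Whitelisting has its own costs (every legitimate update must be enrolled), which is why the debate the post refers to has never been settled.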
This isn't a new type of attack; skilled attackers have generally used very targeted attacks. What it indicates is that the threat's attack methods are maturing and getting better as a general trend, which is pretty scary. It also means that threat monitoring with services such as DShield and Snort becomes less useful, so we know even less about potential threats.
I have believed for a while that there is too much of a focus on script-kiddie attacks, mostly because they are visible. There is no public research into skilled threats; the little there is is mostly sensationalised, e.g. Titan Rain.
(1) If anyone can find me a copy of the actual report I would be most grateful.

Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes.
The story appears to have re-broken. Alan Paller of the SANS Institute seems to be echoing Carpenter's words:
"These attacks come from someone with intense discipline. No other organization could do this if they were not a military organization," Paller said. The perpetrators "were in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?"
In addition to the intrusions at Lockheed Martin and Sandia mentioned in Carpenter's interview, Paller claims that flight-planning software from the US Army's Redstone Arsenal was stolen.
Bruce Schneier, who also wrote about this in August, claims to know people involved who confirm that the attacks are "very well organised."
Continue reading "Titan Rain since 2003"