What is a "targeted attack"?
Posted by Maxim Weinstein
Craig Schmugar over at McAfee has an interesting blog post today discussing what constitutes a “targeted attack” in the realm of cybersecurity.
So what does the word targeted in targeted attack really mean? One could argue that anyone hit with an attack that was sent to him or her specifically (as in: the email message containing the virus was sent to your address) was a victim of a targeted attack, but that definition is way too broad, as the vast majority of all attacks would then be considered targeted. I pondered the definition of targeted attacks for a bit, trying to think of a simple yet concrete definition. I landed on the work [sic] discrimination. For me the key aspect of any targeted attack is that it must discriminate, otherwise the attack is either random, or one of opportunity.
I agree, and it's an important distinction. With plenty of money to be made and mischief to be caused without any specific targeting, the extra effort of discriminating among victims suggests the attacker has an agenda beyond indiscriminate profit. Schmugar lists a few:
- To keep a low profile for the malicious code (an effort to evade/delay malcode detection by flying under the radar)
- To keep a low profile for the entity behind the attack (an effort to evade prosecution)
- To minimize "casualties of war" (most attackers don't really care if innocent bystanders get infected, but some small segment likely does)
- To capture specific data or to disrupt the work or life of a specific person or process
- To cause fear or provoke a reaction from a specific individual or group
- To make a political statement
Last week, I mentioned attacks that appear to be targeted (by Schmugar’s definition) at supporters of Tibet. That might be just a crime of opportunity (i.e., “If I send infected documents about Tibet to pro-Tibet activists, they’re likely to open them”), but it’s also possible that these attacks are politically motivated to disrupt the work of these groups.
