This figure represents NR4, a mass-scale attack campaign identified by TRIAGE. We do not know the ultimate goal of the attackers behind this campaign, but we do know that they were targeting diplomatic and government organizations. In this NR4 campaign, 848 attacks were made on 16 different days, over a 3-month period. The attacks all originated from accounts on a popular free webmail service. All attacks came from one of three different sender aliases. Multiple email subject lines were used in the targeted attacks, all of potential interest to the recipients, with the majority being about current political issues. Almost all targeted recipients were put in the BCC field of the email.
The first wave of attacks began 4/28/2011 from a single email alias. Four organizations were targeted in this first series of attacks. One of these organizations saw the CEO as well as media and sales people targeted. Over the course of the attack campaign the CEO was targeted 34 times.
On 5/13/2011 a new email account began sending email to targets. It was from this account that the majority of the attacks occurred. This alias continued the attacks on the four previously targeted organizations but added dozens of additional organizations. One organization first targeted in this attack wave was targeted 450 times. A total of 23 people in the organization were targeted, with the main focus being on researchers within the organization.
The final attack wave started 6/30/2011 and ended 19 days later. While attacking a number of organizations already part of the campaign, it also targeted 5 new organizations.
By 7/19/2011 the NR4 targeted campaign had come to an end. During the 3 months of this campaign, hundreds of emails, in English and in Chinese (used against Chinese-speaking targets), arrived in targeted users' mailboxes. While the content of the email was constantly being changed, each email contained an attached PDF or RAR file carrying the same exploit, which would infect users once the attachment was opened. Interestingly, we also found that the three attackers involved in this NR4 campaign had been using the same C&C servers for controlling compromised machines and exfiltrating data.