By Linda Rosencrance, TechNewsDaily Contributor

At the end of each year, Moscow-based Kaspersky Lab checks their predictions twice to see if cyber activity was more naughty than nice. Credit: igor.stevanovic/

December is "prediction season" in the cybersecurity industry. Every

major anti-virus software maker and digital-security provider issues its

own forecasts of what computer users face in the coming year.

So far this month, the predictions for 2013 look a lot like those for 2012: more Android malware, increased cyberattacks by nation-states and greater activity by "hacktivist" groups such as Anonymous.

However, a few companies go back and check their own predictions at the end of the year to see what they got right — and wrong. One company that does so is Moscow-based Kaspersky Lab, one of the top five anti-virus companies in the world.

"In 2011, we really saw a number of things rising up: hacktivism; big database breaches;

attacks against Androids; attacks against Macs; data espionage became

daily business in 2011," said Roel Schouwenberg, senior researcher at

Kaspersky's Boston-area office. “When we look at 2012, we saw a further

evolution of all these new trends."

Kaspersky made the following predictions for 2012:

  • Hacktivist

  • A higher rate of "advanced persistent threat" attacks, or state-sponsored espionage efforts

  • More incidents of cyberwarfare involving customized, state-sponsored malware

  • Attacks on software and game developers such as Adobe, Microsoft, Oracle and Sony

  • More aggressive actions from law-enforcement agencies against cybercriminals

  • An increasing rate in the growth of threats to the Android mobile platform

  • Successful attacks on Apple's Mac OS X computer platform

Let's examine five of the top security incidents that shaped 2012 and

check the accuracy of the Kaspersky researchers in light of those


1. More Mac OS X Malware

Security experts had anticipated an outbreak of malware targeting Mac OS X for years; 2012 was when it finally happened. The bug that did it, called the Flashback or Flashfake Trojan, first appeared near the end of 2011, but didn't reach its peak rate of infection until March of 2012. Flashback infected more than 700,000 Macs around the world, the largest known Mac OS X infection to date.


"In 2011, we predicted that we would see more Mac malware attacks," said Kaspersky Lab's Costin Raiu and David Emm in a blog posting. "We just never expected it would be this dramatic."

Why did Flashback wreak such havoc? One reason was a well-documented Java vulnerability, which Apple took a

long time to patch even after it had been publicly disclosed. The

Flashback authors took advantage of Apple's delay to incorporate the

Java exploit into their otherwise unremarkable creation.

The second reason was the general lack of awareness among Mac users about security. Proper anti-virus software would have stopped Flashback's attack, yet most Mac users felt they didn't need it.

Flashback wasn't the only successful attack on Mac OS X systems in

2012. There were multiple espionage-related attacks on Macs used by

Tibetan dissidents and exiles. Some of the attacks used corrupted files

purporting to come straight from the Dalai Lama, Tibet's exiled leader.

TOP 5: Ways to Protect Yourself Online

"The espionage angle may be a bigger factor for Mac right now than

regular consumer malware," Schouwenberg said. "For general cybercrime,

most criminals go after Windows because that's what they know. That's

what's easiest for them."

"But when it comes to these targeted attacks, the attackers go after

whichever machines the targets are using. So if the targets are using

Macs, they'll go after Macs."

Schouwenberg said in terms of the proportion of available systems

infected, Flashback was the most successful malware outbreak of the


"When you look at relative market share, the Flashback malware in terms

of prevalence was the size of [the infamous Windows worm] Conficker,"

he said. "This was an absolutely huge event in the Apple world. When

you extrapolate [the number of Macs infected] to Windows numbers, that's

about 10 million."

2. Cyberweapons: Flame

Cyberwarfare is a term that often gets hyped up, especially when a politician or general is speaking.

In fact, the Stuxnet worm,

which crippled an Iranian uranium-enrichment facility in the summer of

2010, was for nearly two years the only known cyberweapon that had

destroyed anything. That changed this past spring, when a series of cyberattacks destroyed

computer systems at oil facilities in Iran, as well as in the offices of

the Iranian oil ministry.

Wiper, the malware thought to be responsible for the attacks, was never

found, although certain tell-tale signs indicated it was similar to

Stuxnet and its cousin Duqu. During the investigation in May, however, researchers from Kaspersky,

the Iranian computer emergency response team MAHER and the CrySyS Lab at

Budapest University in Hungary discovered something else — possibly the

most sophisticated piece of malware ever seen. Kaspersky's team called

it "Flame."

The size, age and sophistication of Flame were startling. It was 20

megabytes in size, as large as a complex smartphone game, while most

malware is only a few dozen kilobytes in size. Flame contained a dozen different modules that could be added and

subtracted according to the task at hand, which made it extremely

versatile as spyware.

It could map out networks, index files, record audio and video, log

keystrokes, take screenshots and archive emails and instant messages.

When its job was done, it would destroy all signs of itself on any

32-bit Windows PC, and sometimes the host system as well.

ANALYSIS: The Biggest Threat to Your Online Security Is YOU!

Yet despite its size, Flame was at least five years old at the time of

its discovery — an enormous amount of time for a piece of malware to be

"in the wild."

As Raiu said in a press release,

Flame was "an example of a complex malicious program that could exist

undetected for an extended amount of time while collecting massive

amounts of data and sensitive information from its victims."

A couple of weeks after its discovery, Dutch researchers found that

Flame's creators had pulled off a mathematical breakthrough.

Using unknown techniques, Flame's creators had created a nearly-impossible cryptologic collisionthat

allowed Flame to present itself as a signed, genuine Windows update

package direct from Microsoft. No anti-virus software could have stopped



In August, Kaspersky researchers found a highly sophisticated Trojan in the Middle East, this time spying on Lebanese banks.

Like ordinary criminal banking Trojans, this new malware, which Kaspersky researchers dubbed "Gauss," stole online-banking credentials to break into accounts. Yet Gauss didn't steal any money — just information.

In their year-end review, Raiu and Emmer said Gauss added a "new

dimension to nation-state cyber-campaigns," even if it was nowhere as

sophisticated as Flame.

"It appears there is a strong cyber component to the existing

geopolitical tensions — perhaps bigger than anyone expected," they added.


That would prove to be an understatement. Later in August, Shamoon, a

piece of especially destructive, yet simple, malware, made its world debut.

Named after a piece of text embedded deep in its code, Shamoon launched

an attack against the state-owned Saudi Arabian oil company Saudi

Aramco and destroyed data on more than 30,000 computers.  

Shamoon was crude but effective. It searched an infected system for

certain files, sent a list of those files to a remote server, and then

methodically deleted key parts of the installed Windows system,

rendering the infected machine useless.

"You have the hacktivist movement claiming credit for that attack, which may or may not be the case," Schouwenberg said.

"Shamoon wasn't really that sophisticated, but when you look at the

relevance of the incidence, it's extremely, extremely important,"

Schouwenberg added, "especially when you consider the fact that Saudi

Aramco announced just recently that they strongly believe that Shamoon's

real target was to mess with the oil production rather than just

sabotaging the machines in the corporate network."

Kaspersky researchers said many details about Shamoon were still

unknown, such as how the malware infected Saudi Aramco's systems in the

first place, or who was behind the malware.

Some observers suspect Iran created and used Shamoon as an attempt to

cripple Saudi Arabia's oil production, which would cause oil prices to

rise, benefiting cash-strapped Iran.

3. Exponential Growth in Android Malware

During 2011, there was an explosion in the number of malicious threats against the Android platform. It was obvious that the trend would go on.

Kaspersky, as well as most of its competitors, accurately predicted

that the number of threats for Android would continue to grow at an

alarming rate in 2012.

"We predicted we would see an explosion in Android malware and that's

what we saw," Schouwenberg said. "There is a huge amount of Android

malware these days, although not anywhere near the amount of Windows

malware that we see. But it's grown very dramatically."

How dramatically?

"The number of samples we received continued to grow and peaked in June

2012, when we identified almost 7,000 malicious Android programs," Raiu

and Emmer wrote. "Overall, in 2012, we identified more than 35,000

malicious Android programs, which is about six times more than in 2011."

So why is there so much Android malware, and so little malware targeting its competition, Apple's iOS?

It's because iOS is locked down tight.

Apple oversees every part of the hardware and software development, and

strictly controls which apps can be installed on iOS devices.

Android, however, is a free-for-all. Dozens of manufacturers make

hundreds of Android devices, and the operating system is a little

different on each one. Manufacturers and cellular carriers refuse to update Android in a timely manner, resulting in security holes that are left unpatched for months or years.

"Off-road" app markets flourish, especially in China where access to

the official Google Play store is restricted. Google has belatedly

tightened security in both Android itself and in the Google Play store,

yet its efforts have a long way to go before they can match Apple's.

Still, the tighter security in the latest versions of Android may be

having an effect. Kaspersky's own figures show that while the number of

new Android threats continued to grow in the second half of 2012, the

rate of growth began to slow.

4. Advanced Persistent Threats Go Quiet

Advanced persistent threat hackers, i.e. cyberspies, were certainly

active in 2012, yet didn't have the spectacular successes they'd had in

previous years. Perhaps the most visible attack on Western targets was the discovery in

September 2012 that two pieces of malware had been signed using a valid Adobe code-signing certificate. Apparently, someone, somehow, had broken into an Adobe server and stolen authentication certificates.

"This discovery belongs to the same chain of extremely targeted attacks

performed by sophisticated threat actors commonly described as APT,"

wrote Raiu and Emmer. "The fact that a high profile company like Adobe

was compromised in this way redefines the boundaries and possibilities

that are becoming available for these high-level attackers."

5. Data Breach After Data Breach

One thing that Kaspersky failed to anticipate in 2012 was the seemingly

unending parade of huge data breaches involving companies and

organizations with inadequate security. In early June, the business-networking website LinkedIn had 6.4 million passwords stolen. The passwords were encrypted, but in a very simple way that meant most could easily be deciphered.

A day later, online-dating service eHarmony suffered a similar breach, losing 1.5 million passwords, also poorly encrypted.

In July, struggling Web giant Yahoo was embarrassed by a data breach that revealed 450,000 passwordshad

been stored without any encryption at all. It wasn't entirely Yahoo's

fault, since the database was acquired with the 2010 purchase of another

company, but it was also evident that no one had bothered to check.

Worst of all was the revelation in late October that vital personally identifiable information on 3.8 million adult residents of South Carolina, plus 1.9 million dependents and 700,000 businesses, had been stolen from the state tax agency.

Entire tax records, containing names, addresses, dates of birth and,

worst of all, Social Security numbers, were all stored unencrypted.

Virtually the entire state population of 4.7 million people was put at

grave risk of identity theft.

Weeks after the breach was revealed, the state government was blaming

the federal IRS for not providing strong security guidelines, and was

itself being criticized by security experts for not revealing enough

about what had happened.

Looking Back, and Forward

"There isn't too much that was shocking news over 2012, just these

up-and-coming things 2011 that really established themselves in

2012," Schouwenberg said. "But we also saw some examples of new

nation-state like Flame and Gauss. But from my personal

point of view, the most significant event of the year was Shamoon."

As for 2013, "we expect the next year to be packed with high-profile

attacks on consumers, businesses and governments alike, and to see the

first signs of notable attacks against the critical industrial

infrastructure," Raiu said in a company press release. "The most notable

trends of 2013 will be new examples of cyberwarfare operations,

increasing targeted attacks on businesses and new, sophisticated mobile


  • 8 Security Basics the Experts Want You to Know

  • How to Defend Yourself Against Home Invasion

  • 10 Best Anti-Virus Products

Copyright 2012 TechNewsDaily, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.