Report: Weaponized PDFs on the Rise

The form of malware is targeting mostly the United States and Britain.

Security experts have reported a substantial increase in the number of weaponized PDFs being sent largely to recipients in the United States and Britain—most of which seem to be originating in Russia.

Through all of 2018, network security company SonicWall discovered more than 47,000 new attack variants within PDF files. But in March 2019 alone, 73,000 PDF-based attacks were discovered, according to a report released Thursday.

SonicWall’s President and CEO, Bill Conner, told Nextgov the company saw a rise in threats originating in PDFs in December and January—but by March—“It was just like, ‘Woah!’ It was really off the charts,” he said. Conner added that many of the threats “are emanating from Russia.”

Conner said that in March, the company’s “Real-Time Deep Memory Inspection” technology identified more than 83,000 “never-before-seen or identified” malicious events. Of those, 67,000 were PDFs linked to scammers and more than 5,500 were PDFs with direct links to other malware. PDF is the acronym used to refer to Portable Document Format. The file format was developed in the 1990s to maintain the aesthetic of an original document’s text and images that can be viewed across many programs and computer systems.

“I don’t want to be the alarmist here, but clearly, our businesses and governments run on PDFs today,” Conner said.

Many traditional security controls cannot yet identify or mitigate links hidden inside PDF files. Conner said the new threats are predominantly fraud, scam or phishing-style documents that look realistic now, but they could evolve into something even more dangerous in the future.

“Think of it as a spam email. It looks legit, right, so you go to click on it and you might be infected immediately or you might be infected later when it detonates. It’s very sophisticated in terms of that capability,” Conner said. “And just because they are using that exploit to target fraud today, doesn’t mean that that exploit can’t be used for other purposes later.”

Conner said he made multiple recent trips to London and Washington to speak about the risks with government officials from the United Kingdom and the United States. He said both countries are being targeted, but the threats from Russia are predominantly directed at the U.S., with lesser of an extent pointed toward the U.K.

“They’ve have certainly been receptive to hearing and seeing the information,” he said.