Attacks/Breaches
3/1/2012
02:09 PM
Connect Directly
RSS
E-Mail
50%
50%

Cyber Criminal By Day, Cyber Spy By Night?

New research shows link between espionage malware, Black Hat SEO, and RSA attackers.

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)
New research appears to raise questions over the conventional wisdom that pure nation-state cyberspies rarely dabble in traditional financial cybercrime. Dell SecureWorks Wednesday shared details of a complex study it conducted of two families of espionage malware that have infected government ministry computers in Vietnam, Brunei, Myanmar, Europe, and at an embassy in China.

Joe Stewart, director of malware research for SecureWorks counter threat unit research team, and his team dug into the domains shared by these malware families, which appear to have been registered by an individual whose physical address they traced to a P.O. box in the fictional location of "Sin Digoo," California.

The domains were registered under the names of "Tawyna Grilth" and "Eric Charles" with a specific Hotmail address during 2004 and 2011. Malware samples using the Tawyna Grilth domains are tied to advanced persistent threat (APT) activity, according to SecureWorks. But the researchers also found that "Tawnya's" domain hosted a Black Hat search engine optimization service.

[ See our complete RSA 2012 Security Conference coverage, live from San Francisco.]

"I can't see the same person as a spy by night and an SEO [attacker] by day. But could the two worlds combine?" Stewart says.

Stewart says since the same person registered these domains over the years, he or she could possibly have been freelancing for a nation-state organization or dabbling in Black Hat SEO on the side. But there was indeed a connection.

"He's got domains used for espionage. That's not to say he's the one hacking into those governments and companies. But he seems to have registered those domains," Stewart says. The researchers found that the attacker had also written an attack tool, but they can't prove he's using it or providing it to others.

Just how the cyberespionage and Black Hat SEO activities are related or not is unclear, he says. "We can only speculate from there."

Read the rest of this article on Dark Reading.

The right forensic tools in the right hands are just a start. The new Digital Detectives issue of Dark Reading shows you how to better apply the lessons they teach. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

CVE-2014-0897
Published: 2014-08-29
The Configuration Patterns component in IBM Flex System Manager (FSM) 1.2.0.x, 1.2.1.x, 1.3.0.x, and 1.3.1.x uses a weak algorithm in an encryption step during Chassis Management Module (CMM) account creation, which makes it easier for remote authenticated users to defeat cryptographic protection me...

CVE-2014-3024
Published: 2014-08-29
Cross-site request forgery (CSRF) vulnerability in IBM Maximo Asset Management 7.1 through 7.1.1.12 and 7.5 through 7.5.0.6 and Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk allows remote authenticated users to hijack the authentication of arbitr...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.