Attacks/Breaches
8/2/2012
12:21 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Scope Of APTs More Widespread Than Thought

Researcher uncovers hundreds of different custom malware families used by cyberspies -- and discovers an Asian security company conducting cyberespionage

Turns out cyberespionage malware and activity is far more prolific than imagined: A renowned researcher has discovered some 200 different families of custom malware used to spy and steal intellectual property, with hundreds of attackers in just two groups out of Shanghai and Beijing.

Click here for more of Dark Reading's Black Hat articles.

"There are so many families of malware. Based on my knowledge of public reports, I had a feeling there was a certain amount of activity ... If I had to guess how many families were out there, [it was] a few dozen," says Joe Stewart, director of malware research at Dell Secureworks. "But, no, I kept discovering one after another ... They were all different, but basically do the same thing."

Stewart also unearthed a private security firm located in Asian -- not in China -- that is waging a targeted attack against another country's military operations, as well as spying on U.S. and European companies and its own country's journalists. He declined to provide details on the firm or its country of origin, but confirmed it's based in a nation that's friendly with the U.S.

"They are selling a range of services, including ethical hacking classes," he says. "Their own government is using their services."

The company has its own malware, and is using spear-phishing and backdoors in its cyberespionage operations.

Stewart says he's unsure whether this type of spying activity under the guise of a legitimate company is just the tip of the iceberg. "There are plenty of examples of companies who paid a hacker to spy," he says. This one is different, however, he says.

"They've got lots of domains registered, lots of malware," he says. "I worry that we will start to see a legitimization of this activity because governments are admitting to doing it," he says.

Dell Secureworks' team also found more than 1,100 domain names registered by APT-type groups for hosting malware command-and-control or phishing, and around 20,000 subdomains under that for command-and-control malware resolution. And the Htran tool used by Chinese APTs is still widely employed by attackers.

Complicating things further is that attribution can be tricky. While China conducts the majority of advanced persistent threat-type campaigns, attackers from other nations have been spotted posing as Chinese attackers to throw off researchers and investigators.

"It's very easy to jump to conclusions when it comes to attribution. You can copy digital fingerprints to appear like China," for example, says Roel Schouwenberg, senior researcher for global research and analysis at Kaspersky Lab.

Even more worrisome are the emerging hacking communities in Brazil and the Middle East getting into the act as well. "There's a very active hacking community in the Middle East -- Turkey -- and in Brazil, just like you're seeing with China," says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "They grow up on e-crime, cut their teeth on it. They are skilled at hacking and run scams on the side."

And according to recent research conducted by HBGary, the number of Chinese cyberespionage groups has actually declined -- most likely due to consolidation. "The number of APT groups is going down, not up," Hoglund wrote in a blog post last week on HBGary's link-analysis on APT groups out of China.

"Our link analysis reveals surprising, non-obvious connections between APT groups. The group list is being consolidated, not expanded. In numerous cases, what appear to be different groups are actually the same, " Hoglund said. "We have also seen other trends such as overlap between nation-state and e-Crime attacks – Chinese hackers committing both crimes. It would be easier to say 'The Chinese Are Coming!' and leave it at that."

[ Chinese cyberspies and traditional cybercriminals are relying on some of the same malware tools -- and some cyberspies even appear to be moonlighting. See The Intersection Between Cyberespionage and Cybercrime. ]

Dell Secureworks' Stewart says, overall, the APT malware he's seeing isn't necessarily advanced. "But the whole operation and how they are approaching it is advanced, with spear-phishing and the types of exploits they have access to. That's very advanced stuff," he says.

His team earlier this year also found a widespread APT campaign targeting Japans several government ministries, universities, news media, trade organizations, and industrial equipment manufacturers, were in the bull's eye.

But there's plenty more out there, security experts say. "There's a lot of cyberespionage happening internationally. This is not going to go away," Kaspersky's Schouwenberg says.

Dell Secureworks' Stewart plans to continue hunting down APT attackers. "We will see how many more we can find in the next six to 12 months and how they react to being outed," he says.

Said HBGary's Hoglund: "One thing is very clear about Chinese hackers: they have a long history. Many of the hackers know each other, have social links, potentially trade malware and tools, etc. As we have expanded our threat intelligence around Chinese APT, it has become very clear that it’s not about number of groups. Chinese APT is an emulsion of largely similar intentions, tools, and backstories."

The full report by Dell Secureworks' Stewart is available here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web