Attacks/Breaches
8/2/2012
12:21 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Scope Of APTs More Widespread Than Thought

Researcher uncovers hundreds of different custom malware families used by cyberspies -- and discovers an Asian security company conducting cyberespionage

Turns out cyberespionage malware and activity is far more prolific than imagined: A renowned researcher has discovered some 200 different families of custom malware used to spy and steal intellectual property, with hundreds of attackers in just two groups out of Shanghai and Beijing.

Click here for more of Dark Reading's Black Hat articles.

"There are so many families of malware. Based on my knowledge of public reports, I had a feeling there was a certain amount of activity ... If I had to guess how many families were out there, [it was] a few dozen," says Joe Stewart, director of malware research at Dell Secureworks. "But, no, I kept discovering one after another ... They were all different, but basically do the same thing."

Stewart also unearthed a private security firm located in Asian -- not in China -- that is waging a targeted attack against another country's military operations, as well as spying on U.S. and European companies and its own country's journalists. He declined to provide details on the firm or its country of origin, but confirmed it's based in a nation that's friendly with the U.S.

"They are selling a range of services, including ethical hacking classes," he says. "Their own government is using their services."

The company has its own malware, and is using spear-phishing and backdoors in its cyberespionage operations.

Stewart says he's unsure whether this type of spying activity under the guise of a legitimate company is just the tip of the iceberg. "There are plenty of examples of companies who paid a hacker to spy," he says. This one is different, however, he says.

"They've got lots of domains registered, lots of malware," he says. "I worry that we will start to see a legitimization of this activity because governments are admitting to doing it," he says.

Dell Secureworks' team also found more than 1,100 domain names registered by APT-type groups for hosting malware command-and-control or phishing, and around 20,000 subdomains under that for command-and-control malware resolution. And the Htran tool used by Chinese APTs is still widely employed by attackers.

Complicating things further is that attribution can be tricky. While China conducts the majority of advanced persistent threat-type campaigns, attackers from other nations have been spotted posing as Chinese attackers to throw off researchers and investigators.

"It's very easy to jump to conclusions when it comes to attribution. You can copy digital fingerprints to appear like China," for example, says Roel Schouwenberg, senior researcher for global research and analysis at Kaspersky Lab.

Even more worrisome are the emerging hacking communities in Brazil and the Middle East getting into the act as well. "There's a very active hacking community in the Middle East -- Turkey -- and in Brazil, just like you're seeing with China," says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "They grow up on e-crime, cut their teeth on it. They are skilled at hacking and run scams on the side."

And according to recent research conducted by HBGary, the number of Chinese cyberespionage groups has actually declined -- most likely due to consolidation. "The number of APT groups is going down, not up," Hoglund wrote in a blog post last week on HBGary's link-analysis on APT groups out of China.

"Our link analysis reveals surprising, non-obvious connections between APT groups. The group list is being consolidated, not expanded. In numerous cases, what appear to be different groups are actually the same, " Hoglund said. "We have also seen other trends such as overlap between nation-state and e-Crime attacks – Chinese hackers committing both crimes. It would be easier to say 'The Chinese Are Coming!' and leave it at that."

[ Chinese cyberspies and traditional cybercriminals are relying on some of the same malware tools -- and some cyberspies even appear to be moonlighting. See The Intersection Between Cyberespionage and Cybercrime. ]

Dell Secureworks' Stewart says, overall, the APT malware he's seeing isn't necessarily advanced. "But the whole operation and how they are approaching it is advanced, with spear-phishing and the types of exploits they have access to. That's very advanced stuff," he says.

His team earlier this year also found a widespread APT campaign targeting Japans several government ministries, universities, news media, trade organizations, and industrial equipment manufacturers, were in the bull's eye.

But there's plenty more out there, security experts say. "There's a lot of cyberespionage happening internationally. This is not going to go away," Kaspersky's Schouwenberg says.

Dell Secureworks' Stewart plans to continue hunting down APT attackers. "We will see how many more we can find in the next six to 12 months and how they react to being outed," he says.

Said HBGary's Hoglund: "One thing is very clear about Chinese hackers: they have a long history. Many of the hackers know each other, have social links, potentially trade malware and tools, etc. As we have expanded our threat intelligence around Chinese APT, it has become very clear that it’s not about number of groups. Chinese APT is an emulsion of largely similar intentions, tools, and backstories."

The full report by Dell Secureworks' Stewart is available here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.