6/21/2012
05:28 PM

The Intersection Between Cyberespionage And Cybercrime

Chinese cyberspies and traditional cybercriminals are relying on some of the same malware tools -- and some cyberspies even appear to be moonlighting

Traditional cybercriminals are increasingly using the same hacking tools that cyberespionage attackers employ to maintain a stealthy foothold inside a victim organization, so they can maximize their spoils and profits.

And in some rare cases, Chinese cyberespionage attackers appear to be moonlighting and dabbling in a little traditional financial cybercrime. This blurring of tools and missions can make it difficult for organizations to ascertain just what attackers are up to once they are discovered inside.

Richard Bejtlich, chief security officer for Mandiant, says that before joining Mandiant one year ago, he had seen cases of both types of attackers using the same kinds of tools -- specifically, remote access Trojans (RATs) such as Poison Ivy and Ghost. He also saw some hints of cyberspies engaging in traditional cybercriminal activities.

"As far as actors, I have seen some cases where someone in a Chinese-language forum was talking about an 0day he had just discovered and was going to be weaponizing into a tool. Then we would see activity shortly thereafter [with that being used] against a broad number of customers" in an APT-type attack, Bejtlich says.

One of the 20 cyberespionage groups Mandiant tracks, meanwhile, appears to have some ties to a mass-mailing phishing attack -- it uses similar techniques. "We have a suspicion that group did that activity themselves or had ties to a group that does mass mailing," Bejtlich says.

But Mandiant researchers say that, for the most part, Chinese spy hackers tend to snub traditional cybercrime. "Culturally, they don't want to have an association with criminals," Bejtlich says, and consider themselves patriotic hackers and professionals. "There's a movement in China against [hackers as criminals] right now," he says.

Greg Hoglund, CTO at ManTech CSI and founder of HBGary, says his team has seen APT-type attackers out of China also running botnets, selling phony pharmaceuticals, committing online banking fraud, and stealing online gaming accounts. "A couple of groups are not full-time government contractors who sit at a cubicle at the ministry attacking the U.S.," Hoglund says. The ManTech team was able to image a hard drive from a command-and-control server from one APT group and on it found stolen intellectual property plus custom tools for stealing credentials from a popular online game, he says.

"We saw a lot of stuff on the command-and-control server that had nothing to do with the defense industrial base. They were stealing online gaming databases from top MMOs for fraud on a daily basis. And here's a guy who also targeted the defense industrial base," Hoglund says. Another APT attacker tracked by ManTech CSI appeared to be conducting online banking fraud as well, he says.

Hoglund says his team's theory is that this type of moonlighting hacker is a sort of "cybermercenary" performing cyberespionage on behalf of China and also engaging in hacker activities "traditionally associated with e-crime," he says.

He says he once spotted an APT threat using a popular SQL injection attack tool as a method of lateral movement within the targeted victim organization. "This APT threat was using the same tool used across the entire hacker space for stealing data further across one of its targeted environments," Hoglund says.

Other security researchers don't buy the moonlighting theory of cyberespionage attackers, however. Dmitri Alperovitch, co-founder and CTO of CrowdStrike, says these are two separate types of attackers. "I vehemently disagree. I have seen no overlap between those actors," Alperovitch says. "I've never seen Chinese cyberespionage [actors] engage in financially motivated criminal activity or going after that activity. Their goal is always political espionage or access to IP, trade secrets, or compromising more people."

But Alperovitch does agree that traditional cybercriminals are using some of the same malware tools as the cyberespionage attackers. They both use RATs like Poison Ivy, he says, "but they are not necessarily the same actors."

Chinese attackers sometimes use criminal hacking tools, such as Zeus, in the first stage of an intrusion, he says.

The underlying issue, of course, is that attacks are not just about the malware. "Malware is interchangeable, and sometimes [cyberespionage attackers] use criminal malware -- that's not the main issue," Alperovitch says. "It's what are they after. How are they doing the human part of the operation?"

Hoglund says organizations shouldn't think of an infected machine as just a virus. "Think of it as access. If you have a botnet problem, it's an access problem: Somebody has access" to your network and data, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comments

Bprince, 6/23/2012 2:46:02 PM
re: The Intersection Between Cyberespionage And Cybercrime
It shouldn't come as a surprise that people are using the same tools. If it works, why re-invent the wheel? Also, I think that using criminals can in a way increase plausible deniability for an intelligence agency in the event something is traced back to the source of the attack. That person is easier to discredit if they are also stealing credit cards, and a government can say 'this activity was tied to this malware campaign and not an effort by us to steal information.'
Brian Prince, InformationWeek/Dark Reading Comment Moderator