Attacks/Breaches
6/21/2012
05:28 PM

The Intersection Between Cyberespionage And Cybercrime

Chinese cyberspies and traditional cybercriminals are relying on some of the same malware tools -- and some cyberspies even appear to be moonlighting

Traditional cybercriminals are increasingly using the same hacking tools that cyberespionage attackers employ to maintain a stealthy foothold inside a victim organization, so that they can maximize their spoils and profits.

And in some rare cases, Chinese cyberespionage attackers appear to be moonlighting and dabbling in a little traditional financial cybercrime. This blurring of tools and missions can make it difficult for organizations to ascertain just what attackers are up to once they are discovered inside.

Richard Bejtlich, chief security officer for Mandiant, says that before joining Mandiant one year ago, he had seen cases of both types of attackers using the same kinds of tools -- specifically, remote access Trojan (RAT) tools such as Poison Ivy and Ghost. He also saw some hints of cyberspies engaging in traditional cybercriminal activities.

"As far as actors, I have seen some cases where someone in a Chinese-language forum was talking about an 0day he had just discovered and was going to be weaponizing into a tool. Then we would see activity shortly thereafter [with that being used] against a broad number of customers" in an APT-type attack, Bejtlich says.

One of the 20 cyberespionage groups Mandiant tracks, meanwhile, appears to have some ties to a mass-mailing phishing attack -- it uses similar techniques. "We have a suspicion that group did that activity themselves or had ties to a group that does mass mailing," Bejtlich says.

But Mandiant researchers say that, for the most part, Chinese spy hackers tend to snub traditional cybercrime. "Culturally, they don't want to have an association with criminals," Bejtlich says, and consider themselves patriotic hackers and professionals. "There's a movement in China against [hackers as criminals] right now," he says.

Greg Hoglund, CTO at ManTech CSI and founder of HBGary, says his team has seen APT-type attackers out of China also running botnets, selling phony pharmaceuticals, committing online banking fraud, and stealing online gaming accounts. "A couple of groups are not full-time government contractors who sit at a cubicle at the ministry attacking the U.S.," Hoglund says. The ManTech team was able to image a hard drive from a command-and-control server from one APT group and on it found stolen intellectual property plus custom tools for stealing credentials from a popular online game, he says.

"We saw a lot of stuff on the command-and-control server that had nothing to do with the defense industrial base. They were stealing online gaming databases from top MMOs for fraud on a daily basis. And here's a guy who also targeted the defense industrial base," Hoglund says. Another APT attacker tracked by ManTech CSI appeared to be conducting online banking fraud as well, he says.

Hoglund says his team's theory is that this type of moonlighting hacker is a sort of "cybermercenary" performing cyberespionage on behalf of China and also engaging in hacker activities "traditionally associated with e-crime," he says.

He says he once spotted an APT threat using a popular SQL injection attack tool as a method of lateral movement within the targeted victim organization. "This APT threat was using the same tool used across the entire hacker space for stealing data further across one of its targeted environments," Hoglund says.

Other security researchers don't buy the moonlighting theory of cyberespionage attackers, however. Dmitri Alperovitch, co-founder and CTO of CrowdStrike, says these are two separate types of attackers. "I vehemently disagree. I have seen no overlap between those actors," Alperovitch says. "I've never seen Chinese cyberespionage [actors] engage in financially motivated criminal activity or going after that activity. Their goal is always political espionage or access to IP, trade secrets, or compromising more people."

But Alperovitch does agree that traditional cybercriminals are using some of the same malware tools as the cyberespionage attackers. They both use RATs like Poison Ivy, he says, "but they are not necessarily the same actors."

[ Malware is just a small piece of the puzzle in advanced attacks, and traditional cybercriminals are also getting more 'persistent.' See APT-Type Attack A Moving Target. ]

Chinese attackers sometimes use criminal hacking tools, such as Zeus, in the first stage of exploitation, he says.

The underlying issue, of course, is that attacks are not just about the malware. "Malware is interchangeable, and sometimes [cyberespionage attackers] use criminal malware -- that's not the main issue," Alperovitch says. "It's what are they after. How are they doing the human part of the operation?"

Hoglund says organizations shouldn't think of an infected machine as just a virus. "Think of it as access. If you have a botnet problem, it's an access problem: Somebody has access" to your network and data, he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Bprince,
User Rank: Ninja
6/23/2012 | 2:46:02 PM
re: The Intersection Between Cyberespionage And Cybercrime
It shouldn't come as a surprise people are using the same tools. If it works, why re-invent the wheel? Also, I think that using criminals can in a way increase plausible deniability for an intelligence agency in the event something is traced back to the source of the attack. That person is easier to discredit if they are also stealing credit cards and a government can say 'this activity was tied to this malware campaign and not an effort by us to steal information.'
Brian Prince, InformationWeek/Dark Reading Comment Moderator