Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/2/2012
12:21 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Scope Of APTs More Widespread Than Thought

Researcher uncovers hundreds of different custom malware families used by cyberspies -- and discovers an Asian security company conducting cyberespionage

Turns out cyberespionage malware and activity is far more prolific than imagined: A renowned researcher has discovered some 200 different families of custom malware used to spy and steal intellectual property, with hundreds of attackers in just two groups out of Shanghai and Beijing.

Click here for more of Dark Reading's Black Hat articles.

"There are so many families of malware. Based on my knowledge of public reports, I had a feeling there was a certain amount of activity ... If I had to guess how many families were out there, [it was] a few dozen," says Joe Stewart, director of malware research at Dell Secureworks. "But, no, I kept discovering one after another ... They were all different, but basically do the same thing."

Stewart also unearthed a private security firm located in Asian -- not in China -- that is waging a targeted attack against another country's military operations, as well as spying on U.S. and European companies and its own country's journalists. He declined to provide details on the firm or its country of origin, but confirmed it's based in a nation that's friendly with the U.S.

"They are selling a range of services, including ethical hacking classes," he says. "Their own government is using their services."

The company has its own malware, and is using spear-phishing and backdoors in its cyberespionage operations.

Stewart says he's unsure whether this type of spying activity under the guise of a legitimate company is just the tip of the iceberg. "There are plenty of examples of companies who paid a hacker to spy," he says. This one is different, however, he says.

"They've got lots of domains registered, lots of malware," he says. "I worry that we will start to see a legitimization of this activity because governments are admitting to doing it," he says.

Dell Secureworks' team also found more than 1,100 domain names registered by APT-type groups for hosting malware command-and-control or phishing, and around 20,000 subdomains under that for command-and-control malware resolution. And the Htran tool used by Chinese APTs is still widely employed by attackers.

Complicating things further is that attribution can be tricky. While China conducts the majority of advanced persistent threat-type campaigns, attackers from other nations have been spotted posing as Chinese attackers to throw off researchers and investigators.

"It's very easy to jump to conclusions when it comes to attribution. You can copy digital fingerprints to appear like China," for example, says Roel Schouwenberg, senior researcher for global research and analysis at Kaspersky Lab.

Even more worrisome are the emerging hacking communities in Brazil and the Middle East getting into the act as well. "There's a very active hacking community in the Middle East -- Turkey -- and in Brazil, just like you're seeing with China," says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "They grow up on e-crime, cut their teeth on it. They are skilled at hacking and run scams on the side."

And according to recent research conducted by HBGary, the number of Chinese cyberespionage groups has actually declined -- most likely due to consolidation. "The number of APT groups is going down, not up," Hoglund wrote in a blog post last week on HBGary's link-analysis on APT groups out of China.

"Our link analysis reveals surprising, non-obvious connections between APT groups. The group list is being consolidated, not expanded. In numerous cases, what appear to be different groups are actually the same, " Hoglund said. "We have also seen other trends such as overlap between nation-state and e-Crime attacks – Chinese hackers committing both crimes. It would be easier to say 'The Chinese Are Coming!' and leave it at that."

[ Chinese cyberspies and traditional cybercriminals are relying on some of the same malware tools -- and some cyberspies even appear to be moonlighting. See The Intersection Between Cyberespionage and Cybercrime. ]

Dell Secureworks' Stewart says, overall, the APT malware he's seeing isn't necessarily advanced. "But the whole operation and how they are approaching it is advanced, with spear-phishing and the types of exploits they have access to. That's very advanced stuff," he says.

His team earlier this year also found a widespread APT campaign targeting Japans several government ministries, universities, news media, trade organizations, and industrial equipment manufacturers, were in the bull's eye.

But there's plenty more out there, security experts say. "There's a lot of cyberespionage happening internationally. This is not going to go away," Kaspersky's Schouwenberg says.

Dell Secureworks' Stewart plans to continue hunting down APT attackers. "We will see how many more we can find in the next six to 12 months and how they react to being outed," he says.

Said HBGary's Hoglund: "One thing is very clear about Chinese hackers: they have a long history. Many of the hackers know each other, have social links, potentially trade malware and tools, etc. As we have expanded our threat intelligence around Chinese APT, it has become very clear that it’s not about number of groups. Chinese APT is an emulsion of largely similar intentions, tools, and backstories."

The full report by Dell Secureworks' Stewart is available here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14821
PUBLISHED: 2019-09-19
An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->l...
CVE-2019-15032
PUBLISHED: 2019-09-19
Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL. The attacker can obtain sensitive information such as the name of the user who created that directory and other internal server information.
CVE-2019-15033
PUBLISHED: 2019-09-19
Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring.
CVE-2019-16412
PUBLISHED: 2019-09-19
In goform/setSysTools on Tenda N301 wireless routers, attackers can trigger a device crash via a zero wanMTU value. (Prohibition of this zero value is only enforced within the GUI.)
CVE-2019-16510
PUBLISHED: 2019-09-19
libIEC61850 through 1.3.3 has a use-after-free in MmsServer_waitReady in mms/iso_mms/server/mms_server.c, as demonstrated by server_example_goose.