And in some rare cases, Chinese cyberespionage attackers appear to be moonlighting and dabbling in a little traditional financial cybercrime. This blurring of tools and missions can make it difficult for organizations to ascertain just what attackers are up to once they are discovered inside.
Richard Bejtlich, chief security officer for Mandiant, says prior to joining Mandiant one year ago, he had seen cases of both types of attackers using the same types of tools -- specifically, remote access Trojan tools (RAT) like Poison Ivy and Ghost, for instance. He also saw some hints of cyberspies engaging in traditional cybercriminal activities.
"As far as actors, I have seen some cases where someone in a Chinese-language forum was talking about an 0day he had just discovered and was going to be weaponizing into a tool. Then we would see activity shortly thereafter [with that being used] against a broad number of customers" in an APT-type attack, Bejtlich says.
One of the 20 cyberespionage groups Mandiant tracks, meanwhile, appears to have some ties to a mass-mailing phishing attack -- it uses similar techniques. "We have a suspicion that group did that activity themselves or had ties to a group that does mass mailing," Bejtlich says.
But Mandiant researchers say that, for the most part, Chinese spy hackers tend to snub traditional cybercrime. "Culturally, they don't want to have an association with criminals," Bejtlich says, and consider themselves patriotic hackers and professionals. "There's a movement in China against [hackers as criminals] right now," he says.
Greg Hoglund, CTO at ManTech CSI and founder of HBGary, says his team has seen APT-type attackers out of China also running botnets, selling phony pharmaceuticals, committing online banking fraud, and stealing online gaming accounts. "A couple of groups are not full-time government contractors who sit at a cubicle at the ministry attacking the U.S.," Hoglund says. The ManTech team was able to image a hard drive from a command-and-control server from one APT group and on it found stolen intellectual property plus custom tools for stealing credentials from a popular online game, he says.
"We saw a lot of stuff on the command-and-control server that had nothing to do with the defense industrial base. They were stealing online gaming databases from top MMOs for fraud on a daily basis. And here's a guy who also targeted the defense industrial base," Hoglund says. Another APT attacker tracked by ManTech CSI appeared to be conducting online banking fraud as well, he says.
Hoglund says his team's theory is that this type of moonlighting hacker is a sort of "cybermercenary" performing cyberespionage on behalf of China and also engaging in hacker activities "traditionally associated with e-crime," he says.
He says he once spotted an APT threat using a popular SQL injection attack tool as a method of lateral movement within the targeted victim organization. "This APT threat was using the same tool used across the entire hacker space for stealing data further across one of its targeted environments," Hoglund says.
Other security researchers don't buy the moonlighting theory of cyberespionage attackers, however. Dmitri Alperovitch, co-founder and CTO of CrowdStrike, says these are two separate types of attackers. "I vehemently disagree. I have seen no overlap between those actors," Alperovitch says. "I've never seen Chinese cyberespionage [actors] engage in financially motivated criminal activity or going after that activity. Their goal is always political espionage or access to IP, trade secrets, or compromising more people."
But Alperovitch does agree that traditional cybercriminals are using some of the same malware tools as the cyberespionage attackers. They both use RATs like Poison Ivy, he says, "but they are not necessarily the same actors."
Chinese attackers sometimes use criminal hacking tools, such as Zeus, in the first stage of exploitation, he says.
The underlying issue, of course, is that attacks are never just about the malware. "Malware is interchangeable, and sometimes [cyberespionage attackers] use criminal malware -- that's not the main issue," Alperovitch says. "It's what are they after. How are they doing the human part of the operation?"
Hoglund says organizations shouldn't think of an infected machine as just a virus. "Think of it as access. If you have a botnet problem, it's an access problem: Somebody has access" to your network and data, he says.