Attacks/Breaches

6/21/2012 05:28 PM

The Intersection Between Cyberespionage And Cybercrime

Chinese cyberspies and traditional cybercriminals are relying on some of the same malware tools -- and some cyberspies even appear to be moonlighting

Traditional cybercriminals increasingly are using the same hacking tools that cyberespionage attackers employ in order to maintain a stealthy foothold inside a victim organization so they can maximize their spoils and profits.

And in some rare cases, Chinese cyberespionage attackers appear to be moonlighting and dabbling in a little traditional financial cybercrime. This blurring of tools and missions can make it difficult for organizations to ascertain just what attackers are up to once they are discovered inside.

Richard Bejtlich, chief security officer for Mandiant, says that before joining Mandiant one year ago, he had seen cases of both types of attackers using the same kinds of tools -- specifically, remote access Trojans (RATs) such as Poison Ivy and Gh0st. He also saw some hints of cyberspies engaging in traditional cybercriminal activity.

"As far as actors, I have seen some cases where someone in a Chinese-language forum was talking about an 0day he had just discovered and was going to be weaponizing into a tool. Then we would see activity shortly thereafter [with that being used] against a broad number of customers" in an APT-type attack, Bejtlich says.

One of the 20 cyberespionage groups Mandiant tracks, meanwhile, appears to have ties to a mass-mailing phishing campaign, since it uses similar techniques. "We have a suspicion that group did that activity themselves or had ties to a group that does mass mailing," Bejtlich says.

But Mandiant researchers say that, for the most part, Chinese spy hackers tend to snub traditional cybercrime. "Culturally, they don't want to have an association with criminals," Bejtlich says, and consider themselves patriotic hackers and professionals. "There's a movement in China against [hackers as criminals] right now," he says.

Greg Hoglund, CTO at ManTech CSI and founder of HBGary, says his team has seen APT-type attackers out of China also running botnets, selling phony pharmaceuticals, committing online banking fraud, and stealing online gaming accounts. "A couple of groups are not full-time government contractors who sit at a cubicle at the ministry attacking the U.S.," Hoglund says. The ManTech team was able to image a hard drive from a command-and-control server from one APT group and on it found stolen intellectual property plus custom tools for stealing credentials from a popular online game, he says.

"We saw a lot of stuff on the command-and-control server that had nothing to do with the defense industrial base. They were stealing online gaming databases from top MMOs for fraud on a daily basis. And here's a guy who also targeted the defense industrial base," Hoglund says. Another APT attacker tracked by ManTech CSI appeared to be conducting online banking fraud as well, he says.

Hoglund says his team's theory is that this type of moonlighting hacker is a sort of "cybermercenary" performing cyberespionage on behalf of China and also engaging in hacker activities "traditionally associated with e-crime," he says.

He says he once spotted an APT threat using a popular SQL injection attack tool as a method of lateral movement within the targeted victim organization. "This APT threat was using the same tool used across the entire hacker space for stealing data further across one of its targeted environments," Hoglund says.

Other security researchers don't buy the moonlighting theory of cyberespionage attackers, however. Dmitri Alperovitch, co-founder and CTO of CrowdStrike, says these are two separate types of attackers. "I vehemently disagree. I have seen no overlap between those actors," Alperovitch says. "I've never seen Chinese cyberespionage [actors] engage in financially motivated criminal activity or going after that activity. Their goal is always political espionage or access to IP, trade secrets, or compromising more people."

But Alperovitch does agree that traditional cybercriminals are using some of the same malware tools as the cyberespionage attackers. They both use RATs like Poison Ivy, he says, "but they are not necessarily the same actors."

[ Malware is just a small piece of the puzzle in advanced attacks, and traditional cybercriminals are also getting more 'persistent.' See APT-Type Attack A Moving Target. ]

Chinese attackers sometimes use criminal tools such as Zeus in the first stage of an intrusion, he says.

The underlying point is that an attack is never just about the malware. "Malware is interchangeable, and sometimes [cyberespionage attackers] use criminal malware -- that's not the main issue," Alperovitch says. "It's what are they after. How are they doing the human part of the operation?"
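The practical consequence of "malware is interchangeable" is that a network signature for a shared RAT tells a defender which tool is on the wire, not which actor is behind it. The following is an added example, not code from the article or from any of the vendors quoted in it: a parser for the Gh0st RAT framing (a five-byte ASCII tag, a little-endian total length, a little-endian uncompressed length, then a zlib-compressed payload) run over constructed TCP segments. The sample segments and their payload strings are invented for the demonstration; "Gh0st" is the tag from the original code base, and the assumption that forks swap in a different five-byte tag while keeping the framing is why the tag set is a parameter.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Gh0st RAT framing, all integers little-endian:
#   bytes 0..4   five-byte ASCII tag, "Gh0st" in the original source
#   bytes 5..8   uint32 total frame length, header included
#   bytes 9..12  uint32 payload length before zlib compression
#   bytes 13..   zlib-compressed payload
HEADER_LEN = 13

# Only "Gh0st" is the tag from the original code base. Forks are assumed to swap in
# another five-byte tag but keep the framing, so grow this set from your own samples.
KNOWN_TAGS: Set[bytes] = {b"Gh0st"}


@dataclass
class Gh0stFrame:
    tag: bytes
    total_len: int
    payload: bytes


def build_gh0st_frame(payload: bytes, tag: bytes = b"Gh0st") -> bytes:
    """Emit one frame in Gh0st framing. Used here only to construct sample traffic."""
    if len(tag) != 5:
        raise ValueError("tag must be exactly five bytes")
    body = zlib.compress(payload)
    return tag + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def parse_gh0st_frame(segment: bytes, tags: Set[bytes] = KNOWN_TAGS) -> Optional[Gh0stFrame]:
    """Return the Gh0st frame at the start of a TCP segment, or None if there is none.

    Three fields are cross-checked: the tag, the declared total length against the
    bytes actually held, and the declared uncompressed length against the inflated
    payload. Requiring all three keeps binary data with a lucky prefix from matching.
    """
    if len(segment) < HEADER_LEN:
        return None
    tag = segment[:5]
    if tag not in tags:
        return None
    total_len, plain_len = struct.unpack("<II", segment[5:HEADER_LEN])
    if total_len < HEADER_LEN or total_len > len(segment):
        return None
    try:
        payload = zlib.decompress(segment[HEADER_LEN:total_len])
    except zlib.error:
        return None
    if len(payload) != plain_len:
        return None
    return Gh0stFrame(tag, total_len, payload)


# Constructed sample segments (not real captures). The payload strings are invented
# stand-ins for whatever an operator actually sends; the framing is what is detected.
SAMPLE_SEGMENTS: Dict[str, bytes] = {
    "beacon from host A": build_gh0st_frame(b"WORKSTATION-01|Windows 7|admin"),
    "beacon from host B": build_gh0st_frame(b"BANK-TELLER-07|Windows XP|teller"),
    "plain http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "truncated frame": build_gh0st_frame(b"cut short")[:9],
    "bad length field": b"Gh0st" + struct.pack("<II", HEADER_LEN + 5, 99) + b"abcde",
}


def scan_segments(segments: Dict[str, bytes] = SAMPLE_SEGMENTS) -> Dict[str, Optional[bytes]]:
    """Map each segment label to its inflated Gh0st payload, or None if it is not a Gh0st frame."""
    results: Dict[str, Optional[bytes]] = {}
    for label, seg in segments.items():
        frame = parse_gh0st_frame(seg)
        results[label] = frame.payload if frame else None
    return results


if __name__ == "__main__":
    for label, payload in scan_segments().items():
        verdict = "no match" if payload is None else "Gh0st frame: " + payload.decode(errors="replace")
        print(f"{label:20} -> {verdict}")
```

Both beacons parse identically, which is exactly the point Alperovitch makes: the frame tells you a Gh0st build is checking in from two hosts, and nothing about whether the operators are collecting trade secrets or banking credentials. That question is answered from what is sent and done after the beacon, not from the tool.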

Hoglund says organizations shouldn't think of an infected machine as just a virus. "Think of it as access. If you have a botnet problem, it's an access problem: Somebody has access" to your network and data, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Bprince, 6/23/2012 2:46:02 PM, re: The Intersection Between Cyberespionage And Cybercrime
It shouldn't come as a surprise people are using the same tools. If it works, why re-invent the wheel? Also, I think that using criminals can in a way increase plausible deniability for an intelligence agency in the event something is traced back to the source of the attack. That person is easier to discredit if they are also stealing credit cards and a government can say 'this activity was tied to this malware campaign and not an effort by us to steal information.'
Brian Prince, InformationWeek/Dark Reading Comment Moderator