

Profiling The Cybercriminal And The Cyberspy

Insight into key characteristics, behaviors of cybercrime versus cyberespionage attackers can help -- but the threats aren't just from China and Eastern Europe

First in an occasional series on knowing the attacker.

Chinese hackers operate more as big-box, thrifty enterprises with bargain-basement mini-botnets and commodity malware. Eastern European hackers run higher-end operations with bulletproof hosting and custom-built malware. Chinese hackers hide in plain sight, but try to maintain a foothold in their victims' organizations. Eastern European hackers stage camouflaged, commando-type raids to grab and run off with valuable financial information.

Those are some of the telltale characteristics of two of the main types of attackers businesses and public-sector organizations face today -- and the types of threats studied most by security researchers. Increasingly, there has been a shift toward getting to know the enemy behind the malware, mainly as a way to put up better defenses against these inevitable attacks. But like most things, the more you know, the more you realize what you don't know.

Enterprises and government agencies today tend to worry more about Chinese cyberespionage attacks than the financial credential- and account-stealing activities of attackers out of the Eastern European region, says Tom Kellermann, vice president of cybersecurity at Trend Micro, which last week published a report comparing the M.O.s of East Asian and Eastern European attackers.

But Eastern Europe poses just as much of a threat, he says, and these attackers are typically more sophisticated overall, employing custom-built, complex malware, and running their operations out of bulletproof hosting providers and advanced botnets. Plus, they steal credentials that can quickly be monetized. "If I was CEO of a corporation, I'd rather deal with East Asia than Eastern Europe because the Eastern European hacker crew comes in like commandos targeting your house in the suburbs, knowing everything about that house and going in and out, and [before you know it], you're done and you may not know you're done," he says.

China, along with Russia, Ukraine, and other Eastern European nations, has indeed been under the spotlight as the origin of most cyberthreats. But what about hackers in Brazil? North Korea? The Middle East?

"It's not just the Chinese; it's not just the Russians. There are a lot of other countries with robust criminal [enterprises and] modulation and automation of attack code," Kellermann says.

Focusing only on Chinese or Russian hackers misses the bigger threat picture, experts say. South America and the Middle East, for example, are hotbeds of activity -- Brazil in financial cybercrime, and the Middle East in hacktivism.

[ Researcher uncovers hundreds of different custom malware families used by cyberspies -- and discovers an Asian security company conducting cyberespionage. See Scope Of APTs More Widespread Than Thought. ]

Jeffrey Carr, CEO of Taia Global, says the security industry needs to cast a wider net in its research. "We don't see the other countries [hacking] -- not because they are so good at it, but because we are looking at the same threat intelligence over and over and the same bad guys over and over," Carr says. "We are all watching the same publicly available data ... and it feeds on itself."

Carr attributes some of that to what he believes are the financial incentives to focus on China. "The U.S.-China Economic and Security Review Commission is an expensive commission funded solely for finding threats from China," for example, he notes. "There's also money to be made in selling threat intelligence to the U.S. government if it involves China."

Part of the problem is that threat intelligence can't always keep up with attacks, security experts say. "Threat intelligence is way behind most of these capabilities," says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech.

Knowing more about who's hacking you can help you shore up your defenses, security experts say. And the bottom line is that most attacks today against U.S. targets come out of China and Eastern Europe, so any intelligence about what type of data they're after and how they operate can help, experts say.

Trend Micro's profile of East Asian versus Eastern European attackers is spot-on, security experts say. Their different styles and methods are basically a function of the types of attacks they are waging -- as well as the defenses they are facing: "[The] target environments are different: Banking fraud detection and prevention systems are typically much more sophisticated than your typical enterprise security infrastructure. Cybercrime malware tends to be much more sophisticated in regard to how it works, how it steals credentials, how it prevents detection, and how it remains resident on the infected host. But they also have a cycle-based attack methodology that involves constant churn of attack malware/infrastructure and domains," says Alex Cox, principal security researcher for RSA FirstWatch Threat Research.

Cox says Chinese APT actors opt for a "modular" attack model where they gain a foothold inside and then download additional tools as they need them. "They typically use malware with wide availability to begin with, and ramp up sophistication as defenders get better at discovering their intrusions," Cox says. "The end game is different for the two groups: Cybercrime is a cycle of compromise, steal data, recompromise, etc. APT is to establish a foothold, remain inside a network, continually steal data."

Eastern European attackers use more complex malware because they are after different things, notes Joe Stewart, director of malware research for Dell SecureWorks. "Eastern Europeans tend to be more stealthy at the system level, with low-level code, [such as] using rootkits," Stewart says. "They are doing clever things to inject processes to evade detection by antivirus ... and to maintain a large botnet."

The Chinese, meanwhile, try to be stealthy by not appearing stealthy. "In the more targeted attack ... the more techniques you use that are stealthy, the more systems you're going to trigger on a very paranoid network," Stewart says. "The Chinese use packers only about 5 percent of the time, ballpark. Unpacked malware is not as suspicious and fairly small. They try to be minimal and do a small number of things."

Their main engine is the person behind the keyboard on the other end of the attack, who, once inside, is able to quietly do his work manually, Stewart says.

But regardless of the differences, both Asian and Eastern European hackers are dangerous in their own way, he says.

While Eastern European attackers prefer custom-built malware and their own botnet infrastructures, East Asian hackers opt mostly for off-the-shelf malware and mass-hosting ISPs, according to Trend Micro's Kellermann. There's also a more professional, "gun-for-hire" model in Eastern Europe, while Asian hackers are part of a mass-hacking population often led by government or other institutions -- more like "foot soldiers," he wrote in his report (PDF).

In Eastern Europe, hackers can leverage their individual reputations to make more money, whereas East Asian hackers are more associated with the organization that employs them, Kellermann says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
