12 Groups Carry Out Most APT Attacks12 Groups Carry Out Most APT Attacks
Security consultants and the feds are tracking a dozen groups--all out of China--responsible for advanced threats.
December 20, 2011
Concerned with the amount of U.S. intellectual property being stolen from corporate networks, a group of security professionals sat down and compared notes on the various groups they tracked. They came up with an approximate tally of attackers targeting the intellectual property of U.S. and multinational companies: An even dozen, and all thought to be Chinese.
High-tech firms, oil companies, and defense contractors have all fallen prey to the 12 teams out to steal trade secrets and sensitive or classified information. While attempting to identify and count the groups behind the attacks may seem like an academic exercise, it's not, says Jon Ramsey, executive director of Dell Secureworks' counter threat unit.
"In the general scheme of things, knowing who your enemy is, is enlightening," he says.
One group, for example, is called the Comment Crew by Dell Secureworks because of its signature tactic of embedding command-and-control information in the comments of Web pages. "Understanding that, if you wanted to deal with the major attack from this one group, you can strip all comments out of the HTML pages as they come into your Web proxy," Ramsey says. "That is a pretty effective technique to deal with this one group."
Moreover, knowing whether an attacker is part of the advanced persistent threat (APT)--the term coined by the defense industry for attackers that don't go away--can determine whether a company calls in help. When a company suspects that a persistent attacker has set up shop inside their network, kicking them back out again is not easy, Richard Bejtlich, chief security officer for security consulting firm Mandiant, said in a recent interview.
Various attributes can be used to classify attackers into groups, including their tools and techniques, the characteristics of their infrastructure, and their targets. Mandiant, for example, keeps dossiers on the 12 groups it tracks, and when called in by a client, compares and gathers network intelligence with what it knows about the usual suspects. The company can analyze an incident under investigation and match it to various groups' modes of operation, including their tools, the passwords, the encryption used, their command-and-control infrastructure, and their targets.
Read the rest of this article on Dark Reading.
Read our report on how to guard your systems from a SQL attack. Download the report now. (Free registration required.)
Read more about:2011
About the Author(s)
You May Also Like
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What's In Your Cloud?Nov 30, 2023