Profiling The Cybercriminal And The Cyberspy

Insight into the key characteristics and behaviors of cybercrime versus cyberespionage attackers can help -- but the threats aren't just from China and Eastern Europe

First in an occasional series on knowing the attacker.

Chinese hackers operate more as big-box, thrifty enterprises with bargain-basement mini-botnets and commodity malware. Eastern European hackers run higher-end operations with bulletproof hosting and custom-built malware. Chinese hackers hide in plain sight, but try to maintain a foothold in their victims' organizations. Eastern European hackers stage camouflaged, commando-type raids to grab and run off with valuable financial information.

Those are some of the telltale characteristics of two of the main types of attackers businesses and public-sector organizations face today -- and the types of threats studied most by security researchers. Increasingly, there has been a shift toward getting to know the enemy behind the malware, mainly as a way to put up better defenses against these inevitable attacks. But like most things, the more you know, the more you realize what you don't know.

Enterprises and government agencies today tend to worry more about Chinese cyberespionage attacks than the financial credential- and account-stealing activities of attackers out of the Eastern European region, says Tom Kellermann, vice president of cybersecurity at Trend Micro, which last week published a report comparing the M.O.s of East Asian and Eastern European attackers.

But Eastern Europe poses just as much of a threat, he says, and these attackers are typically more sophisticated overall, employing custom-built, complex malware, and running their operations out of bulletproof hosting providers and advanced botnets. Plus, they steal credentials that can quickly be monetized. "If I was CEO of a corporation, I'd rather deal with East Asia than Eastern Europe because the Eastern European hacker crew comes in like commandos targeting your house in the suburbs, knowing everything about that house and going in and out, and [before you know it], you're done and you may not know you're done," he says.

China, along with Russia, Ukraine, and other Eastern European nations, has indeed drawn most of the spotlight as the origin of cyberthreats. But what about hackers in Brazil? North Korea? The Middle East?

"It's not just the Chinese; it's not just the Russians. There are a lot of other countries with robust criminal [enterprises and] modulation and automation of attack code," Kellermann says.

Focusing only on Chinese or Russian hackers misses the bigger threat picture, experts say. South America and the Middle East, for example, are hotbeds of activity -- Brazil in financial cybercrime, and the Middle East in hacktivism.


Jeffrey Carr, CEO of Taia Global, says the security industry needs to cast a wider net in its research. "We don't see the other countries [hacking] -- not because they are so good at it, but because we are looking at the same threat intelligence over and over and the same bad guys over and over," Carr says. "We are all watching the same publicly available data ... and it feeds on itself."

Carr attributes some of that to what he believes are financial incentives to focus on China. "The U.S.-China Economic and Security Review Commission is an expensive commission funded solely for finding threats from China," for example, he notes. "There's also money to be made in selling threat intelligence to the U.S. government if it involves China."

Part of the problem is that threat intelligence can't always keep up with attacks, security experts say. "Threat intelligence is way behind most of these capabilities," says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech.

Knowing more about who's hacking you can help you shore up your defenses, security experts say. And the bottom line is that most attacks today against U.S. targets come out of China and Eastern Europe, so any intelligence about what type of data they're after and how they operate can help, experts say.

Trend Micro's profile of East Asian versus Eastern European attackers is spot-on, security experts say. Their different styles and methods are basically a function of the types of attacks they are waging -- as well as the defenses they are facing: "[The] target environments are different: Banking fraud detection and prevention systems are typically much more sophisticated than your typical enterprise security infrastructure. Cybercrime malware tends to be much more sophisticated in regard to how it works, how it steals credentials, how it prevents detection, and how it remains resident on the infected host. But they also have a cycle-based attack methodology that involves constant churn of attack malware/infrastructure and domains," says Alex Cox, principal security researcher for RSA FirstWatch Threat Research.

Cox says Chinese APT actors opt for a "modular" attack model where they gain a foothold inside and then download additional tools as they need them. "They typically use malware with wide availability to begin with, and ramp up sophistication as defenders get better at discovering their intrusions," Cox says. "The end game is different for the two groups: Cybercrime is a cycle of compromise, steal data, recompromise, etc. APT is to establish a foothold, remain inside a network, continually steal data."

Eastern European attackers use more complex malware because they are after different things, notes Joe Stewart, director of malware research for Dell SecureWorks. "Eastern Europeans tend to be more stealthy at the system level, with low-level code, [such as] using rootkits," Stewart says. "They are doing clever things to inject processes to evade detection by antivirus ... and to maintain a large botnet."

The Chinese, meanwhile, try to be stealthy by not appearing stealthy. "In the more targeted attack ... the more techniques you use that are stealthy, the more systems you're going to trigger on a very paranoid network," Stewart says. "The Chinese use packers only about 5 percent of the time, ballpark. Unpacked malware is not as suspicious and fairly small. They try to be minimal and do a small number of things."
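Stewart's point about packers has a simple practitioner check behind it: a packed or encrypted section body is close to random, so its byte entropy sits near the 8-bit maximum, which is exactly what tooling on a paranoid network flags, while plain x86 code and import strings land well below it. The block below is an added example, not code from the article or from Dell SecureWorks, Trend Micro or RSA. It walks a PE section table with only the standard library and flags any section whose Shannon entropy reaches an assumed cutoff of 7.0 bits per byte; the `build_pe` helper and both sample images are constructed for the example and are parseable but not loadable binaries.

```python
"""Section-entropy check for PE files: a quick way to tell whether a sample is packed.

Added example, not code from the article or from any vendor quoted in it.
Constructed input only; the synthetic PE images are parseable but not loadable.
"""
import hashlib
import math
import struct
from collections import Counter

# Assumed cutoff: compressed or encrypted section bodies sit near 8 bits/byte,
# plain x86 code and ASCII strings usually land well below it. Tune on your own corpus.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk MZ -> PE signature -> COFF header -> section table, returning (name, raw bytes) pairs."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess(pe: bytes):
    """Return (looks_packed, report); report rows are (section, size, entropy, flagged)."""
    report = []
    for name, raw in parse_sections(pe):
        h = shannon_entropy(raw)
        report.append((name, len(raw), round(h, 2), h >= PACKED_THRESHOLD))
    return any(row[3] for row in report), report


def build_pe(sections):
    """Assemble a minimal PE image (constructed test input) holding the given (name, data) sections."""
    pe_off = 0x40
    table_off = pe_off + 4 + 20        # no optional header in this stub
    raw_ptr = table_off + 40 * len(sections)
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, body = bytearray(), bytearray()
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return bytes(dos) + coff + bytes(table) + bytes(body)


# Constructed stand-ins: an unpacked .text full of repetitive prologue bytes and import strings,
# versus a packed body that is effectively random (a SHA-256 counter stream).
_PLAIN_TEXT = (b"\x55\x8b\xec\x83\xec\x10\x56\x57" * 200
               + b"kernel32.dll\0GetProcAddress\0LoadLibraryA\0" * 25)
_PACKED_BODY = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

SAMPLE_PLAIN = build_pe([(b".text", _PLAIN_TEXT), (b".data", b"\0" * 512)])
SAMPLE_PACKED = build_pe([(b"UPX0", b""), (b"UPX1", _PACKED_BODY)])

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        verdict, rows = assess(sample)
        print(f"{label}: looks_packed={verdict}")
        for name, size, h, flagged in rows:
            print(f"  {name:<8} {size:6d} bytes  entropy={h:.2f}  {'PACKED?' if flagged else ''}")
```

Run as a script it prints a per-section table for both samples. The cutoff and the section-only view are heuristics: a small, unpacked tool of the kind Stewart describes passes this check, which is exactly his point, so pair entropy with imports, section names and observed behavior rather than relying on it alone.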

Their main engine is the person behind the keyboard on the other end of the attack, who, once inside, is able to quietly do his work manually, Stewart says.

But regardless of the differences, both Asian and Eastern European hackers are dangerous in their own way, he says.

While Eastern European attackers prefer custom-built malware and their own botnet infrastructures, East Asian hackers opt mostly for off-the-shelf malware and mass-hosting ISPs, according to Trend Micro's Kellermann. There's also a more professional, "gun-for-hire" model in Eastern Europe, while Asian hackers are part of a mass-hacking population often led by government or other institutions -- more like "foot soldiers," he wrote in his report.

In Eastern Europe, hackers can leverage their individual reputations to make more money, whereas East Asian hackers are more associated with the organization that employs them, Kellermann says.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
