Feeds

APT1, that scary cyber-Cold War gang: Not even China's best

More B-team than elite team, say security experts

SANS - Survey on application security programs

Shanghai hackers APT1 - outed this month in a high-profile report that linked them to the Chinese military - may not be China's top cyber-espionage team despite its moniker. Security experts say the team is more prolific than leet.

The gang, believed to carrying out orders from state officials, was accused of siphoning hundreds of terabytes of sensitive data from computers at scores of US corporations. China's government has denied any involvement.

Jaime Blasco, labs director at security tools firm AlienVault, described APT1, aka Comment Crew, as one of the more successful hacking group based on the number of targets attacked - but not necessarily on the skill level of its members.

"APT1 is one of the less sophisticated groups," Blasco said. "They commonly reuse the same infrastructure for years and their tools are more or less easy to detect. The techniques they use to gain access to the victims are more based on social engineering and most of the times they don't use zero-days exploits to gain access."

Several teams are said to be much more sophisticated, not least because they make extensive use of zero-day security vulnerabilities in Adobe PDF, Flash, Internet Explorer, Microsoft Office and Java to compromise systems: they often roam across domain names, IP addresses and network infrastructures, making them harder to pin down using previous intelligence.

"Their malware and tools has been built to avoid detection and to hide their presence and remain in the networks for years giving access to the compromised companies at any moment," Blasco said.

Confusingly, there isn't general agreement among security researchers on how to designate or name APT (advanced persistent threat) groups. Crews tend to be named after their computer espionage campaigns: "As an example you have groups like, Nitro, Aurora, ElderWood, Sykipot, Comment Crew (APT1), NightDragon, FlowerLday, Luckycat, Pitty Panda," according to Blasco.

Google and other high-tech firms were hit by malware in an attack dubbed Operation Aurora in 2009. Google went public with details of the assault in early 2010, blaming the Elderwood Crew or Beijing Group, another group of hackers allegedly affiliated with the Chinese state's People's Liberation Army (PLA). The group has also been linked to attacks against Tibetan activists. Sykipot is associated with the high-profile attacks against RSA Security and linked to the NightDragon attacks.

Joe Stewart, director of malware research at Dell SecureWorks CTU, broadly agreed with Blasco's assessment, but said that the skill level of Comment Crew's peeps varied.

"The Comment Crew are, in general, not terribly sophisticated," Stewart told El Reg. "But there are some people in there who are quite skilled not just in the malware they create but in their ability to hide their tracks. You are always going to get some junior members in any hacking or security group who are less skilled."

'Russian crims are milking this attention on China'

Industry experts such as Mandiant - which produced the high-profile dossier on APT1 this month - and Cyber Squared and others reckoned there are anywhere between a handful and 20 groups in China alone as well as a dozen more state-sponsored hacking crews in other countries.

Stewart explained that Dell SecureWork's research suggested that the Shanghai group was one of two main APT hacking crews based in China; the other main unit is apparently clustered around an ISP in Beijing. In addition, there are four or five anomalous groups, according to Stewart.

"The number of APTs groups is hard to define," he said. "When you look closely there are more or more links between different sub-sets that make us think that several are part of the same group."

Policy documents from the Obama administration, published last week, blamed Russia in addition to China for some cyber-espionage. Other spying activities - such as the Red October attack against former Soviet countries and, in particular, the Flame attack against Iran and other countries in the Middle East - don't fit the PLA-affiliated Chinese hackers narrative. US media reports claim Flame came from the same joint US-Israel operation codenamed Olympic Games that created Stuxnet.

"There is a small amount of APT activity coming out of different countries but none is on the same scale as China," Stewart told El Reg.

A minority of security researchers reckon the focus on China as the primary source of APT attacks, which commonly feature a combination of spear-phishing and custom malware, is dangerous.

"Now that everyone's obsessed with China, the Russian underground can continue 'milking' its favourite cash cow, the US," said cybercrime researcher Dancho Danchev. "Anything launched by eastern European cyber-criminals can be described as an APT these days. It's just that go after the dollar, not the intellectual propery," he added. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.