Feeds

APT1, that scary cyber-Cold War gang: Not even China's best

More B-team than elite team, say security experts

5 things you didn’t know about cloud backup

Shanghai hackers APT1 - outed this month in a high-profile report that linked them to the Chinese military - may not be China's top cyber-espionage team despite its moniker. Security experts say the team is more prolific than leet.

The gang, believed to carrying out orders from state officials, was accused of siphoning hundreds of terabytes of sensitive data from computers at scores of US corporations. China's government has denied any involvement.

Jaime Blasco, labs director at security tools firm AlienVault, described APT1, aka Comment Crew, as one of the more successful hacking group based on the number of targets attacked - but not necessarily on the skill level of its members.

"APT1 is one of the less sophisticated groups," Blasco said. "They commonly reuse the same infrastructure for years and their tools are more or less easy to detect. The techniques they use to gain access to the victims are more based on social engineering and most of the times they don't use zero-days exploits to gain access."

Several teams are said to be much more sophisticated, not least because they make extensive use of zero-day security vulnerabilities in Adobe PDF, Flash, Internet Explorer, Microsoft Office and Java to compromise systems: they often roam across domain names, IP addresses and network infrastructures, making them harder to pin down using previous intelligence.

"Their malware and tools has been built to avoid detection and to hide their presence and remain in the networks for years giving access to the compromised companies at any moment," Blasco said.

Confusingly, there isn't general agreement among security researchers on how to designate or name APT (advanced persistent threat) groups. Crews tend to be named after their computer espionage campaigns: "As an example you have groups like, Nitro, Aurora, ElderWood, Sykipot, Comment Crew (APT1), NightDragon, FlowerLday, Luckycat, Pitty Panda," according to Blasco.

Google and other high-tech firms were hit by malware in an attack dubbed Operation Aurora in 2009. Google went public with details of the assault in early 2010, blaming the Elderwood Crew or Beijing Group, another group of hackers allegedly affiliated with the Chinese state's People's Liberation Army (PLA). The group has also been linked to attacks against Tibetan activists. Sykipot is associated with the high-profile attacks against RSA Security and linked to the NightDragon attacks.

Joe Stewart, director of malware research at Dell SecureWorks CTU, broadly agreed with Blasco's assessment, but said that the skill level of Comment Crew's peeps varied.

"The Comment Crew are, in general, not terribly sophisticated," Stewart told El Reg. "But there are some people in there who are quite skilled not just in the malware they create but in their ability to hide their tracks. You are always going to get some junior members in any hacking or security group who are less skilled."

'Russian crims are milking this attention on China'

Industry experts such as Mandiant - which produced the high-profile dossier on APT1 this month - and Cyber Squared and others reckoned there are anywhere between a handful and 20 groups in China alone as well as a dozen more state-sponsored hacking crews in other countries.

Stewart explained that Dell SecureWork's research suggested that the Shanghai group was one of two main APT hacking crews based in China; the other main unit is apparently clustered around an ISP in Beijing. In addition, there are four or five anomalous groups, according to Stewart.

"The number of APTs groups is hard to define," he said. "When you look closely there are more or more links between different sub-sets that make us think that several are part of the same group."

Policy documents from the Obama administration, published last week, blamed Russia in addition to China for some cyber-espionage. Other spying activities - such as the Red October attack against former Soviet countries and, in particular, the Flame attack against Iran and other countries in the Middle East - don't fit the PLA-affiliated Chinese hackers narrative. US media reports claim Flame came from the same joint US-Israel operation codenamed Olympic Games that created Stuxnet.

"There is a small amount of APT activity coming out of different countries but none is on the same scale as China," Stewart told El Reg.

A minority of security researchers reckon the focus on China as the primary source of APT attacks, which commonly feature a combination of spear-phishing and custom malware, is dangerous.

"Now that everyone's obsessed with China, the Russian underground can continue 'milking' its favourite cash cow, the US," said cybercrime researcher Dancho Danchev. "Anything launched by eastern European cyber-criminals can be described as an APT these days. It's just that go after the dollar, not the intellectual propery," he added. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.