Feeds

APT1, that scary cyber-Cold War gang: Not even China's best

More B-team than elite team, say security experts

Beginner's guide to SSL certificates

Shanghai hackers APT1 - outed this month in a high-profile report that linked them to the Chinese military - may not be China's top cyber-espionage team despite its moniker. Security experts say the team is more prolific than leet.

The gang, believed to carrying out orders from state officials, was accused of siphoning hundreds of terabytes of sensitive data from computers at scores of US corporations. China's government has denied any involvement.

Jaime Blasco, labs director at security tools firm AlienVault, described APT1, aka Comment Crew, as one of the more successful hacking group based on the number of targets attacked - but not necessarily on the skill level of its members.

"APT1 is one of the less sophisticated groups," Blasco said. "They commonly reuse the same infrastructure for years and their tools are more or less easy to detect. The techniques they use to gain access to the victims are more based on social engineering and most of the times they don't use zero-days exploits to gain access."

Several teams are said to be much more sophisticated, not least because they make extensive use of zero-day security vulnerabilities in Adobe PDF, Flash, Internet Explorer, Microsoft Office and Java to compromise systems: they often roam across domain names, IP addresses and network infrastructures, making them harder to pin down using previous intelligence.

"Their malware and tools has been built to avoid detection and to hide their presence and remain in the networks for years giving access to the compromised companies at any moment," Blasco said.

Confusingly, there isn't general agreement among security researchers on how to designate or name APT (advanced persistent threat) groups. Crews tend to be named after their computer espionage campaigns: "As an example you have groups like, Nitro, Aurora, ElderWood, Sykipot, Comment Crew (APT1), NightDragon, FlowerLday, Luckycat, Pitty Panda," according to Blasco.

Google and other high-tech firms were hit by malware in an attack dubbed Operation Aurora in 2009. Google went public with details of the assault in early 2010, blaming the Elderwood Crew or Beijing Group, another group of hackers allegedly affiliated with the Chinese state's People's Liberation Army (PLA). The group has also been linked to attacks against Tibetan activists. Sykipot is associated with the high-profile attacks against RSA Security and linked to the NightDragon attacks.

Joe Stewart, director of malware research at Dell SecureWorks CTU, broadly agreed with Blasco's assessment, but said that the skill level of Comment Crew's peeps varied.

"The Comment Crew are, in general, not terribly sophisticated," Stewart told El Reg. "But there are some people in there who are quite skilled not just in the malware they create but in their ability to hide their tracks. You are always going to get some junior members in any hacking or security group who are less skilled."

'Russian crims are milking this attention on China'

Industry experts such as Mandiant - which produced the high-profile dossier on APT1 this month - and Cyber Squared and others reckoned there are anywhere between a handful and 20 groups in China alone as well as a dozen more state-sponsored hacking crews in other countries.

Stewart explained that Dell SecureWork's research suggested that the Shanghai group was one of two main APT hacking crews based in China; the other main unit is apparently clustered around an ISP in Beijing. In addition, there are four or five anomalous groups, according to Stewart.

"The number of APTs groups is hard to define," he said. "When you look closely there are more or more links between different sub-sets that make us think that several are part of the same group."

Policy documents from the Obama administration, published last week, blamed Russia in addition to China for some cyber-espionage. Other spying activities - such as the Red October attack against former Soviet countries and, in particular, the Flame attack against Iran and other countries in the Middle East - don't fit the PLA-affiliated Chinese hackers narrative. US media reports claim Flame came from the same joint US-Israel operation codenamed Olympic Games that created Stuxnet.

"There is a small amount of APT activity coming out of different countries but none is on the same scale as China," Stewart told El Reg.

A minority of security researchers reckon the focus on China as the primary source of APT attacks, which commonly feature a combination of spear-phishing and custom malware, is dangerous.

"Now that everyone's obsessed with China, the Russian underground can continue 'milking' its favourite cash cow, the US," said cybercrime researcher Dancho Danchev. "Anything launched by eastern European cyber-criminals can be described as an APT these days. It's just that go after the dollar, not the intellectual propery," he added. ®

Beginner's guide to SSL certificates

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
How to simplify SSL certificate management
Simple steps to take control of SSL certificates across the enterprise, and recommendations centralizing certificate management throughout their lifecycle.