Feeds

APT1, that scary cyber-Cold War gang: Not even China's best

More B-team than elite team, say security experts

Reducing security risks from open source software

Shanghai hackers APT1 - outed this month in a high-profile report that linked them to the Chinese military - may not be China's top cyber-espionage team despite its moniker. Security experts say the team is more prolific than leet.

The gang, believed to carrying out orders from state officials, was accused of siphoning hundreds of terabytes of sensitive data from computers at scores of US corporations. China's government has denied any involvement.

Jaime Blasco, labs director at security tools firm AlienVault, described APT1, aka Comment Crew, as one of the more successful hacking group based on the number of targets attacked - but not necessarily on the skill level of its members.

"APT1 is one of the less sophisticated groups," Blasco said. "They commonly reuse the same infrastructure for years and their tools are more or less easy to detect. The techniques they use to gain access to the victims are more based on social engineering and most of the times they don't use zero-days exploits to gain access."

Several teams are said to be much more sophisticated, not least because they make extensive use of zero-day security vulnerabilities in Adobe PDF, Flash, Internet Explorer, Microsoft Office and Java to compromise systems: they often roam across domain names, IP addresses and network infrastructures, making them harder to pin down using previous intelligence.

"Their malware and tools has been built to avoid detection and to hide their presence and remain in the networks for years giving access to the compromised companies at any moment," Blasco said.

Confusingly, there isn't general agreement among security researchers on how to designate or name APT (advanced persistent threat) groups. Crews tend to be named after their computer espionage campaigns: "As an example you have groups like, Nitro, Aurora, ElderWood, Sykipot, Comment Crew (APT1), NightDragon, FlowerLday, Luckycat, Pitty Panda," according to Blasco.

Google and other high-tech firms were hit by malware in an attack dubbed Operation Aurora in 2009. Google went public with details of the assault in early 2010, blaming the Elderwood Crew or Beijing Group, another group of hackers allegedly affiliated with the Chinese state's People's Liberation Army (PLA). The group has also been linked to attacks against Tibetan activists. Sykipot is associated with the high-profile attacks against RSA Security and linked to the NightDragon attacks.

Joe Stewart, director of malware research at Dell SecureWorks CTU, broadly agreed with Blasco's assessment, but said that the skill level of Comment Crew's peeps varied.

"The Comment Crew are, in general, not terribly sophisticated," Stewart told El Reg. "But there are some people in there who are quite skilled not just in the malware they create but in their ability to hide their tracks. You are always going to get some junior members in any hacking or security group who are less skilled."

'Russian crims are milking this attention on China'

Industry experts such as Mandiant - which produced the high-profile dossier on APT1 this month - and Cyber Squared and others reckoned there are anywhere between a handful and 20 groups in China alone as well as a dozen more state-sponsored hacking crews in other countries.

Stewart explained that Dell SecureWork's research suggested that the Shanghai group was one of two main APT hacking crews based in China; the other main unit is apparently clustered around an ISP in Beijing. In addition, there are four or five anomalous groups, according to Stewart.

"The number of APTs groups is hard to define," he said. "When you look closely there are more or more links between different sub-sets that make us think that several are part of the same group."

Policy documents from the Obama administration, published last week, blamed Russia in addition to China for some cyber-espionage. Other spying activities - such as the Red October attack against former Soviet countries and, in particular, the Flame attack against Iran and other countries in the Middle East - don't fit the PLA-affiliated Chinese hackers narrative. US media reports claim Flame came from the same joint US-Israel operation codenamed Olympic Games that created Stuxnet.

"There is a small amount of APT activity coming out of different countries but none is on the same scale as China," Stewart told El Reg.

A minority of security researchers reckon the focus on China as the primary source of APT attacks, which commonly feature a combination of spear-phishing and custom malware, is dangerous.

"Now that everyone's obsessed with China, the Russian underground can continue 'milking' its favourite cash cow, the US," said cybercrime researcher Dancho Danchev. "Anything launched by eastern European cyber-criminals can be described as an APT these days. It's just that go after the dollar, not the intellectual propery," he added. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
L33t haxxors compete to p0wn popular home routers
EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.