Sinkholes reveal more Chinese-hacked biz - and piggybacking crims
It's not just state-backed spies using snoop-ware armies
On the trail of the Comment Crew
The sinkholing approach allowed Dell SecureWorks CTU to identify several organisations under active attack by the so-called Chinese Comment Crew (also known as the Shanghai Group or APT1), a group of hackers exposed by a highly publicised report by computer security incident response firm Mandiant last week.
APT1 - believed to be a unit in China's People's Liberation Army and based in a nondescript multi-storey block in the suburbs of Shanghai - has targeted at least 141 organisations within 20 industries in the US and other English-speaking countries since 2006, according to Mandiant. China dismissed the allegations but Dell SecureWorks reckons the biz's findings are "broadly accurate".
According to the latest research from Dell SecureWorks, organisations targeted by the Comment Crew include an American university with a military research programme as well as plenty of other corporations. Dell SecureWorks will not name the targets of the cyber-attacks, only the industries they operate within.
In late 2012, Dell SecureWorks researchers took control of a domain used by the Comment Crew following the address's expiration. Subsequent analysis of the network traffic sent to the domain from malware-controlled computers revealed that machines in a large US university were phoning home to the domain using SSL encryption as the result of infection by a then unknown malware pathogen.
Dell SecureWorks researchers got in touch with the university's security team and passed on their research data. The university supplied DNS logs, which enabled Dell's researchers to link the malign activity to other malware deployed by Comment Crew.
A university seemed an odd target for the Shanghai-based e-spies. Why would APT1 ransack PCs belonging to students and professors? However after examining the data to the command server, and looking closer into the university's work, Dell SecureWorks researchers were able to conclude that the intended target of the campaign was the institution's warfare research laboratory.
Other victims of the same campaign identified by Dell SecureWorks, partly using data supplied by the university, included a US defence contractor, an American energy firm, and an international IT corporation.
Dell SecureWorks would never have discovered the university was a target without sinkholing, according to Cutler, who added that "sinkhole data shows successful compromises".
The security firm released its latest research into cyber-espionage attacks at the RSA conference in San Francisco on Wednesday.
Dell SecureWorks began its sinkholing operation in 2011 with the successful takeover of a set of domains used to direct software nasties RegSubsDat and Enfal. It has taken down multiple botnets and alert numerous victims in the months since, releasing its previous findings in reports titled The Sin Digoo Affair in February 2012 and The Mirage Campaign last September.
At times, Dell SecureWorks reanimated botnets that had been inactive for months, finding victims who had remained infected for months in the process. Its security researchers took control of domains that were used in ongoing assaults and development of new types of malware. The biz utilised this intelligence to offer its customers defences against previously unknown malware threats.
Figures from a confirmed infiltration of the New York Times suggest that antivirus defences are poor at detecting cyber-espionage threats. Only one of the 45 malware samples thrown against the NYT over a four-month period was detected and blocked by its antivirus provider Symantec.
Stewart agreed that "commodity" antivirus was not particularly effective in dealing with APT invasions but argued that organisations are far from defenceless in the face of state-sponsored spies.
Intelligence-driven security procedures that include deep packet inspection, app whitelisting and sandboxing for links and attachments in incoming email can be effective. "You need to maintain a high alert and watch everything," Stewart concluded, adding that greater collaboration and information sharing was also important. ®
Sponsored: Customer Identity and Access Management