Feeds

Sinkholes reveal more Chinese-hacked biz - and piggybacking crims

It's not just state-backed spies using snoop-ware armies

SANS - Survey on application security programs

On the trail of the Comment Crew

The sinkholing approach allowed Dell SecureWorks CTU to identify several organisations under active attack by the so-called Chinese Comment Crew (also known as the Shanghai Group or APT1), a group of hackers exposed by a highly publicised report by computer security incident response firm Mandiant last week.

APT1 - believed to be a unit in China's People's Liberation Army and based in a nondescript multi-storey block in the suburbs of Shanghai - has targeted at least 141 organisations within 20 industries in the US and other English-speaking countries since 2006, according to Mandiant. China dismissed the allegations but Dell SecureWorks reckons the biz's findings are "broadly accurate".

According to the latest research from Dell SecureWorks, organisations targeted by the Comment Crew include an American university with a military research programme as well as plenty of other corporations. Dell SecureWorks will not name the targets of the cyber-attacks, only the industries they operate within.

In late 2012, Dell SecureWorks researchers took control of a domain used by the Comment Crew following the address's expiration. Subsequent analysis of the network traffic sent to the domain from malware-controlled computers revealed that machines in a large US university were phoning home to the domain using SSL encryption as the result of infection by a then unknown malware pathogen.

Dell SecureWorks researchers got in touch with the university's security team and passed on their research data. The university supplied DNS logs, which enabled Dell's researchers to link the malign activity to other malware deployed by Comment Crew.

A university seemed an odd target for the Shanghai-based e-spies. Why would APT1 ransack PCs belonging to students and professors? However after examining the data to the command server, and looking closer into the university's work, Dell SecureWorks researchers were able to conclude that the intended target of the campaign was the institution's warfare research laboratory.

Other victims of the same campaign identified by Dell SecureWorks, partly using data supplied by the university, included a US defence contractor, an American energy firm, and an international IT corporation.

Dell SecureWorks would never have discovered the university was a target without sinkholing, according to Cutler, who added that "sinkhole data shows successful compromises".

The security firm released its latest research into cyber-espionage attacks at the RSA conference in San Francisco on Wednesday.

Counterstrike

Dell SecureWorks began its sinkholing operation in 2011 with the successful takeover of a set of domains used to direct software nasties RegSubsDat and Enfal. It has taken down multiple botnets and alert numerous victims in the months since, releasing its previous findings in reports titled The Sin Digoo Affair in February 2012 and The Mirage Campaign last September.

At times, Dell SecureWorks reanimated botnets that had been inactive for months, finding victims who had remained infected for months in the process. Its security researchers took control of domains that were used in ongoing assaults and development of new types of malware. The biz utilised this intelligence to offer its customers defences against previously unknown malware threats.

Figures from a confirmed infiltration of the New York Times suggest that antivirus defences are poor at detecting cyber-espionage threats. Only one of the 45 malware samples thrown against the NYT over a four-month period was detected and blocked by its antivirus provider Symantec.

Stewart agreed that "commodity" antivirus was not particularly effective in dealing with APT invasions but argued that organisations are far from defenceless in the face of state-sponsored spies.

Intelligence-driven security procedures that include deep packet inspection, app whitelisting and sandboxing for links and attachments in incoming email can be effective. "You need to maintain a high alert and watch everything," Stewart concluded, adding that greater collaboration and information sharing was also important. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.