Feeds

Sinkholes reveal more Chinese-hacked biz - and piggybacking crims

It's not just state-backed spies using snoop-ware armies

The Essential Guide to IT Transformation

On the trail of the Comment Crew

The sinkholing approach allowed Dell SecureWorks CTU to identify several organisations under active attack by the so-called Chinese Comment Crew (also known as the Shanghai Group or APT1), a group of hackers exposed by a highly publicised report by computer security incident response firm Mandiant last week.

APT1 - believed to be a unit in China's People's Liberation Army and based in a nondescript multi-storey block in the suburbs of Shanghai - has targeted at least 141 organisations within 20 industries in the US and other English-speaking countries since 2006, according to Mandiant. China dismissed the allegations but Dell SecureWorks reckons the biz's findings are "broadly accurate".

According to the latest research from Dell SecureWorks, organisations targeted by the Comment Crew include an American university with a military research programme as well as plenty of other corporations. Dell SecureWorks will not name the targets of the cyber-attacks, only the industries they operate within.

In late 2012, Dell SecureWorks researchers took control of a domain used by the Comment Crew following the address's expiration. Subsequent analysis of the network traffic sent to the domain from malware-controlled computers revealed that machines in a large US university were phoning home to the domain using SSL encryption as the result of infection by a then unknown malware pathogen.

Dell SecureWorks researchers got in touch with the university's security team and passed on their research data. The university supplied DNS logs, which enabled Dell's researchers to link the malign activity to other malware deployed by Comment Crew.

A university seemed an odd target for the Shanghai-based e-spies. Why would APT1 ransack PCs belonging to students and professors? However after examining the data to the command server, and looking closer into the university's work, Dell SecureWorks researchers were able to conclude that the intended target of the campaign was the institution's warfare research laboratory.

Other victims of the same campaign identified by Dell SecureWorks, partly using data supplied by the university, included a US defence contractor, an American energy firm, and an international IT corporation.

Dell SecureWorks would never have discovered the university was a target without sinkholing, according to Cutler, who added that "sinkhole data shows successful compromises".

The security firm released its latest research into cyber-espionage attacks at the RSA conference in San Francisco on Wednesday.

Counterstrike

Dell SecureWorks began its sinkholing operation in 2011 with the successful takeover of a set of domains used to direct software nasties RegSubsDat and Enfal. It has taken down multiple botnets and alert numerous victims in the months since, releasing its previous findings in reports titled The Sin Digoo Affair in February 2012 and The Mirage Campaign last September.

At times, Dell SecureWorks reanimated botnets that had been inactive for months, finding victims who had remained infected for months in the process. Its security researchers took control of domains that were used in ongoing assaults and development of new types of malware. The biz utilised this intelligence to offer its customers defences against previously unknown malware threats.

Figures from a confirmed infiltration of the New York Times suggest that antivirus defences are poor at detecting cyber-espionage threats. Only one of the 45 malware samples thrown against the NYT over a four-month period was detected and blocked by its antivirus provider Symantec.

Stewart agreed that "commodity" antivirus was not particularly effective in dealing with APT invasions but argued that organisations are far from defenceless in the face of state-sponsored spies.

Intelligence-driven security procedures that include deep packet inspection, app whitelisting and sandboxing for links and attachments in incoming email can be effective. "You need to maintain a high alert and watch everything," Stewart concluded, adding that greater collaboration and information sharing was also important. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Russia to SAP, Apple: Hand over source code to prove you're not spies
And they'd get away with it too, if weren't for that meddling Snowden
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.