Feeds

Sinkholes reveal more Chinese-hacked biz - and piggybacking crims

It's not just state-backed spies using snoop-ware armies

High performance access to file storage

On the trail of the Comment Crew

The sinkholing approach allowed Dell SecureWorks CTU to identify several organisations under active attack by the so-called Chinese Comment Crew (also known as the Shanghai Group or APT1), a group of hackers exposed by a highly publicised report by computer security incident response firm Mandiant last week.

APT1 - believed to be a unit in China's People's Liberation Army and based in a nondescript multi-storey block in the suburbs of Shanghai - has targeted at least 141 organisations within 20 industries in the US and other English-speaking countries since 2006, according to Mandiant. China dismissed the allegations but Dell SecureWorks reckons the biz's findings are "broadly accurate".

According to the latest research from Dell SecureWorks, organisations targeted by the Comment Crew include an American university with a military research programme as well as plenty of other corporations. Dell SecureWorks will not name the targets of the cyber-attacks, only the industries they operate within.

In late 2012, Dell SecureWorks researchers took control of a domain used by the Comment Crew following the address's expiration. Subsequent analysis of the network traffic sent to the domain from malware-controlled computers revealed that machines in a large US university were phoning home to the domain using SSL encryption as the result of infection by a then unknown malware pathogen.

Dell SecureWorks researchers got in touch with the university's security team and passed on their research data. The university supplied DNS logs, which enabled Dell's researchers to link the malign activity to other malware deployed by Comment Crew.

A university seemed an odd target for the Shanghai-based e-spies. Why would APT1 ransack PCs belonging to students and professors? However after examining the data to the command server, and looking closer into the university's work, Dell SecureWorks researchers were able to conclude that the intended target of the campaign was the institution's warfare research laboratory.

Other victims of the same campaign identified by Dell SecureWorks, partly using data supplied by the university, included a US defence contractor, an American energy firm, and an international IT corporation.

Dell SecureWorks would never have discovered the university was a target without sinkholing, according to Cutler, who added that "sinkhole data shows successful compromises".

The security firm released its latest research into cyber-espionage attacks at the RSA conference in San Francisco on Wednesday.

Counterstrike

Dell SecureWorks began its sinkholing operation in 2011 with the successful takeover of a set of domains used to direct software nasties RegSubsDat and Enfal. It has taken down multiple botnets and alert numerous victims in the months since, releasing its previous findings in reports titled The Sin Digoo Affair in February 2012 and The Mirage Campaign last September.

At times, Dell SecureWorks reanimated botnets that had been inactive for months, finding victims who had remained infected for months in the process. Its security researchers took control of domains that were used in ongoing assaults and development of new types of malware. The biz utilised this intelligence to offer its customers defences against previously unknown malware threats.

Figures from a confirmed infiltration of the New York Times suggest that antivirus defences are poor at detecting cyber-espionage threats. Only one of the 45 malware samples thrown against the NYT over a four-month period was detected and blocked by its antivirus provider Symantec.

Stewart agreed that "commodity" antivirus was not particularly effective in dealing with APT invasions but argued that organisations are far from defenceless in the face of state-sponsored spies.

Intelligence-driven security procedures that include deep packet inspection, app whitelisting and sandboxing for links and attachments in incoming email can be effective. "You need to maintain a high alert and watch everything," Stewart concluded, adding that greater collaboration and information sharing was also important. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.