Feeds

Chinese cyber-spook crew back in business, say security watchers

Who can tell the spies from the robbers?

Providing a secure and efficient Helpdesk

The widely feared Chinese cyber-espionage crew known as APT1 is back in business two month after a high profile report that lifted the lid off its activities, according to security researchers.

Cyber Squared has been tracking numerous Chinese cyber espionage threat groups within ThreatConnect.com and crowd-sourcing threat intelligence with nearly 400 global security researchers. All signs suggest that “Comment Crew" and other Chinese APT threat groups are still conducting exploitation operations. In fact, there has been little change detected within "Comment Crew" operations. They have not significantly retooled their traditional implant technologies or command and control capabilities, nor modified their target selection process.

All this is contrary to earlier expectations that public exposure might result in dissolution or at least a significant long-term decrease of "Comment Crew" activity. Some even expected to see a more general reduction in the the activity of other Chinese cyber espionage threat groups.

Two month ago security consultancy Mandiant released a high-profile report on APT1 but despite this exposure “Comment Crew” tactics, tools, and procedures remain almost the same - or so says a blog post by Cyber Squared explains.

"The 'Comment Crew's' current targeting strategy is using legacy capabilities, with slight modifications, keeping with what has been previously observed in targeting campaigns," said Rich Barger, chief intelligence officer at Cyber Squared and a former US Army intelligence analyst.

"This new activity directly corresponds with the upcoming NDIA MODSIM Aerospace and Defense industry conference (April 30 through May 2, 2013) and could serve as evidence of pre-operational staging or testing."

APT control hubs in almost every country worldwide

The Comment Crew are the most high profile example of groups in China that use tactics such as zero-day exploits and spear phishing to run cyber-espionage campaigns.

Technology organisations are among the most frequent targets of advanced cyber attacks, according to a separate study by threat mitigation vendor FireEye.

Nine in 10 (89 per cent) of APT attacks feature use of Chinese attack tools, developed and disseminated by Chinese hacker groups, using utilities such as Gh0st RAT.

Some 184 nations house communication hubs, or command and control (CnC) servers, with Asia and Eastern Europe accounting for the majority of activity, according to FireEye. This compares to servers in 130 countries recorded by the same report three years ago.

Command and Control servers are used heavily during the life cycle of an attack to maintain communication with an infected machine using callbacks, enabling attackers to download and modify malware to evade detection, extract data, or expand an attack within a target organisation.

FireEye said it has blocked more than 12 million callback attempts to botnet C&C servers in 184 countries from thousands of appliances during 2012. The Asian nations of China, Korea, India, Japan, and Hong Kong accounted for 24 percent of global callbacks. Eastern European countries of Russia, Poland, Romania, Ukraine, Kazhakstan, and Latvia accounted for 22 percent of phone home requests from compromised systems. An interactive CnC callback map can be found on FireEye's website here. FireEye's full C&C callback report, Advanced Cyber Attack Landscape can be found here (registration required).

Technology companies experienced the highest rate of callback activity associated with the next generation of cyber attacks. Technology companies are targeted for the theft of intellectual property, sabotage, or modification of source code to support further criminal initiatives.

The FireEye report follows a report from Verizon last week that concluded that state-sponsored cyber-espionage was responsible for one in five data breaches last year. Verizon researchers recorded more cyber-espionage incidents than ever before. However the vast majority of cyber attacks remain profit motivated.

Verizon researchers said the vast majority of espionage attacks it investigated - 96 per cent - were traced back to China. By contrast the majority of (55 per cent) of criminally motivated attacks were traced back to either the US or Eastern Europe. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.