Chinese cyber-spook crew back in business, say security watchers

Who can tell the spies from the robbers?

The widely feared Chinese cyber-espionage crew known as APT1 is back in business two months after a high-profile report lifted the lid on its activities, according to security researchers.

Cyber Squared has been tracking numerous Chinese cyber-espionage threat groups within ThreatConnect.com and crowd-sourcing threat intelligence with nearly 400 global security researchers. All signs suggest that "Comment Crew" and other Chinese APT threat groups are still conducting exploitation operations. In fact, little change has been detected within "Comment Crew" operations: the group has not significantly retooled its traditional implant technologies or command and control capabilities, nor modified its target selection process.

All this is contrary to earlier expectations that public exposure might result in the dissolution, or at least a significant long-term decrease, of "Comment Crew" activity. Some even expected to see a more general reduction in the activity of other Chinese cyber-espionage threat groups.

Two months ago security consultancy Mandiant released a high-profile report on APT1, but despite this exposure "Comment Crew" tactics, tools, and procedures remain almost the same, or so a blog post by Cyber Squared explains.

"The 'Comment Crew's' current targeting strategy is using legacy capabilities, with slight modifications, keeping with what has been previously observed in targeting campaigns," said Rich Barger, chief intelligence officer at Cyber Squared and a former US Army intelligence analyst.

"This new activity directly corresponds with the upcoming NDIA MODSIM Aerospace and Defense industry conference (April 30 through May 2, 2013) and could serve as evidence of pre-operational staging or testing."

APT control hubs in almost every country worldwide

The Comment Crew is the most high-profile example of the groups in China that use tactics such as zero-day exploits and spear phishing to run cyber-espionage campaigns.

Technology organisations are among the most frequent targets of advanced cyber attacks, according to a separate study by threat mitigation vendor FireEye.

Nine in 10 (89 per cent) of APT attacks feature the use of Chinese attack tools, developed and disseminated by Chinese hacker groups, such as the Gh0st RAT utility.

Some 184 nations house communication hubs, or command and control (CnC) servers, with Asia and Eastern Europe accounting for the majority of activity, according to FireEye. This compares to servers in 130 countries recorded by the same report three years ago.

Command and Control servers are used heavily during the life cycle of an attack to maintain communication with an infected machine using callbacks, enabling attackers to download and modify malware to evade detection, extract data, or expand an attack within a target organisation.

FireEye said it blocked more than 12 million callback attempts to botnet C&C servers in 184 countries from thousands of appliances during 2012. The Asian nations of China, Korea, India, Japan, and Hong Kong accounted for 24 per cent of global callbacks. The Eastern European countries of Russia, Poland, Romania, Ukraine, Kazakhstan, and Latvia accounted for 22 per cent of phone-home requests from compromised systems. An interactive CnC callback map can be found on FireEye's website here. FireEye's full C&C callback report, "Advanced Cyber Attack Landscape", can be found here (registration required).
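The callback behaviour described in the two paragraphs above (an implant phoning home to its C&C server at regular intervals, and a vendor tallying those phone-home requests) is something a defender can look for in ordinary web-proxy logs. The script below is an added example, not code from the article, Cyber Squared or FireEye: it parses a handful of constructed proxy log lines (hostnames and IP addresses are invented placeholders), groups requests by client and destination host, and flags client/host pairs whose inter-request timing is suspiciously regular, which is the classic signature of a beacon. The log format, the `min_contacts` and `max_cv` thresholds, and the host-to-region table are all assumptions chosen for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines: "<timestamp> <client-ip> <method> <host> <bytes>".
# Hosts and IPs are placeholders, not indicators from the article.
SAMPLE_LOG = """\
2013-04-15T09:00:00 10.0.0.5 GET updates.example-cdn.test 512
2013-04-15T09:00:07 10.0.0.7 GET news.example.test 20480
2013-04-15T09:05:01 10.0.0.5 GET updates.example-cdn.test 498
2013-04-15T09:10:02 10.0.0.5 GET updates.example-cdn.test 505
2013-04-15T09:12:40 10.0.0.7 GET mail.example.test 3000
2013-04-15T09:15:00 10.0.0.5 GET updates.example-cdn.test 500
2013-04-15T09:20:01 10.0.0.5 GET updates.example-cdn.test 511
2013-04-15T09:25:02 10.0.0.5 GET updates.example-cdn.test 497
2013-04-15T09:41:13 10.0.0.7 GET news.example.test 18000
2013-04-15T10:03:55 10.0.0.7 GET cdn.example.test 90000
"""

# Constructed host-to-region lookup, standing in for the geo-IP data a vendor
# would use to break callbacks down by country.
HOST_REGION = {"updates.example-cdn.test": "region-A"}


def parse_log(text):
    """Parse the constructed log format into a list of records sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "host": host,
            "bytes": int(nbytes),
        })
    return sorted(records, key=lambda r: r["ts"])


def find_beacons(records, min_contacts=5, max_cv=0.1):
    """Return client/host pairs whose request intervals look like a beacon.

    A pair is flagged when it has at least `min_contacts` requests and the
    coefficient of variation (stdev / mean) of the gaps between requests is
    below `max_cv`, i.e. the timing is far more regular than human browsing.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["ts"])

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_contacts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = {
                "count": len(stamps),
                "mean_interval_s": mean,
                "cv": cv,
                "avg_bytes": statistics.mean(
                    r["bytes"] for r in records
                    if (r["client"], r["host"]) == pair),
            }
    return beacons


def callbacks_by_region(beacons, host_region=HOST_REGION):
    """Tally flagged callback requests per region, like a vendor's callback map."""
    tally = defaultdict(int)
    for (_, host), info in beacons.items():
        tally[host_region.get(host, "unknown")] += info["count"]
    return dict(tally)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    found = find_beacons(recs)
    for (client, host), info in found.items():
        print(f"{client} -> {host}: {info['count']} contacts, "
              f"every ~{info['mean_interval_s']:.0f}s, cv={info['cv']:.3f}, "
              f"avg {info['avg_bytes']:.0f} bytes")
    print(callbacks_by_region(found))
```

On the sample data only the 10.0.0.5 to updates.example-cdn.test pair is flagged: six small, near-identical requests about 300 seconds apart, while the 10.0.0.7 traffic is sparse and irregular. Real implants add jitter, so on production logs the `max_cv` threshold has to be loosened and the result treated as a candidate for analyst review rather than a verdict.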

Technology companies experienced the highest rate of callback activity associated with the next generation of cyber attacks. Technology companies are targeted for the theft of intellectual property, sabotage, or modification of source code to support further criminal initiatives.

The FireEye report follows a report from Verizon last week that concluded that state-sponsored cyber-espionage was responsible for one in five data breaches last year. Verizon researchers recorded more cyber-espionage incidents than ever before. However, the vast majority of cyber attacks remain profit-motivated.

Verizon researchers said the vast majority of the espionage attacks it investigated, 96 per cent, were traced back to China. By contrast, the majority (55 per cent) of criminally motivated attacks were traced back to either the US or Eastern Europe. ®
