Feeds

Chinese cyber-spook crew back in business, say security watchers

Who can tell the spies from the robbers?

Secure remote control for conventional and virtual desktops

The widely feared Chinese cyber-espionage crew known as APT1 is back in business two month after a high profile report that lifted the lid off its activities, according to security researchers.

Cyber Squared has been tracking numerous Chinese cyber espionage threat groups within ThreatConnect.com and crowd-sourcing threat intelligence with nearly 400 global security researchers. All signs suggest that “Comment Crew" and other Chinese APT threat groups are still conducting exploitation operations. In fact, there has been little change detected within "Comment Crew" operations. They have not significantly retooled their traditional implant technologies or command and control capabilities, nor modified their target selection process.

All this is contrary to earlier expectations that public exposure might result in dissolution or at least a significant long-term decrease of "Comment Crew" activity. Some even expected to see a more general reduction in the the activity of other Chinese cyber espionage threat groups.

Two month ago security consultancy Mandiant released a high-profile report on APT1 but despite this exposure “Comment Crew” tactics, tools, and procedures remain almost the same - or so says a blog post by Cyber Squared explains.

"The 'Comment Crew's' current targeting strategy is using legacy capabilities, with slight modifications, keeping with what has been previously observed in targeting campaigns," said Rich Barger, chief intelligence officer at Cyber Squared and a former US Army intelligence analyst.

"This new activity directly corresponds with the upcoming NDIA MODSIM Aerospace and Defense industry conference (April 30 through May 2, 2013) and could serve as evidence of pre-operational staging or testing."

APT control hubs in almost every country worldwide

The Comment Crew are the most high profile example of groups in China that use tactics such as zero-day exploits and spear phishing to run cyber-espionage campaigns.

Technology organisations are among the most frequent targets of advanced cyber attacks, according to a separate study by threat mitigation vendor FireEye.

Nine in 10 (89 per cent) of APT attacks feature use of Chinese attack tools, developed and disseminated by Chinese hacker groups, using utilities such as Gh0st RAT.

Some 184 nations house communication hubs, or command and control (CnC) servers, with Asia and Eastern Europe accounting for the majority of activity, according to FireEye. This compares to servers in 130 countries recorded by the same report three years ago.

Command and Control servers are used heavily during the life cycle of an attack to maintain communication with an infected machine using callbacks, enabling attackers to download and modify malware to evade detection, extract data, or expand an attack within a target organisation.

FireEye said it has blocked more than 12 million callback attempts to botnet C&C servers in 184 countries from thousands of appliances during 2012. The Asian nations of China, Korea, India, Japan, and Hong Kong accounted for 24 percent of global callbacks. Eastern European countries of Russia, Poland, Romania, Ukraine, Kazhakstan, and Latvia accounted for 22 percent of phone home requests from compromised systems. An interactive CnC callback map can be found on FireEye's website here. FireEye's full C&C callback report, Advanced Cyber Attack Landscape can be found here (registration required).

Technology companies experienced the highest rate of callback activity associated with the next generation of cyber attacks. Technology companies are targeted for the theft of intellectual property, sabotage, or modification of source code to support further criminal initiatives.

The FireEye report follows a report from Verizon last week that concluded that state-sponsored cyber-espionage was responsible for one in five data breaches last year. Verizon researchers recorded more cyber-espionage incidents than ever before. However the vast majority of cyber attacks remain profit motivated.

Verizon researchers said the vast majority of espionage attacks it investigated - 96 per cent - were traced back to China. By contrast the majority of (55 per cent) of criminally motivated attacks were traced back to either the US or Eastern Europe. ®

New hybrid storage solutions

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.