Feeds

Chinese cyber-spook crew back in business, say security watchers

Who can tell the spies from the robbers?

The Power of One eBook: Top reasons to choose HP BladeSystem

The widely feared Chinese cyber-espionage crew known as APT1 is back in business two month after a high profile report that lifted the lid off its activities, according to security researchers.

Cyber Squared has been tracking numerous Chinese cyber espionage threat groups within ThreatConnect.com and crowd-sourcing threat intelligence with nearly 400 global security researchers. All signs suggest that “Comment Crew" and other Chinese APT threat groups are still conducting exploitation operations. In fact, there has been little change detected within "Comment Crew" operations. They have not significantly retooled their traditional implant technologies or command and control capabilities, nor modified their target selection process.

All this is contrary to earlier expectations that public exposure might result in dissolution or at least a significant long-term decrease of "Comment Crew" activity. Some even expected to see a more general reduction in the the activity of other Chinese cyber espionage threat groups.

Two month ago security consultancy Mandiant released a high-profile report on APT1 but despite this exposure “Comment Crew” tactics, tools, and procedures remain almost the same - or so says a blog post by Cyber Squared explains.

"The 'Comment Crew's' current targeting strategy is using legacy capabilities, with slight modifications, keeping with what has been previously observed in targeting campaigns," said Rich Barger, chief intelligence officer at Cyber Squared and a former US Army intelligence analyst.

"This new activity directly corresponds with the upcoming NDIA MODSIM Aerospace and Defense industry conference (April 30 through May 2, 2013) and could serve as evidence of pre-operational staging or testing."

APT control hubs in almost every country worldwide

The Comment Crew are the most high profile example of groups in China that use tactics such as zero-day exploits and spear phishing to run cyber-espionage campaigns.

Technology organisations are among the most frequent targets of advanced cyber attacks, according to a separate study by threat mitigation vendor FireEye.

Nine in 10 (89 per cent) of APT attacks feature use of Chinese attack tools, developed and disseminated by Chinese hacker groups, using utilities such as Gh0st RAT.

Some 184 nations house communication hubs, or command and control (CnC) servers, with Asia and Eastern Europe accounting for the majority of activity, according to FireEye. This compares to servers in 130 countries recorded by the same report three years ago.

Command and Control servers are used heavily during the life cycle of an attack to maintain communication with an infected machine using callbacks, enabling attackers to download and modify malware to evade detection, extract data, or expand an attack within a target organisation.

FireEye said it has blocked more than 12 million callback attempts to botnet C&C servers in 184 countries from thousands of appliances during 2012. The Asian nations of China, Korea, India, Japan, and Hong Kong accounted for 24 percent of global callbacks. Eastern European countries of Russia, Poland, Romania, Ukraine, Kazhakstan, and Latvia accounted for 22 percent of phone home requests from compromised systems. An interactive CnC callback map can be found on FireEye's website here. FireEye's full C&C callback report, Advanced Cyber Attack Landscape can be found here (registration required).

Technology companies experienced the highest rate of callback activity associated with the next generation of cyber attacks. Technology companies are targeted for the theft of intellectual property, sabotage, or modification of source code to support further criminal initiatives.

The FireEye report follows a report from Verizon last week that concluded that state-sponsored cyber-espionage was responsible for one in five data breaches last year. Verizon researchers recorded more cyber-espionage incidents than ever before. However the vast majority of cyber attacks remain profit motivated.

Verizon researchers said the vast majority of espionage attacks it investigated - 96 per cent - were traced back to China. By contrast the majority of (55 per cent) of criminally motivated attacks were traced back to either the US or Eastern Europe. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.