APTs Growing on Global Basis

Monday, August 6, 2012 @ 04:08 PM gHale


Turns out cyber espionage is out there more than you would think.

One security researcher found 200 different families of custom malware used to spy and steal intellectual property via an advanced persistent threat (APT).

RELATED STORIES
BIOS Susceptible to Attacks
BIOS Malware Almost Invisible
New Morto Worm More Potent
Chem Co. Halts USB Stick Attack

“There are so many families of malware. Based on my knowledge of public reports, I had a feeling there was a certain amount of activity … If I had to guess how many families were out there, [it was] a few dozen,” said Joe Stewart, director of malware research at Dell Secureworks. “But, no, I kept discovering one after another … They were all different, but basically do the same thing.”

Stewart also unearthed a private security firm located a firm in Asia, but not China, waging a targeted attack against another country’s military operations, as well as spying on U.S. and European companies and its own country’s journalists. He declined to provide details on the firm or its country of origin, but confirmed it is in a nation friendly with the U.S.

“They are selling a range of services, including ethical hacking classes,” he said. “Their own government is using their services.”

The company has its own malware, and is using spear-phishing and backdoors in its cyber espionage operations.

Stewart said he is not sure whether this type of spying activity under the guise of a legitimate company is just the tip of the iceberg. “There are plenty of examples of companies who paid a hacker to spy,” he said.

In addition, Dell Secureworks’ team found more than 1,100 domain names registered by APT-type groups for hosting malware command-and-control or phishing, and around 20,000 subdomains under that for command-and-control malware resolution. The team also found the Htran tool used by Chinese APTs still sees a wide amount of use by attackers.

Complicating things further is you really don’t know who is attacking. While China is the popular country to say is attacking, attackers from other nations often pose as Chinese attackers to throw off researchers and investigators.

“It’s very easy to jump to conclusions when it comes to attribution. You can copy digital fingerprints to appear like China,” said Roel Schouwenberg, senior researcher for global research and analysis at Kaspersky Lab.

Even more worrisome are the emerging hacking communities in Brazil and the Middle East getting into the act as well.

According to research conducted by HBGary, the number of Chinese cyber espionage groups has actually declined — most likely due to consolidation.



Leave a Reply

You must be logged in to post a comment.