Scope Of APTs More Widespread Than Thought

Researcher uncovers hundreds of different custom malware families used by cyberspies -- and discovers an Asian security company conducting cyberespionage

Dark Reading logo in a gray background | Dark Reading

Turns out cyberespionage malware and activity is far more prolific than imagined: A renowned researcher has discovered some 200 different families of custom malware used to spy and steal intellectual property, with hundreds of attackers in just two groups out of Shanghai and Beijing.

"There are so many families of malware. Based on my knowledge of public reports, I had a feeling there was a certain amount of activity ... If I had to guess how many families were out there, [it was] a few dozen," says Joe Stewart, director of malware research at Dell Secureworks. "But, no, I kept discovering one after another ... They were all different, but basically do the same thing."

Stewart also unearthed a private security firm located in Asian -- not in China -- that is waging a targeted attack against another country's military operations, as well as spying on U.S. and European companies and its own country's journalists. He declined to provide details on the firm or its country of origin, but confirmed it's based in a nation that's friendly with the U.S.

"They are selling a range of services, including ethical hacking classes," he says. "Their own government is using their services."

The company has its own malware, and is using spear-phishing and backdoors in its cyberespionage operations.

Stewart says he's unsure whether this type of spying activity under the guise of a legitimate company is just the tip of the iceberg. "There are plenty of examples of companies who paid a hacker to spy," he says. This one is different, however, he says.

"They've got lots of domains registered, lots of malware," he says. "I worry that we will start to see a legitimization of this activity because governments are admitting to doing it," he says.

Dell Secureworks' team also found more than 1,100 domain names registered by APT-type groups for hosting malware command-and-control or phishing, and around 20,000 subdomains under that for command-and-control malware resolution. And the Htran tool used by Chinese APTs is still widely employed by attackers.

Complicating things further is that attribution can be tricky. While China conducts the majority of advanced persistent threat-type campaigns, attackers from other nations have been spotted posing as Chinese attackers to throw off researchers and investigators.

"It's very easy to jump to conclusions when it comes to attribution. You can copy digital fingerprints to appear like China," for example, says Roel Schouwenberg, senior researcher for global research and analysis at Kaspersky Lab.

Even more worrisome are the emerging hacking communities in Brazil and the Middle East getting into the act as well. "There's a very active hacking community in the Middle East -- Turkey -- and in Brazil, just like you're seeing with China," says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "They grow up on e-crime, cut their teeth on it. They are skilled at hacking and run scams on the side."

And according to recent research conducted by HBGary, the number of Chinese cyberespionage groups has actually declined -- most likely due to consolidation. "The number of APT groups is going down, not up," Hoglund wrote in a blog post last week on HBGary's link-analysis on APT groups out of China.

"Our link analysis reveals surprising, non-obvious connections between APT groups. The group list is being consolidated, not expanded. In numerous cases, what appear to be different groups are actually the same, " Hoglund said. "We have also seen other trends such as overlap between nation-state and e-Crime attacks – Chinese hackers committing both crimes. It would be easier to say 'The Chinese Are Coming!' and leave it at that."

[ Chinese cyberspies and traditional cybercriminals are relying on some of the same malware tools -- and some cyberspies even appear to be moonlighting. See The Intersection Between Cyberespionage and Cybercrime. ]

Dell Secureworks' Stewart says, overall, the APT malware he's seeing isn't necessarily advanced. "But the whole operation and how they are approaching it is advanced, with spear-phishing and the types of exploits they have access to. That's very advanced stuff," he says.

His team earlier this year also found a widespread APT campaign targeting Japans several government ministries, universities, news media, trade organizations, and industrial equipment manufacturers, were in the bull's eye.

But there's plenty more out there, security experts say. "There's a lot of cyberespionage happening internationally. This is not going to go away," Kaspersky's Schouwenberg says.

Dell Secureworks' Stewart plans to continue hunting down APT attackers. "We will see how many more we can find in the next six to 12 months and how they react to being outed," he says.

Said HBGary's Hoglund: "One thing is very clear about Chinese hackers: they have a long history. Many of the hackers know each other, have social links, potentially trade malware and tools, etc. As we have expanded our threat intelligence around Chinese APT, it has become very clear that it’s not about number of groups. Chinese APT is an emulsion of largely similar intentions, tools, and backstories."

The full report by Dell Secureworks' Stewart is available here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Read more about:

Black Hat News

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights