In this research, Dell SecureWorks first describes how it identified three abandoned malware C&C domains. It registered the names to itself and began analyzing the traffic from still-infected computers attempting to report back to their command servers. In such circumstances the researchers can locate the infected computers by their IP addresses, but at this stage know neither the specific malware infection nor the location of the hackers who control the command server. This type of research involves analyzing the traffic content for clues or a fingerprint that will identify either.
Two of these three command servers received a higher than expected number of calls. This and other clues in the traffic content led Dell to conclude that the malware was not likely to be related to APT activity. The third was different. “The small number of victims,” reports Dell, “the types of victims we saw sending phone home requests, and the details, in the WHOIS data for the domain, all fit the profile of that of a targeted attack.” Dell was subsequently able to reach out to victims and provide “all relevant data so they could remove the infection.”
This same process was then used on a domain that had been used and abandoned by the Comment Group of hackers. Analyzing the traffic, Dell concluded that it involved malware that it named Busesel, and that the target was a specific university’s laboratory that undertakes military research. After contacting the university, and with help from data provided by the university, Dell “identified several more victims related to this malware and the Comment Group. These victims include a U.S. defense contractor, a U.S.-based energy company, and an international information technology company.”
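The sinkhole triage described above (register the abandoned domain, count who phones home, decide whether the infection looks targeted or commodity, then collect the victim IPs for notification) as an added example; this is illustrative code, not Dell SecureWorks' tooling. The log format, the sample lines and the victim-count threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sinkhole log (sample data, not from the research): one line per
# phone-home request received on a re-registered C&C domain, in the assumed form
# "<timestamp> <source IP> <Host header> <method> <path> <version>".
SINKHOLE_LOG = """\
2012-08-01T10:00:01Z 203.0.113.5 c2-one.example GET /upd.php?id=1a2b HTTP/1.1
2012-08-01T10:00:03Z 203.0.113.17 c2-one.example GET /upd.php?id=3c4d HTTP/1.1
2012-08-01T10:00:09Z 198.51.100.2 c2-one.example GET /upd.php?id=5e6f HTTP/1.1
2012-08-01T10:00:11Z 198.51.100.44 c2-one.example GET /upd.php?id=7a8b HTTP/1.1
2012-08-01T10:00:15Z 192.0.2.9 c2-one.example GET /upd.php?id=9c0d HTTP/1.1
2012-08-01T10:01:02Z 192.0.2.30 c2-two.example POST /cgi-bin/report.cgi HTTP/1.1
2012-08-01T10:01:40Z 192.0.2.30 c2-two.example POST /cgi-bin/report.cgi HTTP/1.1
this line is deliberately malformed and must be skipped
2012-08-01T10:02:05Z 203.0.113.77 c2-two.example POST /cgi-bin/report.cgi HTTP/1.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$"
)

def beacon_fingerprint(method, path):
    """Normalise a request so per-victim IDs in the query string do not split
    one malware family's beacon into many distinct patterns."""
    normalised = re.sub(r"=[^&]*", "=<id>", path)
    return f"{method} {normalised}"

def triage(log_text, targeted_max_victims=3):
    """Group sinkhole hits by domain and apply the page's heuristic: a small
    number of distinct victims suggests a targeted (APT-style) infection, a
    large number suggests commodity malware. The threshold is an assumption."""
    per_domain = defaultdict(lambda: {"victims": set(), "requests": 0, "patterns": set()})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1          # unparsable lines are counted, never silently dropped
            continue
        d = per_domain[m["host"]]
        d["victims"].add(m["src"])
        d["requests"] += 1
        d["patterns"].add(beacon_fingerprint(m["method"], m["path"]))
    domains = {}
    for host, d in per_domain.items():
        n = len(d["victims"])
        domains[host] = {
            "victims": n,
            "requests": d["requests"],
            "fingerprint": sorted(d["patterns"]),
            "victim_ips": sorted(d["victims"]),   # the list used to notify infected parties
            "assessment": "candidate targeted attack" if n <= targeted_max_victims
                          else "likely commodity malware",
        }
    return {"domains": domains, "skipped_lines": skipped}
```

In practice the victim count would be weighed together with the kinds of organisations behind the IPs and the domain's WHOIS details, as the article notes, rather than used alone.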
At no point in the paper does Dell mention ‘China’ specifically – just the ‘Comment Group’, a prolific APT hacking group that is generally believed to be based in China. In a separate conversation with Infosecurity, however, the paper’s authors, Joe Stewart and Silas Cutler, explained why researchers are so certain that despite IP address obfuscation they are able to trace the source back to its origins in China.
It involves htran, the software hackers use to hide their tracks. Htran is a connection bouncer, designed to redirect TCP traffic destined for one host to an alternate host, and hackers use it to disguise their location. Back in 2011 Dell discovered that, under certain circumstances, it provides clues to the originating IP address, and used this discovery to demonstrate that the source of the RSA breach was indeed in China: “Every hidden IP address observed in the HTran error messages captured during our survey is located on just a few different networks in the People's Republic of China (PRC).” This same process has been used to track Comment Group APT hackers back to China.
Nevertheless, Stewart and Cutler declined to say it was specifically the Chinese military behind the hacks. “We know the precise location of the attacking computers,” they told Infosecurity, “but we don’t know the people at the keyboards nor their specific motivation.”