APTs and the Moriarty of Cybercrime

Researchers have analyzed 11 apparently distinct APT campaigns, and have come to the conclusion that they are not as distinct as previously thought

In May this year, FireEye reported on an APT campaign it dubbed the Sunshop campaign – a typical water hole operation that first compromised strategic websites and then diverted visitors to a malicious site serving multiple exploits. A week later it discovered other related attacks. When it analyzed the underlying infrastructure it found, according to a new report, unexpected commonalities. "The Sunshop campaign utilized resources shared across a number of other APT campaigns not initially tied to Sunshop."

Looking further, it found that "11 different APT campaigns used the same malware tools, the same elements of code, binaries with the same timestamps, and signed binaries with the same digital certificates." In short, it "identified a shared development and logistics operation used to support a number of different APT actors engaged in distinctive but overlapping campaigns."

The mission of this quartermaster, suggests FireEye, is to "supply and maintain malware tools and weapons to support cyber espionage. This digital quartermaster also might be a cyber arms dealer of sorts, a common supplier of tools used to conduct attacks and establish footholds in targeted systems."

Key to this conclusion has been the discovery of what FireEye describes as a shared malware builder tool. Builder tools are developed by specialist coders who might not be specialist hackers; they provide the means to build the malware that facilitates hacking. "This separation of tasks is more efficient and supports a faster tempo of offensive operations," says FireEye. "A typical builder provides a graphical user interface that enables a threat actor to configure elements such as the location of the CnC server."
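The correlation FireEye describes (campaigns tied together by shared compile timestamps, signing certificates and builder artifacts) can be reproduced on an analyst's own sample set. The following is an added illustration, not code from the report or from FireEye; it runs on constructed, hypothetical records and returns not only the clusters but the specific artifact behind each link, since a single shared value (a timestamp in particular) is weak evidence on its own and should be reviewed before two campaigns are treated as one.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample records, one per binary: (campaign, PE compile timestamp,
# code-signing certificate serial, builder fingerprint). Hypothetical values,
# not data from the FireEye report.
Record = Tuple[str, str, str, str]
SAMPLES: List[Record] = [
    ("campaign_a", "2013-03-02T10:15:00", "CERT-1111", "builder_x"),
    ("campaign_b", "2013-03-02T10:15:00", "CERT-2222", "builder_y"),  # same timestamp as a
    ("campaign_c", "2013-04-11T08:00:00", "CERT-2222", "builder_z"),  # same cert as b
    ("campaign_d", "2013-05-20T12:30:00", "CERT-3333", "builder_z"),  # same builder as c
    ("campaign_e", "2013-06-01T09:00:00", "CERT-4444", "builder_q"),  # nothing shared
]
FIELDS = ("timestamp", "cert", "builder")


def _find(parent: Dict[str, str], x: str) -> str:
    # Union-find root lookup with path compression.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def link_campaigns(records: Iterable[Record]):
    """Cluster campaigns that share any artifact attribute.

    Returns (clusters, evidence): clusters is a sorted list of sorted campaign
    lists; evidence maps (field, value) -> sorted campaigns sharing it, so an
    analyst can see exactly which artifact produced each link.
    """
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    parent: Dict[str, str] = {}
    for campaign, *attrs in records:
        parent.setdefault(campaign, campaign)
        for field, value in zip(FIELDS, attrs):
            seen[(field, value)].add(campaign)
    # Only values seen in more than one campaign count as a link.
    evidence = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    for members in evidence.values():
        root = _find(parent, members[0])
        for other in members[1:]:
            parent[_find(parent, other)] = root
    groups: Dict[str, List[str]] = defaultdict(list)
    for campaign in parent:
        groups[_find(parent, campaign)].append(campaign)
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, evidence
```

On the sample data, campaigns a to d form one cluster through a chain of pairwise overlaps even though no single artifact is shared by all four, which is the kind of transitive link the report relies on.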

It is further evidence of the industrialization of cybercrime. “Like traditional conflict,” said FireEye CEO David DeWalt, "cyber warfare will continually evolve and change through innovation. Not surprisingly, attackers are adopting an industrialized approach. The best hope for those playing defense is a community-based approach that not only monitors advances in cyber attacks, but also propagates information to help mitigate the new threats.”

But the task ahead was described baldly by former Israeli prime minister Ehud Barak at a security conference hosted by Deutsche Telekom in Bonn on Monday (reported by Reuters). "We ain't seen nothing yet," he said. "The offense is light years ahead of defense and that is likely to remain so."

It is noticeable that FireEye makes no suggestion that this quartermaster might be state-sponsored, although that is a question that will undoubtedly be asked. What it does say, however, is, "The tools appear to be written in Chinese, and the testing infrastructure appears to all be configured with the native Chinese language character set, and the dialogues and menu options in the builder tool are in Chinese."

When Infosecurity specifically asked that question, Ned Moran (a senior researcher at FireEye and one of the authors of the report) replied, "We do agree that the scale and intensity of clusters/campaigns suggest that they are well resourced. These resources include the presence of the quartermaster that we document in the report. However, we do not have enough evidence to support the claim that the quartermaster is state-sponsored. We must leave that judgement to the reader."

Other anti-malware companies have seen similar suggestions of malware cooperation and industrialization. "Our own research on APTs carries us to the same conclusion," Luis Corrons, technical director at PandaLabs, told Infosecurity. "We are talking about a very specific type of attack, and the number of actors involved in them is really limited (compared to regular cybercrime), and thus it makes sense that the same actor(s) reuse some of their technology to develop new attacks, without risking being identified."

Kaspersky Lab has come to a similar conclusion, pointing out that it demonstrated the links between Stuxnet and Duqu long ago. However, David Emm, a senior security researcher at Kaspersky, suspects that cooperation is natural rather than sinister. "I think in general the ‘organisation’ is less formal and is more analogous to the common use of platforms and applications in the legitimate economy," he told Infosecurity. "For example, many different types of company may use the same sales management system – because it suits all their needs – but this doesn’t necessarily imply any organisational link between them."
