Researcher follows RSA hacking trail to China

Botnet expert spent months tracking malware's command-and-control servers in Beijing, Shanghai

Malware used in the attack against RSA Security earlier this year was controlled from China, a well-known botnet researcher said Wednesday.

Joe Stewart, director of malware research for Dell SecureWorks, traced the command-and-control (C&C) servers used to oversee the RSA attack to networks in Beijing and Shanghai.

"This gives us the where, but not the who," said Stewart when asked whether his work had come up with clues about the attack's architects.

In mid-March, RSA confirmed that it had been targeted by hackers who had breached its network defenses and stole proprietary information. Although RSA has never detailed what was stolen, it has admitted that information related to the company's SecurID two-factor authentication products was part of the haul.

The attack was expensive for RSA, which in a recent earnings report said it had spent $66 million to replace customers' SecurID tokens.

The attackers gained access to RSA's network by convincing a small number of the company's employees to open malware-infected Excel spreadsheets. The spreadsheets included an exploit for a then-unpatched vulnerability in Adobe's Flash Player.

Later attacks on the defense contractor Lockheed reportedly utilized information obtained in the RSA hack.

In his months-long project, Stewart uncovered the location of the malware's command servers by using error messages displayed by a popular tool called "HTran," which Chinese hackers often bundle with their code. HTran bounces traffic between multiple IP addresses to mask the real identity of the order-giving servers, making it appear, for instance, that the C&C servers are in the U.S. when they are not.

Those error messages came from debugging code left in HTran, a mistake by the malware's eventual users, who Stewart believes were not the attack code's writers. "They weren't completely familiar with the tool, and they didn't know that it would reveal the locations [of the C&C servers]," said Stewart.

"Occasionally you get this kind of opportunity," said Stewart of the glitch that led him to the Chinese ISPs. "They make mistakes, too."

In fact, said Stewart, the more than 60 malware families he's found that were custom-made for RSA-style attacks are not all that sophisticated, and certainly don't live up to the "advanced" part of the buzz phrase "advanced persistent threat" (APT) that's been bandied about this year.

"APT malware is actually less sophisticated than general malware the public sees," said Stewart. "What tends to be advanced is the persistence of these threats and the social engineering techniques they use [to infect PCs]."

But pinning down those responsible is nearly impossible without the assistance of Chinese telecommunications companies, including the government-owned China Unicom, said Stewart. The telecom companies could identify the owners of the IP addresses that belong to the C&C servers.

Stewart isn't the first to point a finger at China.

Many experts have said that the attacks against RSA and later, Lockheed, were probably conducted by a state-sponsored or state-run group, and have added that the most likely backer was China because of the firms targeted and the fact that the data stolen had value only to a government.

Google has also blamed China for attacks against its own network and the email accounts of some of its Gmail users. The Chinese government has repeatedly denied all allegations of sponsoring or conducting attacks.

But on Tuesday, security company McAfee added fuel to the flames by publishing research on a massive cyber espionage campaign that hacked at scores of U.S. and foreign government agencies, defense contractors and international organizations to plant malware that in some cases hid on networks for years. Although McAfee said just one hacking group was responsible and likely acted on the behalf of a government, it declined to name names.

Stewart's sleuthing, however, made clear that someone in China has been stealing U.S. and Western secrets.

Also yesterday, SecureWorks released signatures that companies and organizations can use to detect similar traffic to see if they, too, were infiltrated. "These fingerprints have a limited shelf life," said Stewart, implying that the attackers would quickly correct their HTran error. "We hope that every institution potentially impacted by APT activity will make haste to search out signs of this activity for themselves before the window of opportunity closes."

Stewart's analysis is available on the SecureWorks' website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is .

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Dellrsa securitysecurityMalware and Vulnerabilities

More about Adobe SystemsAppleAPTDellDell ComputerExcelGoogleMcAfee AustraliaMicrosoftRSASecureWorksTopicUnicom

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place