Black Hat: Cyber-espionage operations vast yet highly focused, researcher claims

LAS VEGAS -- Cyber-espionage operations across the Internet are extensive yet highly targeted, says a malware researcher speaking this week at the Black Hat Conference in Las Vegas. And it's not just governments targeting other governments or trying to steal corporate secrets -- private security companies also are involved in these break-ins even while claiming to offer "ethical hacking services."


In today's cyber-espionage, "there are hundreds of tiny little botnets," says Joe Stewart, research director at Dell SecureWorks. These command-and-control systems do one thing -- compromise targeted networks of business and government in order to learn about important information worth stealing, and then swipe it.

Unlike other types of cybercrime botnets, such as those used for financial theft or for generating spam from many compromised machines, cyber-espionage botnets appear to be aimed only at a small number of high-value targets -- such as the Japanese Ministry of Finance, which recently disclosed a data breach.

There is widespread targeting of Japan, notes Stewart in his paper released Wednesday titled "Chasing APT," which pinpoints 200 unique families of custom malware used in the cyber-espionage campaigns that many refer to as "advanced persistent threats." In fact, says Stewart, "HTran," the connection-bouncing tool that Dell SecureWorks believes Chinese attackers employed in the infamous attack against RSA last year, is still in use and has been linked to attacks against entities in Japan.

Stewart says he thinks two of the largest groups involved in cyber-espionage, which "share a large infrastructure," are operating out of China. But China is hardly alone: the U.S. and Israel have also been tied to the Flame malware used for cyber-espionage. And there is a growing sense that it is not only "government-backed actors" who conduct cyber-espionage.

"As it becomes increasingly revealed that more and more governments are involved in cyber-espionage and cyber-sabotage, it has the effect of legitimizing this type of activity for certain private companies," says Stewart in his "Chasing APT" report. "Other research we have conducted has uncovered a sizable cyber-espionage operation carried out by a private computer security company in an Asian country (not China) against a foreign military, presumably on behalf of the government of the country in which that company resides. This type of outsourcing of offensive hacking to contractors is to be expected given that the market demand for such skills often precludes governments from possessing that talent for very long -- however, we have discovered the scope of that company's operations also extends to using backdoors and spear-phishing to spy on companies in the U.S. and Europe, and even journalists in the same country. Ironically, this same company offers ethical hacking courses as part of their services lineup."

Dell SecureWorks isn't naming this company, but in the "Chasing APT" paper Stewart points out that "companies found to engage in this kind of activity will likely have a difficult time maintaining trusted relationships with ethical security companies and security researchers who disavow such actions against civilian targets. This will make it harder for these companies to (legally) obtain real-time cyber threat intelligence, ultimately damaging both their reputation and their ability to defend their clients' networks from attacks."

In terms of its technical analysis of APTs, SecureWorks believes that, along with the 200 unique families of custom malware used in cyber-espionage intrusions, there are more than 1,100 domain names registered by cyber-espionage actors for hosting malware command-and-control or spear-phishing, and nearly 20,000 subdomains under them used for purposes such as "malware C2 resolution."
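That ratio of roughly twenty subdomains per attacker-registered domain is the practical detail a defender can act on: one confirmed C2 hostname usually sits alongside sibling hostnames under the same registered domain, so a single indicator can be pivoted into a broader block list and a list of internal hosts that have already talked to the infrastructure. The following is an added example written for this article, not code from the "Chasing APT" paper or from Dell SecureWorks; the resolver log format, the domain names and the client addresses are constructed for illustration, and the two-label approximation of the registered domain is a deliberate simplification noted in the code.

```python
"""Pivot from one known C2 hostname to its sibling subdomains and the clients that queried them.

Added example for illustration; not code from the article or the "Chasing APT" paper.
The log format (timestamp, client IP, queried name) and all names below are constructed.
"""
import re
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client ip> <queried name>", one query per line.
# example-c2.test stands in for an attacker-registered domain; example-news.test is benign.
SAMPLE_DNS_LOG = """\
2012-07-25T09:01:12 10.0.5.21 update1.example-c2.test
2012-07-25T09:01:15 10.0.5.21 www.example-news.test
2012-07-25T09:03:40 10.0.7.88 mail2.example-c2.test
2012-07-25T09:05:02 10.0.5.21 ns1.example-c2.test
2012-07-25T09:06:11 10.0.9.14 cdn.example-news.test
2012-07-25T09:07:55 10.0.7.88 update1.example-c2.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(fqdn):
    """Return the registered (apex) domain of a fully qualified name.

    Simplification: the last two labels are treated as the registered domain.
    Production code should consult the Public Suffix List (for example via the
    publicsuffix2 package) so names under multi-label suffixes such as co.uk
    are grouped correctly.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text):
    """Parse the constructed log format into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines rather than failing the whole pivot
        ts, client, qname = match.groups()
        records.append((ts, client, qname.lower().rstrip(".")))
    return records


def pivot_on_domain(records, known_c2_fqdn):
    """Group every queried name sharing the known hostname's registered domain.

    Returns the apex domain and a mapping of each sibling hostname to the
    sorted list of clients that resolved it.
    """
    apex = registrable_domain(known_c2_fqdn)
    siblings = defaultdict(set)
    for _ts, client, qname in records:
        if registrable_domain(qname) == apex:
            siblings[qname].add(client)
    return apex, {name: sorted(clients) for name, clients in siblings.items()}


def summarize(records, known_c2_fqdn):
    """Produce the two artefacts an analyst wants: the block list and the affected hosts."""
    apex, siblings = pivot_on_domain(records, known_c2_fqdn)
    hosts = sorted({c for clients in siblings.values() for c in clients})
    known = known_c2_fqdn.lower().rstrip(".")
    return {
        "apex": apex,
        "subdomains": sorted(siblings),
        "hosts": hosts,
        "sibling_count": len(siblings) - (1 if known in siblings else 0),
    }


if __name__ == "__main__":
    result = summarize(parse_dns_log(SAMPLE_DNS_LOG), "update1.example-c2.test")
    print("registered domain:", result["apex"])
    print("hostnames to block:", ", ".join(result["subdomains"]))
    print("clients that resolved them:", ", ".join(result["hosts"]))
```

Starting from the single indicator update1.example-c2.test, the pivot surfaces two sibling hostnames that were never on the original indicator list and a second internal client that only ever queried one of those siblings. The apex-domain grouping is what makes the paper's 1,100-domain / 20,000-subdomain figures actionable; blocking or alerting at the registered-domain level covers subdomains the attacker has not used yet, at the cost of needing the Public Suffix List caveat above to avoid grouping unrelated names under shared hosting suffixes.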

But unlike other types of criminal botnets that "can contain millions of infected computers," cyber-espionage is far more focused, with "tens of thousands of infected computers spread across hundreds of botnets, each of which may only control a few to a few hundred computers at a time," the Dell SecureWorks report concludes.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE
