Chinese APTs primed by a 'digital quartermaster,' FireEye believes

Shadowy organisation creating digital weapons

A clutch of apparently distinct APT cyber-attack campaigns appear to be linked to one another through a single Chinese "digital quartermaster," or "arms dealer", security firm FireEye has argued in an analysis that joins some new forensic dots.

FireEye has past form in pulling apart APTs and its latest investigation starts with the 'Sunshop' APT it first spotted in May of this year and which it now believes was only one part of a web encompassing 11 other previously distinct APTs.

On its own these connections aren't a major discovery given that the concept of APTs implies organisation as well as intent, but the firm argues that it offers insight into the complex ecosystem from which APTs now spring.

Given that the 11 campaigns targeted a similar spectrum of critical industries - defence, telecoms, tech and government - it could be the case that some organisations are under simultaneous attack from a greater number of APTs than they realise. Spotting the connections could also allow for quicker fingerprinting.

The campaigns turned out on close inspection to share tools, some of their code, the use of signed digital certificates as well as the great giveaway, binaries with identical timestamps. The last detail ruled out simple coincidence.
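The linking signal described above can be checked mechanically. The following is an added example, not FireEye's code, and it assumes the "identical timestamps" are PE compile timestamps (the COFF TimeDateStamp); the sample binaries and certificate thumbprints are constructed test data, and campaigns are merged with a simple union-find whenever two samples share a build time or a signing certificate.

```python
import struct
from collections import defaultdict

def build_sample(timestamp):
    """Build a minimal PE-shaped buffer (constructed test data, not real malware):
    DOS header with e_lfanew -> 'PE\\0\\0' + COFF header carrying TimeDateStamp."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)          # e_lfanew: PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff

def compile_timestamp(data):
    """Read the COFF TimeDateStamp (the linker's build time) from a PE buffer."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]  # 4-byte sig + Machine + NumberOfSections

def link_campaigns(samples):
    """samples: list of (campaign, pe_bytes, cert_thumbprint_or_None).
    Campaigns sharing an identical compile timestamp or signing cert are merged."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x
    by_key = defaultdict(list)              # ("ts"|"cert", value) -> campaigns
    for campaign, data, cert in samples:
        find(campaign)                      # register even if it links to nothing
        by_key[("ts", compile_timestamp(data))].append(campaign)
        if cert:
            by_key[("cert", cert)].append(campaign)
    for members in by_key.values():
        for other in members[1:]:
            parent[find(other)] = find(members[0])
    clusters = defaultdict(set)
    for c in parent:
        clusters[find(c)].add(c)
    return sorted(sorted(s) for s in clusters.values())

# Constructed sample set: A and B were built in the same second, B and C share a cert.
SAMPLES = [
    ("CampaignA", build_sample(1369000000), "cert-aaa"),
    ("CampaignB", build_sample(1369000000), "cert-bbb"),
    ("CampaignC", build_sample(1370000000), "cert-bbb"),
    ("CampaignD", build_sample(1371000000), None),
]
```

Running `link_campaigns(SAMPLES)` groups A, B and C into one cluster and leaves D on its own; on real samples the same logic would be fed timestamps and certificate thumbprints pulled from the binaries' headers and Authenticode signatures.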

What was less clear is how the campaigns came to share this infrastructure, and FireEye proposes a new type of cyber-actor: the specialist quartermaster or expert supplier that manufactures the weapons used by others. It's not clear if this actor is one part of a larger organisation or simply paid to supply the others, but the latter seemed possible, FireEye said.

"Our research points to centralized planning and development by one or more advanced persistent threat (APT) actors," said Darien Kindlund, FireEye's threat intelligence manager.

"Malware clearly remains a desired cyber weapon of choice. Streamlining development makes financial sense for attackers, so the findings may imply a bigger trend towards industrialization that achieves an economy of scale."

As with so many other documented APTs, the quartermaster was highly likely to be Chinese; the assembly or 'builder' tool used in the campaigns had dialogs and menus in Chinese.

Attackers were adopting an "industrialised approach" to the processes through which cyberattacks were planned, built and carried out, FireEye said.

Once frightening and new, APTs are becoming just another threat that organisations have to pay attention to even as the tools to defend against them are only now starting to arrive.

In September, Kaspersky Lab reported on the Icefog campaign, used to target other Asian countries during 2011 but whose existence only became clear much later.

Another retrospective APT 'discovery' was the Hidden Lynx group now blamed for the infamous Aurora hacks on Google and others in 2009 that kick-started the whole era of complex cyber-campaigns. That research also described a Chinese group with up to 100 professionals; APTs might be a major threat to US firms but they are also clearly putting food on someone's table.

Stories by John E Dunn