Research shows arms dealer used in cyberespionage attacks

Companies battling tireless cyberespionage campaigns may be up against well-organized attackers that are fed a steady stream of malware from a talented developer of cyber-arms.


Security vendor FireEye analyzed 11 advanced persistent threat (APT) campaigns that seemed unrelated on the surface, but later were found to share the same malware supply chain. The centralized logistics point to a level of organization that's indicative of a trend towards industrialization in the malware business.

To increase the likelihood of a successful attack, malware development is being separated from the work of the hacker, so the latter can focus on commandeering an infected system and stealing data, Ned Moran, senior malware researcher at FireEye, said Wednesday.

"Much like a capitalist economy, by specializing in certain roles and responsibilities everybody is more efficient as a result," Moran said.

"We think this report shows that there are specialists who build these tools, these builders, as we documented, and so we think this is evidence of moving towards an industrialized capability in producing malware."

The similarities FireEye found that pointed to a single "digital quartermaster" in the APT campaigns included the same malware tools, the same elements of code, binaries with the same timestamps and signed binaries with the same digital certificates.

The malware development and testing tools were in Chinese, but FireEye did not find any evidence that the APT attacks were connected to any organization in China.

FireEye believes the most likely scenario is that a single cyber-arms dealer fed the attackers with malware, which has to be modified regularly to avoid detection by anti-virus software and to target newly discovered vulnerabilities in applications.

A second, but less likely, possibility is that the attackers behind each of the campaigns shared malware and the development process, Moran said. A third scenario, and the least likely, is that one large organization with separate development and attack units was behind all of the campaigns.

The chances of having one group behind the attacks are low because each campaign used malware with different artifacts, such as passwords, attack identifiers and programming techniques.

"We believe it's likely that there's a (single) quartermaster," Moran said.
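The two kinds of evidence the article describes, builder-level artifacts that are shared across campaigns (tools, code elements, compile timestamps, signing certificates) and operator-level artifacts that differ between them (passwords, attack identifiers), can be separated in a simple clustering pass over sample metadata. The following is an added illustration, not FireEye's own methodology or code from the report: it groups campaigns that share any builder-level artifact and separately checks whether operator-chosen artifacts are reused. All campaign names, hashes, timestamps and passwords are constructed.

```python
"""Added example: clustering campaigns on shared builder-level artifacts.

Constructed metadata only; campaign names, hashes and timestamps are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Sample:
    campaign: str                      # intrusion campaign the sample was seen in
    compile_ts: int                    # PE header TimeDateStamp (set by the builder)
    cert_thumbprint: Optional[str]     # signing certificate thumbprint, None if unsigned
    code_hashes: frozenset             # hashes of reused code blocks found in the binary
    c2_password: str                   # operator-chosen artifact (differs per operator)


def builder_keys(sample):
    """Artifacts fixed when the binary is built, i.e. attributable to the supplier."""
    keys = {("compile_ts", sample.compile_ts)}
    if sample.cert_thumbprint:
        keys.add(("cert", sample.cert_thumbprint))
    keys.update(("code", h) for h in sample.code_hashes)
    return keys


def cluster_by_builder_artifacts(samples):
    """Group campaigns that share at least one builder-level artifact.

    Returns (clusters, evidence): clusters is a sorted list of sorted campaign
    lists; evidence maps each directly linked pair to the keys it shares, so an
    analyst can see whether a link rests on one weak key (a timestamp alone)
    or on several independent ones.
    """
    owners = defaultdict(set)                      # key -> campaigns seen with it
    for s in samples:
        for k in builder_keys(s):
            owners[k].add(s.campaign)

    parent = {s.campaign: s.campaign for s in samples}   # union-find forest

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    evidence = defaultdict(set)                    # frozenset({a, b}) -> shared keys
    for key, campaigns in owners.items():
        names = sorted(campaigns)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                parent[find(a)] = find(b)
                evidence[frozenset((a, b))].add(key)

    groups = defaultdict(set)
    for c in parent:
        groups[find(c)].add(c)
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, dict(evidence)


def shared_operator_artifacts(samples):
    """Operator-level artifacts (here: C2 passwords) reused across campaigns.

    An empty result alongside non-trivial builder clusters is what the
    "one quartermaster, many operators" model predicts.
    """
    seen = defaultdict(set)
    for s in samples:
        seen[s.c2_password].add(s.campaign)
    return {pw: sorted(c) for pw, c in seen.items() if len(c) > 1}


# Constructed sample set: three campaigns tied together by builder artifacts,
# one unrelated campaign, and no operator artifact shared anywhere.
SAMPLES = [
    Sample("campaign-A", 1366000000, "cert-aaaa", frozenset({"fn-loader-1"}), "pw-alpha"),
    Sample("campaign-B", 1366000000, "cert-aaaa", frozenset({"fn-loader-1", "fn-rc4-2"}), "pw-bravo"),
    Sample("campaign-C", 1370000000, None, frozenset({"fn-rc4-2"}), "pw-charlie"),
    Sample("campaign-D", 1380000000, "cert-dddd", frozenset({"fn-other-9"}), "pw-delta"),
]

if __name__ == "__main__":
    clusters, evidence = cluster_by_builder_artifacts(SAMPLES)
    print("clusters:", clusters)
    for pair, keys in sorted(evidence.items(), key=lambda kv: sorted(kv[0])):
        print(sorted(pair), "linked by", sorted(keys))
    print("operator artifacts shared across campaigns:", shared_operator_artifacts(SAMPLES))
```

On the constructed data, campaigns A, B and C fall into one cluster (A and B share a timestamp, a certificate and a code block; B and C share only a code block) while D stays separate, and no C2 password is reused. The evidence map matters as much as the cluster: a link supported by a single compile timestamp is far weaker than one supported by a certificate plus reused code, and a real analysis would require several independent key kinds before treating two campaigns as sharing a supplier.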

FireEye's research started in May with its discovery of an attack campaign the vendor called "Sunshop." The attackers had compromised several Korean defense and military think-tank websites and redirected visitors to a site serving multiple exploits.

Over the next three months, FireEye found that Sunshop and the 11 APT campaigns shared the same malware tools and code elements.

The attacks spanned multiple years and targeted companies across 15 sectors, including aerospace and defense contractors; manufacturing, high-tech, energy and chemical industries; and federal, state and local government agencies.


While the attackers were bent on stealing intellectual property, it was not known whom they were working for, Moran said.

Details on FireEye's findings are available in a report, released this week, entitled "Supply Chain Analysis: From Quartermaster to Sunshop."
