Attacks Linked To China APT Supplier Target Channel Providers: Study


Targeted attack campaigns carried out against a variety of organizations globally may stem from cybercriminals with different interests, but a new study has tied at least 11 recent campaigns to potentially the same malware supplier.

Security vendor FireEye said on Wednesday that it has found a link between nearly a dozen attack campaigns and a malware and attack toolkit supplier based in China. The campaigns, carried out in the United States and abroad, were aimed at individuals in a broad spectrum of industries, but the tools used in each campaign had many similarities, signaling that the attacks drew on a centralized source for much of the malware.

Victims ranged from individuals at large defense contractors and global technology companies to small law firms and chemical refineries. Interestingly, solution providers ranging from consultancies to systems integrators and resellers were also targeted in the campaigns FireEye researchers analyzed.

FireEye said in its Supply Chain Analysis report that the attacks could be part of a broader offensive waged by a shared development and logistics infrastructure.

"Though they appeared unrelated at first, further investigation uncovered several key links between them: the same malware tools, the same elements of code, binaries with the same timestamps, and signed binaries with the same digital certificates," FireEye said in its report. "Some targets are facing a more organized menace than they realize."
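The report links otherwise separate campaigns through shared build artifacts: the same tools, the same code, identical compile timestamps, and binaries signed with the same certificate. The following is an added example, not code from FireEye or CRN, of how a defender doing this kind of analysis can cluster campaigns on such artifacts. All sample records, hashes, timestamps, certificate serials and campaign names below are constructed placeholders, not real indicators from the report.

```python
"""Cluster attack campaigns by shared build artifacts.

Added example (not from the FireEye report or the CRN article). Every
record below is constructed; hashes, timestamps and certificate serials
are placeholders, not real indicators.
"""
from collections import defaultdict

# Constructed sample metadata: one record per binary recovered from a campaign.
# The link fields mirror the kinds of overlap the report describes: compile
# timestamp, code-signing certificate serial, and a hash of a reused code block.
SAMPLES = [
    {"sha256": "sha256-placeholder-1", "campaign": "law-firm",
     "compile_ts": "2012-09-14T02:11:08", "cert_serial": "CERT-A", "code_block": "blk-1"},
    {"sha256": "sha256-placeholder-2", "campaign": "defense-contractor",
     "compile_ts": "2012-10-02T06:40:51", "cert_serial": "CERT-A", "code_block": "blk-3"},
    {"sha256": "sha256-placeholder-3", "campaign": "defense-contractor",
     "compile_ts": "2012-10-02T06:40:51", "cert_serial": "CERT-B", "code_block": "blk-4"},
    {"sha256": "sha256-placeholder-4", "campaign": "chem-refinery",
     "compile_ts": "2012-10-02T06:40:51", "cert_serial": None, "code_block": "blk-5"},
    {"sha256": "sha256-placeholder-5", "campaign": "reseller",
     "compile_ts": "2012-11-20T11:02:37", "cert_serial": "CERT-C", "code_block": "blk-2"},
    {"sha256": "sha256-placeholder-6", "campaign": "tech-company",
     "compile_ts": "2012-12-01T09:15:00", "cert_serial": "CERT-D", "code_block": "blk-2"},
    {"sha256": "sha256-placeholder-7", "campaign": "unrelated-x",
     "compile_ts": "2013-01-05T17:33:12", "cert_serial": "CERT-E", "code_block": "blk-9"},
]

# Attributes on which two campaigns are considered linked (assumed field names).
LINK_FIELDS = ("compile_ts", "cert_serial", "code_block")


def build_links(samples, fields=LINK_FIELDS):
    """Map each (field, value) pair to the set of campaigns whose samples carry it.

    Only pairs seen in more than one campaign are returned; a value that is
    unique to a single campaign links nothing. Missing values are skipped.
    """
    index = defaultdict(set)
    for sample in samples:
        for field in fields:
            value = sample.get(field)
            if value:
                index[(field, value)].add(sample["campaign"])
    return {key: camps for key, camps in index.items() if len(camps) > 1}


def cluster_campaigns(samples, fields=LINK_FIELDS):
    """Group campaigns into clusters using union-find.

    Two campaigns land in the same cluster when any sample from one shares a
    link-field value with any sample from the other; links are transitive, so
    A-B and B-C place A, B and C together. Returns sorted lists of campaigns.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for sample in samples:           # register campaigns with no links too
        find(sample["campaign"])
    for camps in build_links(samples, fields).values():
        ordered = sorted(camps)
        for a, b in zip(ordered, ordered[1:]):
            union(a, b)

    clusters = defaultdict(set)
    for campaign in parent:
        clusters[find(campaign)].add(campaign)
    return sorted(sorted(members) for members in clusters.values())


if __name__ == "__main__":
    for (field, value), camps in sorted(build_links(SAMPLES).items()):
        print(f"{field}={value}: shared by {', '.join(sorted(camps))}")
    for cluster in cluster_campaigns(SAMPLES):
        print("cluster:", ", ".join(cluster))
```

Run against the constructed data, the law firm, defense contractor and chemical refinery collapse into one cluster (a shared certificate plus a shared compile timestamp), the reseller and technology company pair up on a reused code block, and the seventh campaign stays alone. In practice the link fields would be populated from PE metadata and signature parsing, and a single shared value should be treated as a lead for further analysis rather than proof of a common supplier.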

Ned Moran, a senior malware researcher at FireEye, told CRN that resellers and other third-party service providers can hold a wealth of information that cybercriminals can use to gain access to a targeted organization. In addition to stealing credentials to remote access systems, cybercriminals have used third-party providers in social engineering attacks to gain an initial foothold into organizations, he said.

"Resellers or systems integrators can be used to gather intelligence on the ultimate target," Moran told CRN. "A VAR or SI might have unique inside information about a specific target that a bad guy could leverage to discover weaknesses in a target's network or to craft a more believable spear phish."

Security solution providers told CRN that advanced persistent threats that could lead to significant loss of intellectual property are top of mind for nearly all their clients, large and small. The best advice to give most businesses is to focus on reducing risk, said Arthur Hedge, president of Morristown, N.J.-based Castle Ventures Corp., a solution provider that specializes in managed log reporting and security assessments.

"There's a recognition that they are all under attack in a way that is different than it was a couple of years ago," Hedge told CRN. "It's not random anymore. They realize that at some level, they are being attacked on purpose."

Jim O'Brian, chief information security officer at Overland Park, Kan.-based Choice Solutions, said systems integrators need to be vigilant about their own security systems and processes. Anyone who claims to have a silver bullet that keeps clients' networks completely safe is not being truthful, O'Brian said.

"If [attackers] know who the big integrators are and they know that those integrators have access to what they're trying to get to, [attackers are] going to try and hit that integrator and live there until [they] can find an entry into that client," O'Brian said.