Attacks Linked To China APT Supplier Target Channel Providers: Study

Targeted attack campaigns carried out against a variety of organizations globally may stem from cybercriminals with different interests, but a new study has tied at least 11 recent campaigns to what may be a single malware supplier.

Security vendor FireEye said on Wednesday that it has found a link between nearly a dozen attack campaigns and a malware and attack toolkit supplier based in China. The campaigns, carried out in the United States and abroad, were aimed at individuals in a broad spectrum of industries, but the tools used in each campaign had many similarities, signaling that the campaigns drew on a centralized source for much of their malware.

Victims ranged from individuals at large defense contractors and global technology companies to small law firms and chemical refineries. Interestingly, solution providers ranging from consultancies to systems integrators and resellers were also targeted in the campaigns FireEye researchers analyzed.

FireEye said in its Supply Chain Analysis report that the attacks could be part of a broader offensive supported by a shared development and logistics infrastructure.

"Though they appeared unrelated at first, further investigation uncovered several key links between them: the same malware tools, the same elements of code, binaries with the same timestamps, and signed binaries with the same digital certificates," FireEye said in its report. "Some targets are facing a more organized menace than they realize."

Ned Moran, a senior malware researcher at FireEye, told CRN that resellers and other third-party service providers can hold a wealth of information that cybercriminals can use to gain access to a targeted organization. In addition to stealing credentials to remote access systems, cybercriminals have used third-party providers in social engineering attacks to gain an initial foothold into organizations, he said.

"Resellers or systems integrators can be used to gather intelligence on the ultimate target," Moran told CRN. "A VAR or SI might have unique inside information about a specific target that a bad guy could leverage to discover weaknesses in a target's network or to craft a more believable spear phish."

Security solution providers told CRN that advanced persistent threats that could lead to significant loss of intellectual property are top of mind for nearly all their clients, large and small. The best advice to give most businesses is to focus on reducing risk, said Arthur Hedge, president of Morristown, N.J.-based Castle Ventures Corp., a solution provider that specializes in managed log reporting and security assessments.

"There's a recognition that they are all under attack in a way that is different than it was a couple of years ago," Hedge told CRN. "It's not random anymore. They realize that at some level, they are being attacked on purpose."

Jim O'Brian, chief information security officer at Overland Park, Kan.-based Choice Solutions, said systems integrators need to be vigilant about their own security systems and processes. Anyone who claims to have a silver bullet that keeps clients' networks completely safe is not being truthful, O'Brian said.

"If [attackers] know who the big integrators are and they know that those integrators have access to what they're trying to get to, [attackers are] going to try and hit that integrator and live there until [they] can find an entry into that client," O'Brian said.

Similarities In Malware And Infrastructure Point To China-Based Supplier

In its malware supply chain report, FireEye said the similarities in the malware samples it analyzed can be traced to a centralized warehouse of attack tools that supplied and maintained the cyberespionage campaigns. The attacks use relatively commonplace methods to gain initial access to systems, but the custom malware and remote access Trojans, or RATs, that follow are designed to evade detection, remaining hidden on systems for months and sometimes years.

The link between all of the campaigns is a shared malware builder tool that FireEye researchers uncovered. The builder's interface is in Chinese, and its testing infrastructure uses a Chinese-language character set.

The first link between the campaigns was uncovered while investigating a targeted attack campaign called Sunshop, carried out in May 2013, in which a remote access Trojan called APT.9002 was used. The group is believed to have used the same Trojan in the Bit9 breach earlier this year. In a watering-hole technique, the attackers compromised legitimate websites and redirected visitors from several of them to a site serving multiple exploits, FireEye said. The underlying infrastructure used in the attacks was tied to multiyear campaigns against companies across 15 industries, the firm said.

Over a three-year period beginning in 2011, a string of campaigns shared the same command-and-control infrastructure to send remote instructions and the same digital certificates to evade detection by most traditional security software. FireEye said those similarities, combined with other malware coding resemblances, indicate that the campaigns are very likely part of a "formal offensive apparatus."

The report was the result of analysis of more than 110 malware samples conducted by the FireEye researchers; all were variants of remote access Trojans used in targeted campaigns to maintain stealthy access to infected systems. FireEye found 65 binaries that displayed unique characteristics, 47 of which were signed with one of six digital certificates.
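The pivots FireEye describes above (shared code-signing certificates, shared command-and-control hosts, identical compile timestamps) are what let an analyst collapse "unrelated" campaigns into one cluster. The following is an added example, not code from the FireEye report or from CRN: it reads the COFF compile timestamp out of a PE header and then links samples transitively through any shared pivot using a union-find. Every sample name, hash-like label, certificate serial and C2 hostname below is a constructed placeholder, not a real indicator.

```python
"""Cluster malware samples by shared pivots: compile timestamp,
Authenticode certificate serial and C2 host.

All sample metadata here is constructed for illustration; the names,
certificate serials and hostnames are placeholders, not real indicators.
"""
import struct
from collections import defaultdict


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image (seconds since the Unix epoch).

    The field sits 8 bytes past the 'PE\\0\\0' signature, whose offset is the
    little-endian DWORD at 0x3C of the DOS header. Raises ValueError on
    anything that is not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (timestamp,) = struct.unpack_from("<I", data, pe_off + 8)
    return timestamp


def minimal_pe(timestamp: int) -> bytes:
    """Build the smallest byte string pe_compile_timestamp() accepts.
    Constructed fixture only; it is not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header at 0x40
    # Signature 'PE\0\0', Machine, NumberOfSections, TimeDateStamp, then the
    # remaining COFF fields zeroed.
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, 0, timestamp, 0, 0, 0, 0)
    return bytes(dos) + coff


class DisjointSet:
    """Union-find over sample names, with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


PIVOT_KEYS = ("cert_serial", "c2", "timestamp")


def link_campaigns(samples):
    """Group samples that share any pivot value, transitively.

    Returns a list of sets of sample names, largest cluster first.
    """
    ds = DisjointSet()
    by_pivot = defaultdict(list)
    for s in samples:
        ds.find(s["name"])  # register singletons too
        for key in PIVOT_KEYS:
            if s.get(key) is not None:
                by_pivot[(key, s[key])].append(s["name"])
    for names in by_pivot.values():
        for other in names[1:]:
            ds.union(names[0], other)
    clusters = defaultdict(set)
    for s in samples:
        clusters[ds.find(s["name"])].add(s["name"])
    return sorted(clusters.values(), key=lambda c: (-len(c), sorted(c)))


def shared_pivots(a, b):
    """Return the (key, value) pairs two sample records have in common."""
    return {(k, a[k]) for k in PIVOT_KEYS if a.get(k) is not None and a.get(k) == b.get(k)}


# Constructed sample set: rat-01..rat-03 chain together through a certificate
# and a C2 host; rat-05 is unsigned and has no C2 but shares a compile
# timestamp with rat-03 (read back from a fixture PE header); rat-04 stands alone.
SAMPLES = [
    {"name": "rat-01", "cert_serial": "CERT-A", "c2": "update.example", "timestamp": 1300000000},
    {"name": "rat-02", "cert_serial": "CERT-A", "c2": "news.example", "timestamp": 1310000000},
    {"name": "rat-03", "cert_serial": "CERT-B", "c2": "news.example", "timestamp": 1320000000},
    {"name": "rat-04", "cert_serial": "CERT-C", "c2": "mail.example", "timestamp": 1330000000},
    {"name": "rat-05", "cert_serial": None, "c2": None,
     "timestamp": pe_compile_timestamp(minimal_pe(1320000000))},
]

if __name__ == "__main__":
    for cluster in link_campaigns(SAMPLES):
        print(sorted(cluster))
```

A compile timestamp is a weak pivot on its own: it is attacker-controlled and can be zeroed or forged, so in practice you would weight it below a certificate serial or C2 host and require a second overlap before merging on it. The transitive linking is also the point to be careful about: one shared commodity indicator (a public DNS provider, a widely abused certificate) can glue genuinely separate campaigns into one cluster, so inspect `shared_pivots()` for each edge before trusting a merge.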

Other malware samples were variants of the PoisonIvy Trojan used in the 2011 RSA SecurID data breach. Some of the samples analyzed also were variants of the Hydraq Trojan, the malware behind the Operation Aurora campaign, which exploited various vulnerabilities, including zero-day flaws in Internet Explorer, to gain access to corporate systems.