APT campaigns analyzed by FireEye found to share same malware supply chain

Companies battling tireless cyberespionage campaigns may be up against well-organized attackers that are fed a steady stream of malware from a talented developer of cyber-arms.

Security vendor FireEye analyzed 11 advanced persistent threat (APT) campaigns that seemed unrelated on the surface, but later were found to share the same malware supply chain. The centralized logistics point to a level of organization that is indicative of a trend towards industrialization in the malware business.

To increase the likelihood of a successful attack, malware development is being separated from the work of the hacker, so the latter can focus on commandeering an infected system and stealing data, Ned Moran, senior malware researcher at FireEye, said Wednesday.

“Much like a capitalist economy, by specializing in certain roles and responsibilities everybody is more efficient as a result,” Moran said. “We think this report shows that there are specialists who build these tools, these builders, as we documented, and so we think this is evidence of moving towards an industrialized capability in producing malware.”

The similarities FireEye found that pointed to a single “digital quartermaster” behind the APT campaigns included the same malware tools, the same elements of code, binaries with the same timestamps and signed binaries with the same digital certificates. The malware development and testing tools were in Chinese, but FireEye did not find any evidence that the APT attacks were connected to any organization in China.

FireEye believes the most likely scenario is that a single cyber-arms dealer fed the attackers with malware, which has to be modified regularly to avoid detection by anti-virus software and to target newly discovered vulnerabilities in applications.
A second, but less likely, possibility is that the attackers behind each of the campaigns shared malware and the development process, Moran said. A third scenario, and the least likely, is that one large organization with separate development and attack units was behind all of the campaigns. The chances of having one group behind the attacks are low because each campaign used malware with different artifacts, such as passwords, attack identifiers and programming techniques.

“We believe it’s likely that there’s a (single) quartermaster,” Moran said.

FireEye’s research started in May with its discovery of an attack campaign the vendor called “Sunshop.” The attackers had compromised several Korean defense and military think-tank websites and redirected visitors to a site serving multiple exploits. Over the next three months, FireEye found that Sunshop and the 11 APT campaigns shared the same malware tools and code elements.

The attacks spanned multiple years and targeted companies across 15 sectors, including aerospace and defense contractors; manufacturing, high-tech, energy and chemical industries; and federal, state and local government agencies.

While the attackers were bent on stealing intellectual property, it was not known whom they were working for, Moran said.
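The linkage reasoning described above (campaigns tied together by shared tool-chain artifacts such as timestamps, signing certificates and code elements, yet separated by per-campaign artifacts such as passwords and attack identifiers) can be reproduced on sample metadata. The following is an added example, not code or data from FireEye or the report; every value in it is constructed, and the split between "builder" and "operator" artifact kinds is an assumption made for the illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample metadata (illustrative only, not values from the FireEye report).
# "Builder" artifacts come from the tool chain; "operator" artifacts are set per campaign.
FIELDS = ("campaign", "timestamp", "cert", "code", "password", "campaign_id")
SAMPLES = [dict(zip(FIELDS, row)) for row in [
    ("A", "2013-05-13 08:41", "CERT-1", "blk-10", "pw-a", "id-a"),
    ("B", "2013-05-20 11:02", "CERT-1", "blk-11", "pw-b", "id-b"),
    ("C", "2013-05-20 11:02", "CERT-2", "blk-12", "pw-c", "id-c"),
    ("D", "2013-06-01 09:15", "CERT-3", "blk-13", "pw-d", "id-d"),
    ("E", "2013-06-07 16:30", "CERT-4", "blk-13", "pw-e", "id-e"),
]]
BUILDER_KEYS = ("timestamp", "cert", "code")
OPERATOR_KEYS = ("password", "campaign_id")

def link_campaigns(samples, keys=BUILDER_KEYS):
    """Map each pair of campaigns to the kinds of artifact their samples share."""
    index = defaultdict(set)  # (artifact kind, value) -> campaigns it appears in
    for s in samples:
        for k in keys:
            index[(k, s[k])].add(s["campaign"])
    links = defaultdict(set)
    for (kind, _), camps in index.items():
        for a, b in combinations(sorted(camps), 2):
            links[(a, b)].add(kind)
    return dict(links)

def clusters(samples, keys=BUILDER_KEYS):
    """Group campaigns reachable from one another through shared artifacts (union-find)."""
    parent = {s["campaign"]: s["campaign"] for s in samples}
    def find(x):
        return x if parent[x] == x else find(parent[x])
    for a, b in link_campaigns(samples, keys):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for c in parent:
        groups[find(c)].add(c)
    return sorted(sorted(g) for g in groups.values())

def operator_artifacts_distinct(samples, cluster, keys=OPERATOR_KEYS):
    """True when no operator artifact is reused between campaigns of one builder cluster."""
    owner = {}
    for s in samples:
        if s["campaign"] in cluster:
            for k in keys:
                if owner.setdefault((k, s[k]), s["campaign"]) != s["campaign"]:
                    return False
    return True
```

A cluster whose campaigns share builder artifacts but reuse no operator artifacts matches the pattern the report attributes to a single quartermaster supplying separate attack groups; clustering on operator artifacts alone leaves every campaign isolated.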
Details on FireEye’s findings are available in a report, released this week, entitled “Supply Chain Analysis: From Quartermaster to Sunshop.”