A clutch of apparently distinct APT cyber-attack campaigns appear to be linked to one another through a single Chinese “digital quartermaster”, or “arms dealer”, security firm FireEye has argued in an analysis that joins some new forensic dots.
FireEye has past form in pulling apart APTs, and its latest investigation starts with the ‘Sunshop’ APT it first spotted in May of this year, which it now believes was only one part of a web encompassing 11 other previously distinct APT campaigns.
On its own these connections aren't a major discovery given that the concept of APTs implies organisation as well as intent, but the firm argues that it offers insight into the complex ecosystem from which APTs now spring.
Given that the 11 campaigns targeted a similar spectrum of critical industries (defence, telecoms, technology and government), some organisations could be under simultaneous attack from a greater number of APTs than they realise. Spotting the connections could also allow for quicker fingerprinting.
On close inspection the campaigns turned out to share tools, portions of their code and the same digital certificates used to sign their binaries, as well as the great giveaway: binaries with identical compile timestamps. That last detail ruled out simple coincidence.
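The pivot FireEye describes, linking otherwise separate campaigns through build artefacts the samples have in common, is easy to reproduce at small scale. The following is an added example, not code from the article or from FireEye: it reads the COFF TimeDateStamp out of a PE header, indexes samples by that timestamp and by the thumbprint of their signing certificate, and then merges campaigns that share an indicator into clusters. The campaign names, timestamps, signer thumbprints and the stub PE headers are all constructed here for illustration and are not the real Sunshop indicators.

```python
import struct
from collections import defaultdict


def pe_timestamp(data: bytes) -> int:
    """Return the COFF FileHeader TimeDateStamp (seconds since the Unix epoch).

    PE layout used here: 'MZ' at offset 0, e_lfanew (uint32 LE) at 0x3C,
    'PE\\0\\0' at e_lfanew, then the COFF header: Machine(2), NumberOfSections(2),
    TimeDateStamp(4), ...
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def make_stub_pe(timestamp: int) -> bytes:
    """Build a minimal constructed PE header carrying the given TimeDateStamp.

    Test fixture only: it is not a loadable executable, just enough header
    for pe_timestamp() to parse.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, TimeDateStamp, no symbols, optional-header size,
    # characteristics (executable, 32-bit)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample set: (campaign, sha256 label, pe bytes, signer thumbprint or None).
SAMPLES = [
    ("Sunshop", "sha256:a1", make_stub_pe(1367000000), "CERT-A"),
    ("CampaignB", "sha256:b2", make_stub_pe(1367000000), None),
    ("CampaignC", "sha256:c3", make_stub_pe(1360000000), "CERT-A"),
    ("CampaignD", "sha256:d4", make_stub_pe(1355000000), "CERT-B"),
]


def link_campaigns(samples):
    """Map each (indicator_type, value) to the set of campaigns that share it.

    Only indicators seen in more than one campaign are returned, since those
    are the ones that argue for a common supplier.
    """
    by_indicator = defaultdict(set)
    for campaign, _sha256, pe_bytes, signer in samples:
        by_indicator[("timestamp", pe_timestamp(pe_bytes))].add(campaign)
        if signer:
            by_indicator[("signer", signer)].add(campaign)
    return {k: v for k, v in by_indicator.items() if len(v) > 1}


def campaign_clusters(links, all_campaigns):
    """Union campaigns that share any indicator; return clusters, largest first.

    A campaign with no shared indicator stays in a cluster of its own.
    """
    parent = {c: c for c in all_campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for shared in links.values():
        root = find(next(iter(shared)))
        for c in shared:
            parent[find(c)] = root
    groups = defaultdict(set)
    for c in all_campaigns:
        groups[find(c)].add(c)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


if __name__ == "__main__":
    links = link_campaigns(SAMPLES)
    for (kind, value), campaigns in sorted(links.items()):
        print(f"{kind}={value}: shared by {sorted(campaigns)}")
    for cluster in campaign_clusters(links, [s[0] for s in SAMPLES]):
        print("cluster:", sorted(cluster))
```

Run as a script, this links Sunshop to CampaignB through the identical timestamp and to CampaignC through the shared signer, so the three fall into one cluster while CampaignD stays alone. The timestamp is a useful pivot precisely because a builder that stamps every binary it emits with the same value leaves an artefact no independent compilation would reproduce; the caveat is that the field is attacker-controlled and is sometimes zeroed or randomised, which is why FireEye's argument rests on several overlapping indicators rather than on timestamps alone.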
What was less clear is how the campaigns came to share this infrastructure. FireEye proposes a new type of cyber-actor: the specialist quartermaster or expert supplier that manufactures the weapons used by others. It is not clear whether this actor is one part of a larger organisation or is simply paid to supply the others, but the latter seemed possible, FireEye said.
“Our research points to centralized planning and development by one or more advanced persistent threat (APT) actors,” said Darien Kindlund, FireEye’s threat intelligence manager.
“Malware clearly remains a desired cyber weapon of choice. Streamlining development makes financial sense for attackers, so the findings may imply a bigger trend towards industrialization that achieves an economy of scale.”
As with so many other documented APTs, the quartermaster was highly likely to be Chinese: the assembly or ‘builder’ tool used in the campaigns had dialogs and menus in Chinese.
Attackers were adopting an “industrialised approach” to the processes through which cyberattacks were planned, built and carried out, FireEye said.
Once frightening and new, APTs are becoming just another threat that organisations have to pay attention to, even as the tools to defend against them are only now starting to arrive.
In September, Kaspersky Lab reported on the Icefog campaign, which targeted other Asian countries during 2011 but whose existence only became clear much later.
Another retrospective APT ‘discovery’ was the Hidden Lynx group, now blamed for the infamous Aurora attacks on Google and others in 2009 that kick-started the whole era of complex cyber-campaigns. That research also described a Chinese group of up to 100 professionals; APTs may be a major threat to US firms, but they are also clearly putting food on someone’s table.