The breach of RSA, the security division of EMC, last spring in which sensitive information related to RSA SecurID tokens was stolen, can be traced back to an attack originating in China, a security researcher strongly believes based on a close look into malware associated with the RSA breach.

Joe Stewart, director of malware research for Dell SecureWorks, says his conclusion is based on his work on a project to classify 60 different families of custom malware that have been used in the type of cyber espionage attack often referred to today as an '"advanced persistent threat (APT)."

The definition of APT can vary, but to Stewart it means cyber-espionage activity targeted at government or industry.


Two malware components known to have been used in the RSA breach are based on a common hacker tool called "HTran" that can disguise the location of command-and-control servers used to siphon off sensitive stolen data back to the attackers. When installed on a target host (often hacked third party servers), the HTran malware will bounce incoming connections back to the more concealed command-and-control server operated by the attacker.

The HTran malware tool was originally written by the well known Chinese hacker with the handle 'lion' who reportedly founded the Honker Union of China, a nationalist hacking group in the People's Republic of China.

HTran currently is used to conceal the hacker's intended network destination in terms of IP address. But in his research, Stewart says he's found that HTran releases error messages that reveal the true IP address of the attacker's hidden command-and-controllers.

China link

In the case of the RSA breach, based on related samples analysed by Stewart that use command-and-control components disclosed by CERT, two of the HTran malware components were redirecting traffic to just a few networks in mainland China, Stewart says. These appear to be ISPs in Beijing and Shanghai, including China Unicom, the state-owned telecommunications carrier.

The Dell SecureWorks report notes, "It's not surprising that hackers using a Chinese hacking tool might be operating from IP addresses in the PRC. Most of the Chinese destination IPs belong to large ISPs, making further attribution of the hacking activity difficult or impossible without the cooperation of the PRC government."

Stewart points out that hackers who have been using HTran to hit RSA and likely other targets will certainly want to change the HTran system, as these attackers realise it's known how to trace IP addresses through HTran error messages.

SecureWorks is releasing not only details about its findings in a report, but also some Snort-based signatures for general use to detect this APT Trojan. Secureworks says its own service for customers is using this type of defence to detect and block APT malware that's identified.

The APT attack against RSA has been costly to the company, with EMC recently disclosing that it had taken a $66 million charge to cover costs associated with coping with the breach of last March in which sensitive information about SecurID was stolen.

Another security firm, McAfee, also released a report on the topic of APT this week. In the report, entitled "Operation Shady RAT," McAfee alleges more than 70 corporations and government organisations since 2006 have also suffered cyber-espionage intrusions, though it didn't name a source of these attacks.