Is there a global arms merchant serving smaller armies of online cyberterrorists?
An American company that analysed hacking incidents over a period of several years believes it may have zeroed in on one such “cyberarms dealer” that supplies a “myriad of unrelated global attackers” with hacking tools. FireEye suggests what it has uncovered might be part of a trend it dubs the “industrialisation of hacking.”
“Our research points to centralized planning and development by one or more advanced persistent threat (APT) actors,” said Darien Kindlund, manager of threat intelligence at FireEye.
Weapons of (mass) cyber destruction
The firm paints a portrait of a “digital quartermaster” that creates malware tools and weapons to support cyber espionage. What’s more, this digital quartermaster might also be a cyber arms dealer who supplies the tools to conduct attacks and establish footholds in targeted systems.
“Malware clearly remains a desired cyber weapon of choice. Streamlining development makes financial sense for attackers, so the findings may imply a bigger trend towards industrialisation that achieves an economy of scale,” said Kindlund.
In its report titled “Supply Chain Analysis: From Quartermaster to Sunshop,” FireEye pieces together seemingly unrelated cyber attacks that may be part of a broader offensive fuelled by a shared development and logistics infrastructure. It examines 11 APT campaigns – most of them by what FireEye calls the Sunshop Group – that targeted a wide swath of industries and shared malware tools, elements of code, binaries with the same compile timestamps, and binaries signed with the same digital certificates.
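A toy version of that kind of supply-chain analysis, added here as an illustration and not code from FireEye's report: it indexes constructed sample metadata by compile timestamp, signing-certificate thumbprint and builder family, then clusters campaigns that share any artifact. Every campaign name, timestamp, thumbprint and family name below is a made-up placeholder.

```python
"""Added example (not FireEye's code): link campaigns through shared build artifacts.
All sample metadata below is constructed; timestamps, thumbprints and family names
are placeholders, not real indicators."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed rows: (campaign, compile timestamp, signing-cert thumbprint, builder family)
SAMPLES: List[Tuple[str, str, str, str]] = [
    ("campaign-A", "2013-05-02T08:14:21Z", "CERT-1111", "builder-X"),
    ("campaign-B", "2013-05-02T08:14:21Z", "CERT-2222", "builder-Y"),  # same timestamp as A
    ("campaign-C", "2013-06-10T11:02:00Z", "CERT-2222", "builder-Z"),  # same certificate as B
    ("campaign-D", "2013-07-19T03:45:09Z", "CERT-3333", "builder-X"),  # same builder as A
    ("campaign-E", "2013-09-01T22:00:00Z", "CERT-4444", "builder-Q"),  # shares nothing
]

def build_artifact_index(samples):
    """Map each artifact (kind, value) to the set of campaigns it appears in."""
    index: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for campaign, ts, cert, family in samples:
        for kind, value in (("timestamp", ts), ("cert", cert), ("family", family)):
            index[(kind, value)].add(campaign)
    return index

def shared_artifacts(index):
    """Artifacts seen in more than one campaign are the links worth investigating."""
    return {art: camps for art, camps in index.items() if len(camps) > 1}

def cluster_campaigns(samples):
    """Union-find over campaigns joined by any shared artifact; returns sorted clusters."""
    parent = {row[0]: row[0] for row in samples}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for camps in shared_artifacts(build_artifact_index(samples)).values():
        first, *rest = sorted(camps)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for campaign in parent:
        groups[find(campaign)].add(campaign)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for art, camps in sorted(shared_artifacts(build_artifact_index(SAMPLES)).items()):
        print(f"{art[0]}={art[1]} links {sorted(camps)}")
    print(cluster_campaigns(SAMPLES))
```

On the constructed rows, campaigns A to D collapse into one cluster through a chain of pairwise overlaps, while E stays isolated because it shares no artifact with anything else.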
Chinese hand seen, but…
FireEye said the dialogues and menu options in the builder tool were in Chinese, indicating it may have been created and used by Chinese speakers. Lest you leap to judgement, the firm says it has no evidence that the group is state-sponsored.
Infosecurity, an online magazine, says FireEye’s conclusions are backed by some other security firms like PandaLabs and Kaspersky Lab.
“I think in general the ‘organisation’ is less formal and is more analogous to the common use of platforms and applications in the legitimate economy,” David Emm, a senior security researcher at Kaspersky, told Infosecurity. “For example, many different types of company may use the same sales management system – because it suits all their needs – but this doesn’t necessarily imply any organisational link between them.”
So, what’s the lesson?
“Like traditional conflict, cyber warfare will continually evolve and change through innovation,” said FireEye CEO David DeWalt. “Not surprisingly, attackers are adopting an industrialised approach. The best hope for those playing defence is a community-based approach that not only monitors advances in cyber attacks, but also propagates information to help mitigate the new threats.”
FireEye is a software security firm. It has built a virtual machine-based security platform that provides real-time threat protection against cyber attacks.