Shared threat intelligence helps connect attacks from the same threat actor and identify the different tools they use

Oct 19, 2014 22:21 GMT

Cyber-attacks by threat actors believed to operate from China and Russia under government supervision have dominated the security headlines lately, drawing public attention to the unseen war between nations across the globe.

For several years these groups have been stealing sensitive information from infrastructure companies, government organizations and NATO by means of APTs (advanced persistent threats).

As the name suggests, an APT is designed to infiltrate a target's network and remain concealed for an extended period, giving the attacker time to locate and exfiltrate valuable information.

The "advanced" part generally consists of constantly adapting the code to evade detection as the target adds new security measures, and of employing multiple methods to compromise a machine.

Chinese hackers are no laughing matter

In a recent interview for CBS' 60 Minutes, FBI Director James Comey said that Chinese hackers were not especially skilled at what they do.

“They're kicking in the front door, knocking over the vase, while they're walking out with your television set,” Comey said about cyber intrusions originating from China.

Private security companies appear to have proven him wrong by joining forces to identify the methods and tools used by a Chinese APT group known to have been operating for at least four years.

Dubbed Operation SMN, the coalition included Cisco, FireEye, F-Secure, iSight Partners, Microsoft, Symantec, Tenable, ThreatTrack and Volexity, and was led by Novetta under Microsoft's Coordinated Malware Eradication program.

That such big names in the industry had to work together suggests a highly sophisticated adversary, one capable of changing its behavior and switching attack vectors and tradecraft to evade detection and maintain persistence on the targeted network.

This is exactly what the companies found during their joint investigation, in which they pooled resources and threat intelligence about a common enemy.

Some cyber-attacks go undetected for months

The group that is the subject of Operation SMN is believed to consist of between 50 and 100 operatives and has been given several names, since agreeing on a common label appears to have been the least of the alliance's concerns.

Novetta calls it Axiom, while Cisco named it Group 72. Overlaps have been found with the activity of other groups (Hidden Lynx, Elderwood, Deputy Dog, Ephemeral Hydra, ShellCrew) that were researched independently, with findings poorly shared across the security industry, and which may be part of the same enterprise.

F-Secure referred to Hidden Lynx/Axiom/Group 72 as “a sophisticated and well-resourced cyber espionage group;” Cisco says that it “possesses an established, defined software development methodology;” Symantec called it “highly capable” and said that it “is regarded as one of the pioneers of the ‘watering-hole’ attack method and it appears to have early access to zero-day vulnerabilities.”

Hurricane Panda, a different cyber-espionage group that also appears to operate from China, was recently found by CrowdStrike to have exploited a Windows zero-day vulnerability for at least five months.

This is not the only case of a zero-day being used for a long period. Hackers believed to be Russian and government-backed also relied on a Windows zero-day in their intrusions; CrowdStrike asserts that they have been active for at least five years.

The obvious conclusion is that cyber-espionage groups must be regarded as extremely capable adversaries that will use whatever tricks are needed to reach their goal.

Method for dismantling cyber espionage attacks could work against cybercriminals

However, Operation SMN showed that cooperation within the computer security industry can uncover ongoing espionage activity.

This was achieved by pooling the intelligence each participating company had gathered on its own. United against a single adversary, they were able to build tools to disrupt that entity's malicious activity and to defend against it.

Drawing on the combined research of these security firms and on its own resources, the FBI released a warning to companies and organizations about recent cyber-attacks connected to the Chinese government.

The same approach could be used against well-organized cybercriminal groups pilfering customers' bank accounts around the world.

Shared threat intelligence is great in the fight against cybercrime

The advantages of a shared database recording the particulars of an attack and the actor behind it are evident.

Cyphort CTO and co-founder Ali Golshan told us in an interview in late September that “one huge advantage the bad guys have over the good guys is that they are way more likely and willing to share intelligence with each other. Security vendors tend to covet threat intelligence because they consider it their IP.”

“That gut response on the part of security vendors to protect their IP results in a lack of information sharing across the industry that makes defense harder,” he added.

In a paper hosted on Google's cloud, a security researcher using the online alias @9bplus describes a method he used to track and identify a malicious actor's activity, based on information from VirusTotal.
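Both the pooling described under Operation SMN and the VirusTotal-based tracking mentioned above come down to the same mechanic: samples reported separately, often under different names, are linked through indicators they share (a C2 domain, a code-signing certificate, an import hash), and indicators that are too common to mean anything are discarded before pivoting. The script below is an added illustration of that mechanic written for this article; it is not code from Operation SMN, Novetta, VirusTotal or the @9bplus paper. Every report in it is constructed: the sample IDs, .test domains, certificate serials and family names describe no real malware or infrastructure.

```python
"""Link malware samples reported by different vendors into actor clusters by
pivoting on shared indicators (C2 domain, code-signing certificate serial,
import hash), the way a pooled threat-intelligence store would.

Added example for this article; it is not code from Operation SMN, Novetta,
VirusTotal or any named vendor. Every report below is constructed: the sample
IDs, domains (.test TLD), certificate serials and family names describe no
real malware or infrastructure.
"""
from collections import defaultdict

# Constructed vendor reports. Each vendor sees only part of the picture, and
# two vendors name the same sample differently (a common problem in practice).
REPORTS = [
    {"vendor": "VendorA", "sample": "SAMPLE-A1", "family": "Backdoor.Alpha",
     "indicators": {"c2:update.example-cdn.test", "imphash:0f1e2d3c"}},
    {"vendor": "VendorB", "sample": "SAMPLE-A1", "family": "Trojan.AlphaVariant",
     "indicators": {"c2:update.example-cdn.test"}},
    {"vendor": "VendorB", "sample": "SAMPLE-B2", "family": "Dropper.Beta",
     "indicators": {"c2:update.example-cdn.test", "cert:SN-1001"}},
    {"vendor": "VendorC", "sample": "SAMPLE-C3", "family": "RAT.Gamma",
     "indicators": {"cert:SN-1001", "imphash:9a8b7c6d"}},
    {"vendor": "VendorA", "sample": "SAMPLE-D4", "family": "Stealer.Delta",
     "indicators": {"c2:login.other-host.test", "imphash:5e4f3a2b"}},
    # Three unrelated samples share a commodity packer's import hash. That
    # indicator is too common to attribute anything and must not link them.
    {"vendor": "VendorB", "sample": "SAMPLE-E5", "family": "Trojan.Epsilon",
     "indicators": {"imphash:packer-common", "c2:img.third.test"}},
    {"vendor": "VendorC", "sample": "SAMPLE-F6", "family": "Trojan.Zeta",
     "indicators": {"imphash:packer-common", "c2:api.fourth.test"}},
    {"vendor": "VendorA", "sample": "SAMPLE-G7", "family": "Trojan.Eta",
     "indicators": {"imphash:packer-common"}},
]


def link_samples(reports, max_fanout=2):
    """Cluster samples connected by shared indicators.

    Indicators seen on more than max_fanout distinct samples are treated as
    noisy (shared hosting, commodity packers, public libraries) and are not
    used as pivots. The threshold is a crude proxy for indicator specificity;
    in practice it would be tuned per indicator type and backed by an
    allowlist of known-benign infrastructure.

    Returns (clusters, noisy). Clusters are sorted largest first; each is a
    dict with the samples, every family name any vendor gave them, the vendors
    that contributed, and the indicators that actually joined the cluster.
    """
    by_indicator = defaultdict(set)
    for r in reports:
        for ind in r["indicators"]:
            by_indicator[ind].add(r["sample"])
    noisy = {ind for ind, samples in by_indicator.items() if len(samples) > max_fanout}

    # Union-find over sample IDs; duplicate reports of one sample collapse here.
    parent = {r["sample"]: r["sample"] for r in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for ind, samples in by_indicator.items():
        if ind in noisy or len(samples) < 2:
            continue
        first, *rest = sorted(samples)
        for s in rest:
            ra, rb = find(first), find(s)
            if ra != rb:
                parent[rb] = ra

    groups = defaultdict(lambda: {"samples": set(), "families": set(),
                                  "vendors": set(), "pivots": set()})
    for r in reports:
        g = groups[find(r["sample"])]
        g["samples"].add(r["sample"])
        g["families"].add(r["family"])
        g["vendors"].add(r["vendor"])
    for ind, samples in by_indicator.items():
        if ind not in noisy and len(samples) >= 2:
            groups[find(next(iter(samples)))]["pivots"].add(ind)

    clusters = sorted(groups.values(),
                      key=lambda g: (-len(g["samples"]), sorted(g["samples"])))
    return clusters, noisy


def largest_cluster_size(reports, vendor=None):
    """Size of the biggest cluster, optionally using one vendor's reports alone."""
    subset = [r for r in reports if vendor is None or r["vendor"] == vendor]
    clusters, _ = link_samples(subset)
    return len(clusters[0]["samples"]) if clusters else 0


if __name__ == "__main__":
    clusters, noisy = link_samples(REPORTS)
    print("ignored as too common:", sorted(noisy))
    for c in clusters:
        if len(c["samples"]) > 1:
            print(sorted(c["samples"]), "named", sorted(c["families"]),
                  "by", sorted(c["vendors"]), "linked via", sorted(c["pivots"]))
    for v in ("VendorA", "VendorB", "VendorC"):
        print(v, "alone links at most", largest_cluster_size(REPORTS, v), "samples")
```

Run on the constructed reports, no single vendor can connect more than two samples, while the pooled view links three samples carrying four different family names through one C2 domain and one certificate serial, and correctly refuses to join the three samples that only share a commodity packer hash. The fan-out threshold is the part a practitioner would want to scrutinize: set it too low and a real actor's shared C2 is discarded; too high and shared hosting merges unrelated campaigns.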

Financially motivated cybercriminals have become more proficient at compromising systems, and the research and defense model used in Operation SMN could be applied to them as well.

If anything, it should prove more effective: the malware used in cyber-espionage campaigns is generally more advanced than criminal tooling, and there are cases where code from state-sponsored attacks has been reused to steal financial information (BlackEnergy), so intelligence gathered on the one carries over to the other.

Gathering intelligence from multiple sources, including its own, is what the FBI is attempting with its malware analysis platform, Malware Investigator. This could be the right way to pool knowledge and use it to crack down on cybercriminals without disrupting the security companies' competition for customers.