
Attackers pool resources

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 12 Nov 2013
Attackers are sharing development and logistics infrastructure, says FireEye.

FireEye has conducted research that suggests several apparently unrelated advanced persistent threats (APTs) may be related after all.

The company closely examined several APTs that were initially believed to have no connection, and has revealed that it is more likely that these APTs are part of a broader attack using the same development and logistics infrastructure.

Deon La Grange, country manager of FireEye SA, says the research strongly indicates that an APT exists that is sophisticated and co-ordinated and not at all random. "Organisations face a greater menace than what meets the eye," he says.

La Grange says the problem is compounded by the fact that businesses today are trying to protect themselves using 20th Century defence tools in a 21st Century cyber threat landscape.

A wider trend

The report, titled "Supply Chain Analysis: From Quartermaster to Sunshop", examined 11 APT campaigns targeting a variety of industries. Close examination revealed that although the attacks appeared to be unrelated, several key links between them belied this notion.

The attacks used the same malware tools, the same elements of code, binaries with the same timestamps, and signed binaries with the same certificates. En masse, these commonalities suggest the planning and development of these threats was centralised, says FireEye.

The company adds that how widespread this resource sharing is remains unclear, but since it makes financial sense for cyber criminals, it might well be indicative of a wider trend.

The report shows that the attacks shared a development and logistics operation that supported a few APT attackers in 'distinct but overlapping' campaigns. FireEye described the operation as a 'digital quartermaster' whose mission is to supply and maintain the malware tools that support cyber espionage. The company adds that the digital quartermaster could also be seen as a 'cyber arms dealer' in a fashion - a supplier of cyber weapons used to carry out attacks and infiltrate targets' systems.

In terms of the tools themselves, FireEye researchers uncovered a 'builder' tool that was most likely used in several of the 11 campaigns analysed. The tool appears to have been produced by Chinese speakers: its dialogues and menu options are in Chinese, and the testing infrastructure it was used with was configured with the same native Chinese character set.

The Sunshop connection

In May, FireEye uncovered an APT dubbed 'Sunshop' that infected several Web sites, and redirected visitors to a site riddled with exploits.

In August, the company said the attack remained active, and later that month it discovered several more related attacks, whose underlying infrastructure showed that the campaign was using resources shared with other campaigns not previously thought to have any connection to Sunshop.

From the evidence found, FireEye drew several possible conclusions. The first is that a shared development and logistics operation (SDQ) does exist, supporting different APT campaigns. The second is that the SDQ and the APT campaigns initially thought to be separate operations run by different groups are in fact a single cluster run by one well-resourced actor; the company stressed, however, that it considers this scenario unlikely.

FireEye says this is because each cluster of activity used malware samples configured with different operator-specific elements, such as passwords, campaign identifiers and mutexes. "These artefacts were generally consistent within each cluster of activity but differed across clusters," the company explains.
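The two-level pivoting the report describes can be made concrete: artefacts that come out of a build and signing pipeline (compile timestamps, code-signing certificates, builder-specific code) link samples across campaigns, while operator-set configuration (campaign identifier, mutex, password) stays constant within a cluster and differs between clusters. The following is an added example, not code from the article or from the FireEye report; the sample records, hashes, certificate serials and campaign names are constructed, and the field names (compile_ts, cert_serial, builder_hash, campaign_id, mutex, password) are assumptions about what a triage database might hold.

```python
"""Pivot on malware sample metadata at two levels: supply-side artefacts
(shared build/signing infrastructure) versus operator-side configuration
(set per campaign by whoever runs it)."""
from collections import defaultdict

# Assumed field names. Supply-side artefacts come from the build and
# signing pipeline; if several campaigns share them, they draw on the
# same "digital quartermaster".
SUPPLY_KEYS = ("compile_ts", "cert_serial", "builder_hash")

# Operator-side artefacts are set by whoever runs a campaign. The report
# found these consistent within a cluster but different across clusters.
OPERATOR_KEYS = ("campaign_id", "mutex", "password")


def _s(h, ts, cert, bld, camp, mutex, pw):
    """Build one constructed sample record."""
    return {"sha256": h, "compile_ts": ts, "cert_serial": cert,
            "builder_hash": bld, "campaign_id": camp, "mutex": mutex,
            "password": pw}


# Constructed sample metadata for illustration only; not real hashes,
# certificates or campaign names. Campaigns A, B and C reuse a builder,
# a certificate and a compile timestamp between them; D shares nothing.
SAMPLES = [
    _s("s01", "2013-04-02T08:11:00", "C1", "bld7", "A", "MxA", "pa"),
    _s("s02", "2013-05-01T03:14:15", "C2", "bld7", "A", "MxA", "pa"),
    _s("s03", "2013-04-09T10:00:00", "C1", "bld8", "B", "MxB", "pb"),
    _s("s04", "2013-06-11T12:30:00", "C3", "bld7", "B", "MxB", "pb"),
    _s("s05", "2013-05-01T03:14:15", "C4", "bld9", "C", "MxC", "pc"),
    _s("s06", "2013-07-20T01:01:01", "C5", "bld7", "C", "MxC", "pc"),
    _s("s07", "2013-03-03T03:03:03", "C9", "bld0", "D", "MxD", "pd"),
]


def link_by_shared_artefacts(samples, keys):
    """Union-find over samples: two samples are linked when they carry an
    identical value for any key in `keys`. Returns sorted groups of hashes,
    so transitive links (s01-s03 via cert, s01-s02 via builder) chain."""
    parent = list(range(len(samples)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (key, value) -> index of first sample carrying it
    for i, s in enumerate(samples):
        for k in keys:
            v = s.get(k)
            if v is None:
                continue
            if (k, v) in first_seen:
                union(first_seen[(k, v)], i)
            else:
                first_seen[(k, v)] = i

    groups = defaultdict(list)
    for i, s in enumerate(samples):
        groups[find(i)].append(s["sha256"])
    return sorted(sorted(g) for g in groups.values())


def operator_clusters(samples):
    """Group samples by their full operator-side configuration tuple."""
    clusters = defaultdict(list)
    for s in samples:
        clusters[tuple(s.get(k) for k in OPERATOR_KEYS)].append(s["sha256"])
    return {cfg: sorted(hs) for cfg, hs in clusters.items()}


def shared_across_clusters(samples, keys):
    """Which (key, value) artefacts appear in more than one operator
    cluster? Non-empty for SUPPLY_KEYS means the campaigns share a
    quartermaster; empty for OPERATOR_KEYS is the observation that argued
    against a single actor running everything."""
    where = defaultdict(set)
    for s in samples:
        cfg = tuple(s.get(k) for k in OPERATOR_KEYS)
        for k in keys:
            v = s.get(k)
            if v is not None:
                where[(k, v)].add(cfg)
    return {kv: sorted(cfgs) for kv, cfgs in where.items() if len(cfgs) > 1}


if __name__ == "__main__":
    print("supply-side groups:", link_by_shared_artefacts(SAMPLES, SUPPLY_KEYS))
    print("operator clusters:", operator_clusters(SAMPLES))
    print("supply artefacts crossing clusters:",
          shared_across_clusters(SAMPLES, SUPPLY_KEYS))
    print("operator artefacts crossing clusters:",
          shared_across_clusters(SAMPLES, OPERATOR_KEYS))
```

On the constructed data, linking on supply-side keys chains A, B and C into one group while D stays isolated; linking on operator-side keys yields four disjoint clusters, and no operator artefact crosses a cluster boundary. That asymmetry is the shape of evidence the report used: shared supply, separate operators.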

A third possibility, says FireEye, is that SDQ does not exist, and APT attackers share their tools informally among themselves.

However, because all three scenarios involve some form of shared development and logistics infrastructure, a digital quartermaster of sorts, the company says it cannot tell whether the connections are informal or whether they represent a structured bureaucratic organisation serving a central offensive apparatus.

Fighting APTs

La Grange says fighting an APT using traditional measures is ineffective. "Once organisations have been infiltrated, the APTs are incredibly difficult to find as they obfuscate and hide deep in the memory of infected systems, ensuring a long life and a proportionally increased business impact.

"In 2001, the bulk of security spend was on AV, firewalls and intrusion prevention systems. Twelve years on, the scenario hasn't changed proportionally, although the cyber threat landscape has, leaving many organisations far more vulnerable and, in most cases, already compromised."

He adds that FireEye also tracks the number of attacks where the code is seen for the first time. "These zero-day attacks measure between 66% and 69% of attacks discovered in FireEye's Dynamic Threat Intelligence (DTI) cloud, with new attacks increasing from around 18 000 individual targeted attacks in CY13Q2 to 33 000 in CY13Q3, as determined by the DTI cloud."

Industry research conducted earlier this year in more than 1 000 medium-sized to large organisations revealed that 72% of organisations rated their security somewhere between good and great, meaning they were happy with their investment in tools, processes and security controls, says La Grange. "However, 51% of these could not determine whether they had been a victim of a zero-day attack or APT, as they simply do not have the tools to determine what they don't know. Our research, based on where we deploy our systems, is that 95.4% of companies are compromised despite their existing investments.

"Clearly there is a big gap between what organisations think their security posture is and what it is relative to the new advanced targeted threat vectors prevailing on networks today. The lacklustre approach organisations have towards zero-day attacks and APTs creates a platform for the supply chain; if the attackers were not gaining value, they would not invest in the infrastructure - clearly they see an ROI."
