China’s hackers are still at it; Iran’s are getting better
May 21, 2013
Not only is APT1, the Chinese-government hacking group made famous by Mandiant last February, back at its old tricks, but other Chinese espionage outfits have been hacking away, undeterred by the public naming and shaming of their colleagues.
Even as APT1 (formally known as Unit 61398 of the People’s Liberation Army) took a break after Mandiant publicized its exploits, the rest of China’s advanced hackers stayed on the offensive, stealing data any way they could.
"A lot of the press reporting has been saying that China took a break for three months and now they’re back, [but] that was just one group … the rest of them just kept up the regular pace of operations; no discernible change from our point of view," Richard Bejtlich, Mandiant’s chief security officer, told Killer Apps yesterday, regarding APT1’s actions in the wake of his firm’s February report detailing their activities. "It’s not like they received any sort of tasking that said, ‘hey, the U.S. is onto us, we’d better take it easy.’ It was more like, ‘we don’t care, let’s just keep on conducting operations.’"
As for APT1, they did some "cleanup activities and then they took a break from, for the most part from breaking into targets that we had seen them going after," said Bejtlich. "In the last four weeks or so, they seem to be making a push back to their normal levels of activity; it’s not all the way back there in terms of the numbers of victims we see them in, but they are coming back."
"We’ve seen them attempting to get access to some of the previous victims as well as trying their hand with some new victims," said Bejtlich of APT1’s renewed cyber activities.
These advanced Chinese hacking groups are among the roughly 24 highly skilled cyber espionage outfits around the world — sometimes collectively called Advanced Persistent Threats (the APT in the moniker, APT1) — that Mandiant tracks, according to Bejtlich. (Most of the APT groups Mandiant tracks are Chinese but some are Russian.)
In the meantime, Mandiant has also seen a rise in Middle Eastern hackers, suspected of being Iranian, who appear to be honing their abilities to penetrate and stay in the networks of both governments and businesses.
"We may have eyes on some Iranians as well," said Bejtlich. "I don’t know if they’re necessarily at the APT level, but they’re distinct enough that we can track them and have a decent idea of where they’re coming from."
The Middle Eastern hackers aren’t "in any way" as sophisticated as groups like APT1, according to Bejtlich. "The limited activity that we’ve seen seems to be almost educational on their part; it seems like they’re trying to determine what it’s like to operate on a live network."
While Chinese hackers know what antivirus software to expect, how the network will be built, and even how its defenders will react to their presence, "the Iranians don’t tend to have that, from what we see, but we think they’re taking steps now to develop those skills," said Bejtlich.
He went on to say this activity may be a "leading indicator" that Iranian espionage operatives may be gearing up to conduct more advanced online operations.
"We typically haven’t seen digital work done on the theft side, but that’s starting to change," said Bejtlich. "We think we’ve seen them on networks, which is new for us."
He acknowledged that while this is the first time Mandiant has tracked suspected Iranian hackers inside a corporate network, other cybersecurity researchers may have come across Iranian operatives in cyberspace. (Last summer’s famous cyber attacks that wiped hard drives on 30,000 of oil giant Saudi Aramco’s computers have been blamed by some on Iranian-backed hackers. Then there’s last fall’s denial of service attacks that were pinned on Iran.)
"We’re not a lock that these guys are Iranians, but there are some indications that they are, so we’re trying to devote some time and figure out who they are," he added. "The case we have is not a destructive case; somebody didn’t go in and destroy a bunch of computers."
Rep. Mike Rogers, chair of the House Intelligence Committee, has said that Iranian hackers may pose the biggest threat of a destructive cyber attack to the United States.
Here’s what Killer Apps reported on Rogers saying last February:
Rogers said that Iran had already displayed its willingness to wreak havoc abroad in the attacks last August against the Saudi Aramco oil company and the Qatari gas firm RasGas, which wiped the data from 30,000 computers and kept employees off email for more than a week.
The U.S. government has yet to name a culprit in those attacks, but Rogers said that, based on his conversations with private sector cyber security analysts, he is "99.9 percent sure" that Iran was behind them.
"That’s a new level of capability," said Rogers. "They have obviously aggressively stepped up their campaign."
He then pointed to last fall’s denial of service attacks against U.S. banks as also being the work of Iranian cyber operators, though he acknowledged those attacks were far less sophisticated and damaging.
"Most people believe that was a probing action; they’re trying to find deficiencies in our systems to find a better way to come back and cause some catastrophic disruption," Rogers said.