Technical analysis of 11 malware campaigns has discovered signs that they share the same digital infrastructure—including the use of certificates, executable resources and development tools—suggesting that attackers are sharing code or may even be part of the same organization, according to an analysis published by threat-protection firm FireEye.
The report, published in mid-November, describes how the company linked 110 malware binaries into 11 different campaigns, where the attackers—all thought to be from China—used the same techniques and resources to compromise the networks of a group of victims. Yet those 11 campaigns were not as separate as the firm first thought; a variety of other evidence found in the binaries suggests that the programs had been created using similar support resources.
The analysis points to a single “quartermaster,” who may be acting as a supplier for the different groups attacking government agencies as well as companies in the technology, financial, telecommunications and energy industries, among others, the report stated.
The links suggest that, at the very least, different espionage groups are using the same tools and methods. More likely, the Chinese groups are part of a larger organization with a centralized source of code and other resources, Ned Moran, senior malware researcher with FireEye and a co-author of the report, told eWEEK.
“It’s bad news because these guys look to be pretty organized,” he said. “It explains why we are constantly reading about company X suffered an intrusion traced back to China, and then company Y. We now understand why that is possible.”
Companies in the United States and Western Europe face increasing attacks by espionage groups, many of them based in China. The groups are adopting hit-and-run tactics and may actually be hackers-for-hire, taking contracts from domestic companies, according to recent analyses. China is the most prolific adversary, but botnets have been tracked back to Russia and Eastern Europe, and the United States has its own cyber-operations.
Many of the 110 malware binaries used in the 11 campaigns shared some common characteristics. In total, 65 were packaged with one of two different manifest resources, and 47 were signed with one of a group of six digital signatures. As a whole, the group of binaries connected to 54 different fully qualified domain names.
While none of the attributes linked all the malware programs together, taken as a whole, the evidence links them all to a common infrastructure. The similarities are likely caused by a small number of builder programs used to create the malware for each campaign, the report stated.
Overall, the evidence suggests that a central research and development group—sort of a digital Q branch—likely provides operatives with the tools and infrastructure to complete their missions.
The commonalities also suggest that defenders could focus on identifying and blocking malware by focusing on the attributes of a limited number of tools used to create the malware rather than the far more numerous variants used in attacks.
“The good news is that if these guys are relying on some formal or informal logistic development tool; all you have to do is figure out what the unique aspects of that tool are and build your defenses around those attributes,” Moran said.