SAN FRANCISCO -- When Mandiant Corp. released its report on APT1, imaginations seemed to run wild with ideas of Chinese super hackers conducting incredibly sophisticated attacks from their secret headquarters.
In reality, advanced persistent threats (APTs) largely consist of B-team scrubs running the equivalent of script-kiddie tools created by a few talented hackers with a huge support team behind them. This was the case put forward by Alex Lanstein, senior researcher at Milpitas, Calif.-based security vendor FireEye Inc., during his RSA Conference 2013 presentation, APTs by the Dozen: Dissecting Advanced Attacks from China.
Through his many examples of Chinese attack methods, Lanstein painted a picture of a cyberattack force overwhelming in size but with uneven skill sets. Yes, the Chinese have a few "super-talented people" capable of creating click-and-deploy tools that take advantage of zero-day vulnerabilities in applications like Flash and Java. However, the majority of attacks conducted by Chinese hackers rely on methods as rudimentary as spear phishing. And extraordinarily, this is all that's needed to steal vast amounts of data.
"Almost 0% of the time did they not use just zero-days, but exploits at all… they send you an executable file. That's it," Lanstein said. "It's exactly as advanced as it needs to be."
Among the most popular targets for spear phishing attacks are human resources (HR) personnel. Chinese attackers largely rely on authenticated users to move laterally within networks, and HR users are particularly useful because they know everyone in a given organization, from the system administrator to the head of sales who holds important business data. HR users are also among the most likely targets to open both emails and attachments, because they do both hundreds of times a day.
A key characteristic of targeted attacks is the deployment of decoy content alongside the malicious files. This technique is meant to ensure the target will not contact the IT department. Lanstein relayed a story of his attempts to email a Tibetan activist, one of the most popular target groups for Chinese attackers. Due to the constant surveillance the Chinese perform on Tibetan activist inboxes, the text of his email was intercepted within 24 hours and used in an attempted spear phishing attack on a German CERT. His friend forwarded the intercepted email to him, which included a screengrab of the FireEye.com website as decoy content.
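The two delivery traits described above, a plain executable as the payload and a benign-looking decoy shipped next to it, are easy to check for at the mail gateway. The following Python is an added example written for this article, not code from FireEye or from Lanstein's talk; the sender and recipient addresses, the file names and the attachment bytes are all constructed here for illustration. It classifies attachments by content (PE and ELF magic bytes) before falling back to the file extension, so an executable renamed to `resume.pdf` is still caught, and it reports when an executable arrives together with decoy-like content.

```python
import email
from email import policy
from email.message import EmailMessage

# Content-based signatures checked first, because the file name is attacker-controlled.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")
# Extensions that are executable on a typical Windows desktop (fallback only).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Formats commonly used as decoy content next to the real payload.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".png", ".jpg"}


def classify_attachment(filename, payload):
    """Return 'executable', 'decoy-like' or 'other', judging content before name."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if any(payload.startswith(magic) for magic in EXECUTABLE_MAGIC):
        return "executable"
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"
    if ext in DECOY_EXTENSIONS:
        return "decoy-like"
    return "other"


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and decide whether to hold it for review."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.append((part.get_filename(), classify_attachment(part.get_filename(), payload)))
    kinds = {kind for _, kind in findings}
    return {
        "verdict": "hold" if "executable" in kinds else "deliver",
        "attachments": findings,
        # Executable plus decoy in one message is the pattern described in the article.
        "decoy_pattern": "executable" in kinds and "decoy-like" in kinds,
    }


def build_sample():
    """Constructed sample message: empty body, a decoy PNG, and a PE renamed as a PDF."""
    msg = EmailMessage()
    msg["From"] = "recruiting@example.invalid"   # hypothetical sender
    msg["To"] = "hr@example.invalid"             # hypothetical HR recipient
    msg["Subject"] = "resume"
    msg.set_content("")  # empty body, as in the second attacker's email from the talk
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                       maintype="image", subtype="png", filename="website.png")
    msg.add_attachment(b"MZ" + b"\x90" * 60,
                       maintype="application", subtype="octet-stream", filename="resume.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage_message(build_sample())
    print(result["verdict"], result["decoy_pattern"])
    for name, kind in result["attachments"]:
        print(f"  {name}: {kind}")
```

On the constructed sample the message is held: `resume.pdf` is classified as an executable from its `MZ` header regardless of its name, and the accompanying `website.png` marks the decoy pattern. A gateway that only matched on extension would deliver the same message.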
And even if initial spear phishing attempts are unsuccessful, Lanstein said, Chinese attackers just return to the same well again and again. Why? Quite simply, he said, there are no real repercussions if they are discovered.
"With the Chinese hackers, there is really no penalty for them failing," Lanstein said. "Ninety-nine percent of the time, they don't seem to care if you catch them. They only care about being able to steal the data."
Lanstein also emphasized the human aspect of these massive cyber-espionage operations. When a human is given a problem such as targeting an organization's IP, each person will likely go about solving that problem in a different way. He used the example of two Chinese attackers targeting a Japanese organization. Both utilized spear phishing, but one registered a new email and came up with a convincing body of text, while the other simply sent an empty email with an attachment.
Ultimately, he said, Chinese attackers are not going to stop. If an organization is on a long-term hit list, there will be many attempts over the course of months and even years aimed at stealing that organization's data. The Chinese also have a seemingly endless supply of both committed attackers and free infrastructure, much of which is provided by companies like Google.
"These guys have an unlimited supply of email accounts," Lanstein said. "They've got guys sitting there all day creating email accounts and they've got spreadsheets of thousands of email accounts. It's an incredible amount of manpower."
With no current disincentive for Chinese attackers, Lanstein was asked if government intervention represented the best hope going forward for stopping these attacks.
"That would make the biggest impact," he said.