After lull, PLA 'Comment Crew' hasn't changed cyber-espionage tactics

The Chinese government's alleged cyber-espionage arm remains active after a quiet period, using the same tactics revealed in Mandiant's APT1 report.

In a follow-up to Mandiant Corp.'s explosive APT1 report alleging an extensive hacking operation within the Chinese People's Liberation Army, another threat intelligence firm has concluded that the PLA entity known as "Comment Crew" is still hard at work targeting U.S. enterprises.

Unless people treat [cyberattacks] as a business problem, you're not going to make much headway.

Richard Bejtlich,
CSO, Mandiant Corp.

Arlington, Va.-based Cyber Squared Inc. said in an analysis released last week that the Chinese People's Liberation Army's (PLA) Comment Crew cyber-espionage operation is still using "familiar tactics to target their victims," including ongoing exploitation operations. Mandiant's February "disclosure appears to have done little to stem the onslaught of cyber-espionage from this or other Chinese threat groups," Cyber Squared concluded in a recent post.

Cyber Squared said the February report by Mandiant, detailing the seven-year history of the PLA's Unit 61398 near Shanghai "appears to have done little to stem the onslaught of cyber-espionage from this or other Chinese threat groups."

Comment Crew is "still in the game and up to their old tricks," Cyber Squared reported.

The evidence for that assertion is based on a single yet significant source: a malicious ZIP file containing a fake PDF icon that "dropped" a separate decoy document. Analysts said the decoy mimicked an invitation and agenda for an April modeling and simulation conference sponsored by the National Defense Industrial Association.

Cyber Squared confirmed that the dynamic command-and-control (C2) domain used for the malicious download was probably active from May through November 2012, and that the domain "has also been used to host over a dozen other 'Comment Crew' C2 domains."

The upshot, Cyber Squared concluded, is that Comment Crew has done little to change the way it operates since Mandiant's advanced persistent threat (APT) disclosures in February. "They have not significantly retooled their traditional implant technologies, command-and-control capabilities, or modified their target selection process, as some expected they would," the company said.

A Mandiant executive called Cyber Squared's conclusions "not unexpected," but cautioned that Cyber Squared's "research was a little thin."

In an interview with SearchSecurity, Richard Bejtlich, chief security officer of Alexandria, Va.-based Mandiant, confirmed that Comment Crew and similar groups have recently been more active after a quiet period following the release of Mandiant's report and ensuing political firestorm. But he noted that Cyber Square's assessment is based on a single incident.

Others also urged caution. "We have to be careful to avoid the classic streetlight effect: only searching where the light is," said Rick Holland, senior analyst for security and risk management at Cambridge, Mass.-based Forrester Research Inc.

"One alternative theory is that Comment Crew continues to leverage the same [tactics, tools and procedures] as part of a counter intelligence operation to deceive the security community," Holland said.

Holland added that many of the companies he spoke to after Mandiant's APT1 report was released "didn't have the skills, instrumentation or historical log data to detect Comment Crew's activities."

"It makes little difference whether Comment Crew or some other group is out there compromising networks," said Pete Lindstrom, vice president of research at Pennsylvania-based consultancy Spire Security. "The indicators of compromise are published now, and can be used to identify malicious activity. At this stage, we should be careful about being distracted by APT1 and neglectful of APT2, 3, 4 [and so on]."

Recent disclosures by Mandiant and others have nevertheless helped raise awareness among large enterprises about the growing need for cyber-defenses. Mandiant's Bejtlich said he expects large enterprises to respond by adopting more active defenses against attacks. Smaller enterprises with fewer resources will continue to "struggle and will have to adopt a collective defense posture" along with vendors and suppliers.

"Unless people treat [cyberattacks] as a business problem, you're not going to make much headway," Bejtlich asserted.

Other observers agreed that the apparent success of China's cyber-espionage has more to do with lax U.S. network security than the cyber-tactics of outfits like Comment Crew.

"The problem isn't that the Chinese are so skilled; it's that U.S. companies are so inept," James Lewis, director of the technology and policy program at the Washington-based Center for Strategic and International Studies, wrote in a March opinion piece published in the Washington Post.

Dig deeper on Hacker Tools and Techniques: Underground Sites and Hacking Groups

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close