Chinese cybercrime is a maturing cottage industry. It keeps regular hours. It has a business plan. It innovates. Like any good business it puts setbacks (defenders who smarten up) behind it pretty quickly.
Kick it out and it will find a way back in, taking weeks or months to pursue its objectives.
With Dell SecureWorks the latest firm to open the lid on a previously little-documented Chinese espionage group during a Black Hat briefing this week, perhaps it’s time to reassess the Chinese APT as simply something that its main targets in the US, Japan and the EU have to put up with. This is just the way it’s going to be.
The group Dell SecureWorks wants us to know about is called ‘Emissary Panda’ in Dell-speak, aka ‘Threat Group 3390’, which it has been tracking for two years as it targeted more than 100 organisations, about half from the US and UK.
The targets included the usual sectors, including electronics, automotive, oil and gas, pharma, defence, law, with a number of attacks on the sort of educational and political organisations that seem to fascinate Chinese cybercriminals or their paymasters.
The MO is fairly standard too, covering a mix of remote access Trojans such as PlugX (including a server-side element coded by Mandarin Chinese speakers), watering hole attacks and a penchant for hacking Exchange email servers to facilitate a targeted hunt for privileged user accounts. The group is well-rehearsed at compromising web servers.
Interestingly, according to Dell SecureWorks researcher Aaron Hackworth, the Emissary Panda hackers are choosy about what they steal, typically doing a directory dump of everything they access before coming back for only small bits of any trove. They often ignore interesting documents in favour of very specific ones, which he believes is because their ultimate customer for the data has very targeted interests.
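The enumerate-everything-then-return-for-a-few-files pattern Hackworth describes is something a defender can look for in file-share audit logs. The following is an added example, not code from the article or from Dell SecureWorks. It assumes a constructed, simplified audit log format (one line per event: ISO timestamp, account, LIST_DIR or READ_FILE, path), which is an assumption rather than any real product's format, and it flags accounts that list an unusual number of distinct directories within a short window and then come back later for a handful of files. The thresholds and the sample log are illustrative.

```python
"""Flag bulk directory enumeration followed by selective file retrieval.

Added example, not from the article or Dell SecureWorks. The log format
(timestamp account action path) and the thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIST_THRESHOLD = 20                 # distinct directories listed ...
LIST_WINDOW = timedelta(minutes=10)  # ... within this window => enumeration burst

LINE_RE = re.compile(r"^(\S+) (\S+) (LIST_DIR|READ_FILE) (.+)$")


def parse_log(text):
    """Parse audit lines into (timestamp, account, action, path), sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting
        ts, account, action, path = m.groups()
        events.append((datetime.fromisoformat(ts), account, action, path))
    events.sort(key=lambda e: e[0])
    return events


def find_enumeration_bursts(events, threshold=LIST_THRESHOLD, window=LIST_WINDOW):
    """Return {account: [burst, ...]} where a burst is a dict with start, end
    and the set of distinct directories listed while the sliding window held
    at least `threshold` distinct directories."""
    listings = defaultdict(list)
    for ts, account, action, path in events:
        if action == "LIST_DIR":
            listings[account].append((ts, path))
    bursts = {}
    for account, items in listings.items():
        recent, found = deque(), []
        for ts, path in items:
            recent.append((ts, path))
            while ts - recent[0][0] > window:   # drop events older than the window
                recent.popleft()
            distinct = {p for _, p in recent}
            if len(distinct) >= threshold:
                if found and found[-1]["end"] >= recent[0][0]:
                    found[-1]["end"] = ts        # still inside the same burst
                    found[-1]["dirs"] |= distinct
                else:
                    found.append({"start": recent[0][0], "end": ts, "dirs": set(distinct)})
        if found:
            bursts[account] = found
    return bursts


def selective_reads_after(events, bursts):
    """READ_FILE events by a flagged account after its last enumeration burst."""
    reads = defaultdict(list)
    for ts, account, action, path in events:
        if action == "READ_FILE" and account in bursts and ts > bursts[account][-1]["end"]:
            reads[account].append((ts, path))
    return dict(reads)


def analyse(text):
    """Combine both signals into one finding per flagged account."""
    events = parse_log(text)
    bursts = find_enumeration_bursts(events)
    reads = selective_reads_after(events, bursts)
    findings = []
    for account, blist in bursts.items():
        enumerated = set().union(*(b["dirs"] for b in blist))
        findings.append({
            "account": account,
            "dirs_enumerated": len(enumerated),
            "files_read_after": len(reads.get(account, [])),
            "paths_read_after": [p for _, p in reads.get(account, [])],
        })
    return findings


# Constructed sample log (not real data). An ordinary user lists a couple of
# directories and works on what is there; a second account walks 25 share
# directories in four minutes and returns three hours later for two files.
_BASE = datetime(2015, 8, 5, 2, 0, 0)
_SAMPLE_LINES = [
    "2015-08-05T09:00:00 CORP\\alice LIST_DIR \\\\fs01\\projects\\alpha",
    "2015-08-05T09:00:30 CORP\\alice READ_FILE \\\\fs01\\projects\\alpha\\plan.docx",
    "2015-08-05T09:05:00 CORP\\alice LIST_DIR \\\\fs01\\projects\\beta",
    "2015-08-05T09:06:00 CORP\\alice READ_FILE \\\\fs01\\projects\\beta\\notes.txt",
]
_SAMPLE_LINES += [
    f"{(_BASE + timedelta(seconds=10 * i)).isoformat()} CORP\\svc_backup LIST_DIR \\\\fs01\\dept{i:02d}"
    for i in range(25)
]
_SAMPLE_LINES += [
    "2015-08-05T05:12:00 CORP\\svc_backup READ_FILE \\\\fs01\\dept07\\merger_terms.pdf",
    "2015-08-05T05:12:40 CORP\\svc_backup READ_FILE \\\\fs01\\dept19\\roadmap.xlsx",
]
SAMPLE_LOG = "\n".join(_SAMPLE_LINES)

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run as written it reports only the `svc_backup` account: 25 directories enumerated in one burst, then two reads afterwards, while `alice` never crosses the threshold. In practice the threshold should be set from a baseline of normal listing volume per role, and service accounts that legitimately walk whole shares (backup, indexing) need an allow-list, otherwise the rule will page on them every night.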
While they don’t devote much effort to hiding their origins in China (the firm has amassed a raft of circumstantial clues pointing to the country), they are pretty persistent. Defenders that managed to detect Emissary Panda and clean out its malware found that this didn’t put the group off from trying to find another way in.
“They planned ahead for eviction so they had already made preparation,” says Hackworth, who likens the methodical way the group resurfaces to a form of mundane IT management.
They don’t use up valuable zero days simply because they don’t have to. With plenty of PCs vulnerable to old flaws, their business doesn’t require such expensive indulgences to get the job done.
The era of Chinese APTs – as they used to be called by security marketing executives – began in earnest in early 2010 when Google blew the top off the vast Aurora attacks that had targeted not only the search giant but almost anything in the US with a head office. The US had been in denial about the scale of what had been going on, and even then Secretary of State Hillary Clinton got in on the act, blaming the Chinese Government. Since then, so many more attacks have come to light and been pinned on China and its Government that they are almost routine.
Chinese APTs, or whatever they are called today, just aren’t a story any more and have almost become part of the furniture.
So why write about another hacking group? This one has a catchy brand name, Emissary Panda, but is this stuff still important? Arguably, Dell SecureWorks’ latest exposé is significant in that it tells us how mundane this stuff has become, not only for the firms on the receiving end but for the attackers themselves. Clearly, they are experienced, professional hackers, stealing data to order. They are in it for the money as much as the ideology, although some experts still assume it’s all driven by anti-US zeal.
It could be that some organisations that might have succumbed five years ago are now tougher and the APT hackers have moved on to other targets, although this would be an optimistic interpretation. More likely, Emissary Panda is but a small example of a big problem people have adapted to. Breaking into organisations is big, profitable business and will remain that way for decades to come.