A security researcher who’s spent 18 months cataloging and tracking malicious software that was developed and deployed specifically for spying on governments, activists and industry executives says the complexity and scope of these cyberspy networks now rivals many large conventional cybercrime operations.
Joe Stewart, senior director of malware research at Atlanta-based Dell SecureWorks, said he’s tracked more than 200 unique families of custom malware used in cyber-espionage campaigns. He also uncovered some 1,100 Web site names registered by cyberspies for hosting networks used to control the malware, or for “spear phishing,” highly targeted emails that spread the malware.
Although those numbers may seem low in the grand scheme of things (antivirus companies now deal with many tens of thousands of new malware samples each day), almost everything about the way these cyberspying networks are put together seems designed to mask the true scope of the operations, he found. For instance, Stewart discovered that the attackers set up almost 20,000 subdomains on those 1,100 domain names; but these subdomains were used for controlling or handing out new malware for botnets that each only controlled a few hundred computers at a time.
“Unlike the largest cybercrime networks that can contain millions of infected computers in a single botnet, cyber-espionage encompasses tens of thousands of infected computers spread across hundreds of botnets,” Stewart wrote in a paper released at last week’s Black Hat security convention in Las Vegas. “So each botnet…tends to look like a fairly small-scale operation. But this belies the fact that for every [cyber-espionage] botnet that is discovered and publicized, hundreds more continue to lie undetected on thousands of networks.”
Once you get past all the technical misdirection built into the malware networks by its architects, Stewart said, the infrastructure that frames these spy machines generally points in one of two directions: one group’s infrastructure points back to Shanghai, the other to Beijing.
“There have to be hundreds of people involved, just to maintain this amount of infrastructure and this much activity and this many spear phishes, collecting so many documents, and writing this much malware,” Stewart said. “But when it comes time to grouping them, that’s when it gets harder. What I can tell from the clustering I’m doing here is that there are two major groups in operation. Some have dozens of different malware families that they use, but many will share a common botnet command and control infrastructure.”