APT1: Q&A on Attacks by the Comment Crew

Today Mandiant released a detailed report dubbed "APT1" which focuses on a prolific cyber espionage campaign by the Comment Crew going back to at least 2006 and targeting a broad range of industries. The report cites the earliest known public reference about APT1 infrastructure as originating from Symantec. We have detected this threat as Backdoor.Wualess since 2006 and have been actively tracking the group behind these attacks. The following Q&A briefly outlines some of the relevant Symantec information around this group:

Q: Do Symantec and Norton products protect against threats used by this group?

Yes. Symantec confirms protection for attacks associated with the Comment Crew through our antivirus and IPS signatures, as well as STAR malware protection technologies such as our reputation and behavior-based technologies. Symantec.cloud and Symantec Mail Security for Microsoft Exchange also detect the targeted emails used by this group.

Q: Has Symantec been aware of the activities of the Comment Crew?

Yes. Symantec has been actively tracking the work of the Comment Crew for a period of time to ensure that the best possible protection is in place for the different threats used by this group.

Q: Why are they called the Comment Crew?

They were dubbed the Comment Crew due to their use of HTML comments to hide communication to the command-and-control servers.
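As an added illustration of the technique named above (this scanner is not part of Symantec's post and is not derived from any real Comment Crew sample), here is a small Python check a defender could run over captured web responses: it extracts HTML comments and flags any that carry a long, base64-shaped, high-entropy token, which is what data hidden in a comment would typically look like. The two sample pages and the encoded blob are constructed for the example; the thresholds (`min_len`, `min_entropy`) are assumptions to tune against real traffic.

```python
import base64
import binascii
import math
import re
from html.parser import HTMLParser

# Constructed sample pages (not captured traffic). One carries only ordinary
# developer comments; the other hides an encoded blob inside an HTML comment.
ENCODED_BLOB = base64.b64encode(bytes(range(60))).decode()  # constructed blob

BENIGN_HTML = """<html><body>
<!-- TODO: refactor navigation -->
<p>Welcome to the forum.</p>
<!-- Copyright2012AllRightsReserved -->
</body></html>"""

SUSPICIOUS_HTML = f"""<html><body>
<!-- page footer -->
<p>Welcome to the forum.</p>
<!-- {ENCODED_BLOB} -->
</body></html>"""

BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


class CommentCollector(HTMLParser):
    """Collect the text of every <!-- ... --> comment in a page."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(token, min_len=16, min_entropy=3.5):
    """True when a token is long, valid base64 and has high entropy.

    Short words, words with punctuation and alnum runs whose length is not a
    multiple of four (e.g. 'Copyright2012AllRightsReserved') are rejected.
    """
    if len(token) < min_len or len(token) % 4 != 0:
        return False
    if not BASE64_RE.fullmatch(token):
        return False
    try:
        base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return shannon_entropy(token) >= min_entropy


def scan_html(html):
    """Return one finding per comment token that looks like hidden encoded data."""
    findings = []
    for comment in extract_comments(html):
        for token in comment.split():
            if looks_encoded(token):
                findings.append({
                    "comment": comment,
                    "token": token,
                    "entropy": round(shannon_entropy(token), 2),
                })
    return findings


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(name, scan_html(page))
```

The check is deliberately conservative (valid base64 of a plausible length plus an entropy floor) so that ordinary build notes and copyright comments do not trip it; a flagged comment is a lead for a human to look at the server and the response, not a verdict on its own.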

Q: How does a victim get infected?

The initial compromise occurs through a spear phishing email sent to the target. The email contains an attachment using a theme relevant to the target. Some recent examples used by this group and blocked by Symantec technologies are listed here:

  • U.S. Stocks Reverse Loss as Consumer Staples, Energy Gain.zip
  • Instruction_of_KC-135_share_space.doc
  • New contact sheet of the AN-UYQ-100 contractors.pdf
  • U.S. Department of Commerce Preliminarily Determines Chinese and Vietnamese Illegally Dumped Wind Towers in the United States.doc
  • ArmyPlansConferenceOnNewGCVSolicitation.pdf
  • Chinese Oil Executive Learning From Experience.doc
  • My Eight-year In Bank Of America.pdf

Similar to what Symantec indicated in a recent blog, if the malicious attachment is opened, it attempts to use an exploit against the target victim's system. It drops the malicious payload as well as a clean document to keep the ruse going.

Q: Does Symantec know who this group is targeting?

Yes. Symantec telemetry has identified many different industries being targeted by this group including Finance, Information Technology, Aerospace, Energy, Telecommunications, Manufacturing, Transportation, Media, and Public Services. The following Figure shows a worldwide heatmap for detections related to this group since the beginning of 2012.

Figure. Heatmap of Comment Crew related detections

Q: Currently, what are the most prevalent threats being used by this group?

In the last year, Symantec has identified the most prevalent threats being used by this group as Trojan.Ecltys, Backdoor.Barkiofork, and Trojan.Downbot.

Q: Has Symantec released any publications around these attacks?

Yes. We have recently released publications to address techniques and targets of Trojan.Ecltys and Backdoor.Barkiofork, both of which are threats used by this group:

We have also investigated associated attacks of this group:

Q: What are the Symantec detection family names for threats used by this group?

Symantec also detects numerous other files used by this group under various detection names:

Q: Does Symantec have IPS protection for these threat families?

Yes. There are several IPS signatures to catch threat families associated with this group:

Q: How will this report affect the Comment Crew operations?

Despite the exposure of the Comment Crew, Symantec believes they will continue their activities. We will continue to monitor activities and provide protection against these attacks. We advise customers to use the latest Symantec technologies and incorporate layered defenses to best protect against attacks by groups like the Comment Crew.

Facebook, Twitter, Apple hack sprung from iPhone developer forum

iPhone Dev SDK, the web forum that was at the center of the hack of Facebook and other companies in January.

The website used to infect engineers at Facebook with espionage malware has been identified as an iPhone developer forum by people close to the investigation into the hacking incident.

That page, at the iPhone developer website iphonedevsdk.com, was used to expose visitors to a previously undocumented vulnerability in Oracle's Java browser plugin. The "zero-day" exploit allowed the attackers to install a collection of malware on the Java-enabled computers of those who visited the site. Ars readers shouldn't visit the site because it may still be compromised.

iphonedevsdk.com is an example of a "watering hole" attack. These attacks compromise a site popular with a population of desired hacking victims, using security vulnerabilities to install code on the Web server hosting it, which injects attacks into the HTML sent to its visitors. In this case, the site, which hosts a Web forum for iPhone developers, netted the hackers access to the computers of software engineers and developers working on mobile application projects for a number of companies, including Facebook. The exploit was the source of the attack on Twitter that led to the theft of Twitter usernames and passwords, according to a source familiar with the attack, and was used to infect computers belonging to Apple engineers. The source requested anonymity because he was not authorized to provide the details to the press.


Unusually detailed report links Chinese military to hacks against US

The emblem of the People's Liberation Army.

Security firm Mandiant has published an unusually detailed report documenting China-sponsored hacking intrusions that have siphoned terabytes of sensitive data from 141 organizations over the past seven years.

The 74-page study is only the latest report to lay a battery of computer intrusions at the feet at hackers linked to China's government or military apparatus. But until now, many of those claims lacked crucial details, opening them up to skeptics who complained that the lack of specificity made it difficult or impossible to conclude Chinese actors were behind attacks targeting US governmental agencies, corporations, and human rights organizations. Given the anonymity that shrouds most network intrusions, critics have pointed out, the use of Chinese domain names, IP addresses, and localized language in computer espionage campaigns could almost as easily have been chosen by perpetrators from other countries who want to divert the attention of investigators.

The Mandiant report is largely a response to these critics. It identifies a 12-story white office tower on the outskirts of Shanghai as the nerve center for a hacking group long known to security researchers as the "Comment Crew." IP addresses that have been used for years in espionage hacks map to the immediate surroundings of the building. The tower also happens to be the headquarters for the People's Liberation Army's Unit 61398, which was described in 2011 as the "premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence" by the Virginia-based nongovernmental organization known as the Project 2049 Institute. Many of the claims in the Mandiant report have been independently confirmed by US intelligence officials, according to an article published by The New York Times.


Apple HQ also targeted by hackers, will release tool to protect customers

Apple says a "small number" of computers on its Cupertino campus were attacked by hackers, according to Reuters. The hack appears to exploit the same Java vulnerability that recently compromised computers at Facebook. "There is no evidence that any data left Apple," the company reportedly said.

According to the Reuters exclusive, Apple is currently working with law enforcement to identify the hackers. (The company has since also confirmed to Macworld the same details.) The company also said it planned to release software on Tuesday that would help Mac users keep their own machines safe. But assuming the exploit is indeed the same one used at Facebook, the attackers may not be able to get to many Mac users in the first place. Following last year's Flashback malware scare, many Mac users disabled or uninstalled Java on their machines. Apple has also removed the Java plugin from all Mac-compatible Web browsers and blacklisted Java browser plugins on OS X twice this year already in order to prevent critical exploits.

The incident follows a recent series of attacks targeting The New York Times, The Wall Street Journal, and other publications. Various attacks in the past months have also hit Twitter and Facebook (Facebook told Ars last week how the hack unfolded). Among other things, the hack used a compromised, third-party website for mobile developers to exploit a previously unknown vulnerability in Java, causing anyone who visited with Java enabled to become infected.
