Stealing US business secrets: Experts ID two huge cyber 'gangs' in China
Two large operations in China account for 90 percent of cyberespionage against US business, one expert says. Research suggests the scope of the operations could be breathtaking.
In 2010, Alperovitch of CrowdStrike was vice president of threat research for McAfee, the cybersecurity company that analyzed the Aurora intrusion at Google. He agrees with Stewart that the group behind Aurora is the same one that hacked RSA and later attempted to hack defense giant Lockheed Martin.
[Editor's note: The original version of this story misidentified Mr. Alperovitch’s role at McAfee.]
In 2011, while still at McAfee, he went on to reveal Comment Crew (which he calls Comment Panda) operating alongside Elderwood. The group takes its name from its habit of hiding instructions for its malware inside the "comment" fields of web pages, text that a browser never displays, so that computers it has already infected can fetch their orders from what looks like an ordinary website.
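The comment technique seen from the defender's side, as an added example that is not code from the article or from the researchers it cites: a scanner pulls every HTML comment out of a fetched page, tries to decode each one as base64, and flags those that decode to a command the implant would act on. The command prefixes, the base64 encoding and the two sample pages are constructed assumptions for this example; the actual encoding the group used is not described on this page.

```python
"""Flag HTML comments that carry hidden command-and-control instructions.

Added example; not code from the article or any firm it quotes. The command
vocabulary and the sample pages below are constructed for illustration.
"""
import base64
import binascii
import re

# Matches every HTML comment, including multi-line ones.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A plausible base64 token: at least 12 alphabet characters plus optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
# Command vocabulary of a hypothetical implant (an assumption for this example).
COMMAND_PREFIXES = ("cmd:", "sleep:", "dl:", "upload:")


def decode_if_base64(text):
    """Return the UTF-8 string behind a base64 token, or None if it is not one."""
    if not B64_RE.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def extract_comment_commands(html):
    """Return [(raw_comment, decoded_command)] for comments that hide a command.

    Ordinary comments ("Begin navigation") fail the base64 test; base64 that
    decodes to something outside the command vocabulary is ignored, which keeps
    benign encoded strings from raising alerts.
    """
    hits = []
    for match in COMMENT_RE.finditer(html):
        body = match.group(1).strip()
        decoded = decode_if_base64(body)
        if decoded is not None and decoded.startswith(COMMAND_PREFIXES):
            hits.append((body, decoded))
    return hits


def b64(text):
    """Helper used only to build the constructed sample pages."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample pages; neither is a real captured page.
BENIGN_PAGE = (
    "<html><head><!-- site build 2012-09-14 --></head>"
    "<body><!-- " + b64("copyright 2012") + " --><p>Welcome</p></body></html>"
)
STAGING_PAGE = (
    "<html><body><!-- Begin navigation --><p>Company news</p>"
    "<!-- " + b64("cmd:whoami") + " --></body></html>"
)


def scan_samples():
    """Run the scanner over both constructed pages and return the hits per page."""
    return {
        "benign": extract_comment_commands(BENIGN_PAGE),
        "staging": extract_comment_commands(STAGING_PAGE),
    }


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(name, hits)
```

Run against proxy or sandbox HTTP captures, the same check turns a page that looks harmless in a browser into a detection: the benign page yields nothing, the staging page yields one decoded `cmd:whoami` order.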
Comment Crew, Alperovitch found, had infiltrated at least 72 organizations including defense companies, the International Olympic Committee, and the United Nations. He dubbed Comment Crew's campaign Operation ShadyRAT – "RAT" standing for "remote access tool," the name for malware used to control computer systems remotely.
Stewart then discovered a flaw in the malicious software used by the Operation ShadyRAT operators, and that allowed him to track back pilfered data to the perpetrators' computer addresses in Shanghai.
Both big hacker groups were involved in the RSA hack, he has concluded.
Evidence was already strong that at least one and perhaps both were involved in one of this year's major cyberespionage attacks – infiltrating the networks of US natural gas pipeline companies, an attack first reported by the Monitor in May.
Digital signatures, domain names, and other indicators used by the hackers in the RSA case, which were Chinese in origin, lined up with those in the pipeline case, experts told the Monitor at the time.
"The indicators DHS provided to hunt for the gas-pipeline attackers included several that, when we checked them, turned out to be related to those used by the perpetrators of the RSA attack," Robert Huber, co-founder of Critical Intelligence, an Idaho Falls, Idaho, security company, told the Monitor at the time. "It makes it highly likely that the same actor was involved in both intrusions."
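How an indicator overlap of the kind Huber describes is checked in practice, as an added example that is not the article's code or Critical Intelligence's: two indicator lists are normalized (defanging removed, case folded, URL schemes and paths dropped), sorted into types, and intersected type by type, with a Jaccard score for the whole set. The indicator values are constructed for the example (RFC 5737 test addresses, made-up domains and hashes) and are not the real RSA or pipeline indicators, which this page does not reproduce.

```python
"""Correlate indicator sets from two intrusions.

Added example; not from the article or the firms it quotes. The two indicator
lists are constructed placeholders, not real indicators from either case.
"""
import re
from collections import defaultdict

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")  # also the form of a code-signing cert thumbprint
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def normalize(indicator):
    """Refang and canonicalize one indicator so that different reports compare equal:
    lowercase, undo [.] / hxxp defanging, drop scheme and path, drop a trailing dot."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^(?:hxxps?|https?)://", "", s)
    s = s.split("/", 1)[0]
    return s.rstrip(".")


def classify(value):
    """Assign a normalized indicator to a type; longer hashes are tested first."""
    if IPV4_RE.match(value):
        return "ipv4"
    if SHA256_RE.match(value):
        return "sha256"
    if SHA1_RE.match(value):
        return "sha1"
    if MD5_RE.match(value):
        return "md5"
    if DOMAIN_RE.match(value):
        return "domain"
    return "other"


def bucket(indicators):
    """Map indicator type -> set of normalized values."""
    out = defaultdict(set)
    for raw in indicators:
        value = normalize(raw)
        out[classify(value)].add(value)
    return out


def overlap(set_a, set_b):
    """Return ({type: sorted shared values}, jaccard) for two indicator lists."""
    a, b = bucket(set_a), bucket(set_b)
    shared = {}
    for kind in sorted(set(a) | set(b)):
        common = a.get(kind, set()) & b.get(kind, set())
        if common:
            shared[kind] = sorted(common)
    all_a = set().union(*a.values()) if a else set()
    all_b = set().union(*b.values()) if b else set()
    union = all_a | all_b
    jaccard = len(all_a & all_b) / len(union) if union else 0.0
    return shared, jaccard


# Constructed indicator lists (TEST-NET addresses, invented domains and hashes).
INTRUSION_A = [
    "hxxp://update[.]example-cdn[.]net/index.asp",
    "news.example-mail.org",
    "203.0.113.45",
    "0123456789ABCDEF0123456789ABCDEF01234567",  # signing cert thumbprint, upper case
]
INTRUSION_B = [
    "UPDATE.EXAMPLE-CDN.NET.",
    "203.0.113.45",
    "portal.example-news.biz",
    "0123456789abcdef0123456789abcdef01234567",
    "deadbeef" * 8,  # a payload hash seen only in the second case
]


def correlate_sample():
    """Correlate the two constructed lists."""
    return overlap(INTRUSION_A, INTRUSION_B)


if __name__ == "__main__":
    shared, score = correlate_sample()
    for kind, values in shared.items():
        print(kind, values)
    print("jaccard", round(score, 3))
```

On the constructed lists the shared infrastructure is one domain, one address and one certificate thumbprint, three of the six distinct indicators overall, so the Jaccard score is 0.5. Without normalization the upper-case thumbprint and the defanged, trailing-dot domain would have been missed.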
Stewart, who has spent the past 20 months cataloging the digital infrastructure of the two groups, is staggered by the number of personnel that must be involved. He has discovered hundreds of families of custom-made malware, suggesting hundreds of employees and maybe even thousands – some hackers, but many more researchers who support their activities, as well as analysts to cull and process the stolen information.
It suggests a state-supported or at least state-tolerated institution of large and well-funded proportions. Supporting this conclusion, he says, is the fact that the pair of attackers routinely target entire industry groups, not just individual companies.
"Everyone that does cybersecurity for a living should know about these two groups," Stewart says. "It's taken about five years for experts to understand what's really going on – and it's pretty well understood now. But people in our industry don't share this kind of information very freely so it's hard to get up to speed. Just getting antivirus vendors to agree on a name would be a huge leap."