‘Chicken Farm’ Botnets Actively Target Governments, Researchers Warn

The scale of the cyber security threat facing governments and businesses has been highlighted in new research presented at the Black Hat security conference by Taiwanese researchers.

It revealed that an Asian espionage network consisting of more than 5,000 bots – or “chickens” in the region’s parlance – has infected government agencies in the United States, Europe, Taiwan, Thailand, Malaysia and other nations.

Chicken Farms

While the researchers had identified more than two dozen groups operating different “chicken farms” that were responsible for nearly 50 attacks per week on each major Taiwanese agency, their presentation focused on one group of farmers called “LStudio.”

The attacks, most of which are not detected by antivirus software, aim to install stealthy malware to steal sensitive government information, said Benson Wu, lead security researcher at Taiwan-based Xecure Lab, who co-presented the research at Black Hat. Known as advanced persistent threats (APTs), such espionage attacks have become a common occurrence, not only for US companies and government agencies, but those in Taiwan as well, Wu said.

“Taiwan is a great place to study APT – it’s like an APT playground,” he said. “It’s very easy to collect new samples, and everything is so new that (antivirus) has a zero detection rate.”

The researchers refused to attribute the attacks to any specific actors, noting that it is fairly easy to disguise attacks from one country to make them appear to come from another. However, there was a noticeable absence from the list of victims.

“There are no IP addresses from China,” says Fyodor Yarochkin, a security researcher at Academia Sinica/Taiwan, who co-presented the research at Black Hat.

Cyber-espionage has become the crowd-sourced Cold War of the modern era. While many western countries, such as the United States, have adopted espionage on the Internet as a way to gather information a wide variety of information on other countries, many developing nations have focused on stealing economic secrets from the US and Europe.

Cyber Aggression

China is the most aggressive of the current crop of espionage actors, but information-gathering attacks have been attributed circumstantially to the United States, Russia, India, and Israel. More damaging attacks – such as the sabotage of Iran’s nuclear processing capability by the Stuxnet program – have been allegedly carried out by the US, Israel, Iran and North Korea.

“APT malware only accounts for a very tiny percentage of legitimate traffic, but they are like lethal weapons,” Wu said. “Once you have it, you have these lethal malware inside your organisation.”

In the case of LStudio, the attackers appear to be intent on gathering information using a variety of espionage tools that connect to different back-end systems. The researchers were able to gather information on the data centres and the consoles that were used by the attackers.

An interesting component of the system is that it posted messages to a social network as a way to pass information from the compromised systems to the farmers who managed those “chickens.” Messages, such as “Carol: Aaron win the competion (sic) award like ZWEknbws, well known for the series of F512,” identify the specific malware, the user and passes other information.

In addition, the attackers would give each campaign a label that, in many cases, named the target, allowing the attackers to discover that some attacks were directed at the Ministry of Energy, while others focused on the largest media companies in Taiwan.

What do you know about Internet security? Find out with our quiz!

Originally published on eWeek.