FireEye: Digital Arms Dealer Might Be Fuelling Advanced Attacks

Researchers have uncovered links between 11 seemingly separate advanced hacker attack campaigns, hinting at a centralised digital arms dealer supplying a range of high-quality hacking services for government-backed bodies.

Similar command and control infrastructure, malware, code strings, timestamps and digital certificates were used in all attacks, FireEye researchers said.

A Chinese threat actor has been implicated in the latest findings. The report homed in on a malware builder tool written in Chinese. Testing infrastructure was also written in Chinese.

FireEye researchers also suspected China-based hackers of carrying out the zero-day Internet Explorer attacks uncovered over the weekend.

Sunshop digital arms dealer

The builder tool was used in the Sunshop campaign, which infected strategic websites to redirect visitors to multiple exploits. Looking deeper into Sunshop, the researchers found links to campaigns targeting companies across 15 sectors, including US government organisations and technology suppliers.

“Taken together, these commonalities point to centralised APT planning and development,” the FireEye report read. “How prevalent this model has become is unclear. But adopting it makes financial sense for attackers, so the findings may imply a bigger trend.

“This development and logistics operation is best described as a ‘digital quartermaster’. Its mission: supply and maintain malware tools and weapons to support cyber espionage. This digital quartermaster also might be a cyber arms dealer of sorts, a common supplier of tools used to conduct attacks and establish footholds in targeted systems.”

FireEye admitted such a digital arms dealer might not exist and that the attackers could be simply sharing information with each other, but it was highly confident there was a centralised point where hackers were acquiring their tools.

Looking across its research data, FireEye found six different digital certificates, some of which were stolen, used by 47 malware samples from 11 different campaigns. Two portable executable resources were used by 64 samples.
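The correlation described above, linking otherwise separate campaigns through signing certificates and PE resources they have in common, as an added example that is not part of the article or the FireEye report; the sample records and artifact values below are constructed placeholders, not real indicators.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample metadata (not FireEye's data): each record is
# (sample_id, campaign, artifact_type, artifact_value); values are placeholders.
SAMPLES: List[Tuple[str, str, str, str]] = [
    ("s01", "CampaignA", "cert", "CERT-THUMB-001"),
    ("s02", "CampaignA", "pe_resource", "RSRC-HASH-aaa"),
    ("s03", "CampaignB", "cert", "CERT-THUMB-001"),
    ("s04", "CampaignB", "pe_resource", "RSRC-HASH-bbb"),
    ("s05", "CampaignC", "pe_resource", "RSRC-HASH-bbb"),
    ("s06", "CampaignD", "cert", "CERT-THUMB-002"),
    ("s07", "CampaignE", "cert", "CERT-THUMB-003"),  # unique: links nothing
]

def shared_artifacts(samples):
    """Map each (type, value) artifact to the campaigns using it,
    keeping only artifacts seen in more than one campaign."""
    usage: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for _, campaign, kind, value in samples:
        usage[(kind, value)].add(campaign)
    return {k: v for k, v in usage.items() if len(v) > 1}

def cluster_campaigns(samples):
    """Union-find over campaigns: two campaigns join one cluster whenever
    they share a certificate or PE resource. Returns sorted clusters."""
    parent: Dict[str, str] = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra
    for _, campaign, _, _ in samples:
        find(campaign)  # register campaigns with no shared artifact as singletons
    for campaigns in shared_artifacts(samples).values():
        first, *rest = sorted(campaigns)
        for other in rest:
            union(first, other)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for c in parent:
        groups[find(c)].add(c)
    return sorted(sorted(g) for g in groups.values())
```

With the constructed data, CampaignA, CampaignB and CampaignC fall into one cluster through two different artifacts, while CampaignD and CampaignE stay separate; in practice the same pass is run over certificate thumbprints, resource hashes and C2 infrastructure extracted from a sample corpus.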

“Whether this quartermaster involves informal connections between developers or a structured bureaucratic organisation serving a central offensive apparatus is unclear. Regardless of the scenario, the overall finding of a shared development and logistics infrastructure suggests targeted organisations are facing a more organised menace than they realise,” added the report.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
