A Few APT Groups Carry Out Most Attacks

Concerned with the amount of U.S. intellectual property being stolen from corporate networks, a group of security professionals sat down and compared notes on the various groups they tracked.

Security consultants are tracking a dozen groups responsible for advanced threats, all out of China. High-tech firms, oil companies, and defense contractors have all fallen prey to the 12 teams out to steal trade secrets and sensitive or classified information. The goal of the research is to detect and define the groups that carry out most of these attacks. One group, for example, is called the Comment Crew because of its signature tactic of embedding command-and-control information in the comments of Web pages. Knowing whether an attacker belongs to an advanced persistent threat (APT) group also helps a company decide whether it needs to call for help. The term APT was coined by the defense industry for attackers that don't easily go away.

Various attributes can be used to classify attackers into groups, including their tools and techniques, the characteristics of their infrastructure, and their targets. Mandiant, for example, keeps dossiers on the 12 groups it tracks, and when called in by a client, gathers network intelligence and compares it with what it knows about the usual suspects. The company can analyze an incident under investigation and match it to the various groups' modes of operation, including their tools, passwords, encryption used, command-and-control infrastructure, and targets.

Not everyone believes the problem of advanced attackers can be laid at the collective feet of 12 groups. Hundreds of hacking groups on the Internet have the capability to steal intellectual property. In addition, groups in other countries, such as Russia and Iran, are active as well. The original story can be read on the DarkReading web site.
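To make the attribute-based attribution described above concrete, here is an added example (not Mandiant's method or code) that scores an incident against a set of group dossiers by weighted set overlap and refuses to attribute below a confidence threshold. The dossiers, attribute names, weights and threshold are all constructed placeholders; the infrastructure values use documentation address space and the .invalid TLD.

```python
# Added example: attribute-overlap attribution against constructed group dossiers.
# Categories follow the article: tools/techniques, infrastructure, targets.
# Passwords and encryption are folded into "tools" for brevity.

# Constructed placeholder dossiers; not real tracked-group data.
DOSSIERS = {
    "Group A (Comment Crew-style)": {
        "tools": {"c2_in_html_comments", "custom_rat_x", "rar_exfil"},
        "infrastructure": {"c2.example-a.invalid", "203.0.113.10"},
        "targets": {"defense", "high-tech"},
    },
    "Group B": {
        "tools": {"spearphish_docx", "custom_rat_y", "7z_exfil"},
        "infrastructure": {"c2.example-b.invalid", "198.51.100.7"},
        "targets": {"oil_gas"},
    },
}

# Assumed weighting: tooling is the most stable fingerprint, targets the least.
WEIGHTS = {"tools": 0.5, "infrastructure": 0.3, "targets": 0.2}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets contribute no evidence."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def score(profile, incident):
    """Weighted Jaccard similarity across the attribute categories."""
    return sum(w * jaccard(profile.get(cat, set()), incident.get(cat, set()))
               for cat, w in WEIGHTS.items())


def attribute(incident, dossiers=DOSSIERS, threshold=0.25):
    """Return (best_group_or_None, ranked list of (score, group)).

    A best match below the threshold is reported as no attribution so that
    weak overlaps (a shared commodity tool, a shared target sector) do not
    get promoted to a named group.
    """
    ranked = sorted(((score(p, incident), name) for name, p in dossiers.items()),
                    reverse=True)
    best_score, best_name = ranked[0]
    if best_score < threshold:
        return None, ranked
    return best_name, ranked
```

Feeding it an incident with two tools, one C2 address and one target sector in common with Group A yields a score of about 0.58 for Group A and 0 for Group B; an incident sharing nothing returns None rather than the top-ranked name.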