Cyber-security research firm FireEye has published a new report alleging that there may be a single actor providing important code development resources to as many as 11 separate APT campaigns. All of the tools have been written using a Chinese language character set, pointing to the likely national origin of this tool provider. FireEye alleges that this “Quartermaster” may be something of a digital arms dealer, enabling various APT teams to construct attack tools using point and click interfaces rather than advanced coding skills.
FireEye first discovered the digital breadcrumbs leading to their conclusion while examining the Sunshop water-holing attack which took over legitimate websites and used them to redirect browsers to malware sites. The 11 APT groups that they connected through their investigation were found to share resources in various combinations, among them: Portable executable resources, Pilfered Digital Certificates, API import tables, Compile times, and C2 (Command and Control) Infrastructure. FireEye’s highest confidence assessment is that a “Sunshop Digital Quartermaster” (SDQ) exists which supports a variety of separate APT campaigns as part of a “formal offensive apparatus”. While some of the APT campaigns are also using malware obtained from the digital black market, most of them are heavily reliant on tools which are not available on the criminal internet underground and almost certainly originated with a single source, this “SDQ”. FireEye does acknowledge that it is still possible that the APT groups simply share these programs informally, but there is substantial evidence that there is a single originating source of the tools within the code examples they have analyzed in the report.
Dan Gifford – MCySec Media Manager