Malware Campaigns May Be Linked to a Single Source
The similar structure of several malware campaigns suggests that industrial spies may be collaborating—or, more likely, a single entity is behind the campaigns.Technical analysis of 11 malware campaigns has discovered signs that they share the same digital infrastructure—including the use of certificates, executable resources and development tools—suggesting that attackers are sharing code or may even be part of the same organization, according to an analysis published by threat-protection firm FireEye. The report, published in mid-November, describes how the company linked 110 malware binaries into 11 different campaigns, where the attackers—all thought to be from China—used the same techniques and resources to compromise the networks of a group of victims. Yet those 11 campaigns were not as separate as the firm first thought; a variety of other evidence found in the binaries suggests that the programs had been created using similar support resources. The analysis points to a single "quartermaster," who may be acting as a supplier for the different groups attacking government agencies as well as companies in the technology, financial, telecommunications and energy industries, among others, the report stated. The links suggest that, at the very least, different espionage groups are using the same tools and methods. More likely, the Chinese groups are part of a larger organization with a centralized source of code and other resources, Ned Moran, senior malware researcher with FireEye and a co-author of the report, told eWEEK.
"It's bad news because these guys look to be pretty organized," he said. "It explains why we are constantly reading about company X suffered an intrusion traced back to China, and then company Y. We now understand why that is possible."