It is common knowledge that spear-phishing has become the preferred way for persistent attackers to gain a foothold in targeted systems and networks. In fact, most of the successful compromises believed to be executed by Chinese hackers in the last two or three years have been initiated by spear-phishing emails.
Security experts consider a particular group of Chinese-based hackers that offer their services for hire to be behind most of these attacks, and they seem to be experts at sniffing out information that can be used to craft these emails.
The gang has been dubbed the Comment Group because they became known in security circles for peppering the comments sections of popular websites with links leading to malware. Since then, they have obviously discovered that mounting attacks against specific high-profile targets pays better, so they changed their approach.
The Group’s members specialize in a number of activities.
“They have the guys working on exploits, you have the guys that are changing or programming the malware to gain access to the systems, and then you have the guys that are the operators,” Alienvault Labs Director Jaime Blasco shared with the BBC. “They don’t know a lot about computers, what they do is operate the malware – they try to find the specific information, they collect intelligence from the victims and save that information for whatever purpose.”
The success of the initial attack depends on the effectiveness of the part of the group that concentrates on finding out personal details about the management and employees of target companies and organizations, as well as their partners and collaborators.
Crafting an authentic-looking email – containing real-world references – that will trick the recipient into opening a malicious attachment or following a link takes real skill, pointed out Kaspersky Lab researcher David Emm.
To do that, the “researchers” of the group scour the Internet for snippets of information about the most prominent and public-facing individuals in the organization, and use any other source of information they can find.
It is believed that the Group was the one that sent out spear-phishing emails to US diplomats attending a climate change debate in Copenhagen, as well as the one that managed to get a foothold in Coca-Cola’s systems last year, which ultimately resulted in the failure to acquire China’s largest soft drinks company.
It is also likely that the recent compromise of the New York Times’ systems and journalists’ email accounts was executed by the Comment Group.
But, according to researchers, the Group has also been known to use a different approach to infect the targeted computers with malware: watering hole attacks.
These are quickly replacing spear-phishing emails as the preferred method of compromising computers in targeted campaigns, as this approach allows attackers to reach more victims and gather more data.
Watering hole attacks consist of compromising legitimate websites which the targets are likely to visit frequently, rigging them with code that redirects visitors to other sites hosting exploit kits, and thus infecting them with malware (mostly RATs) without their knowledge.
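The redirect code described above is what a site owner or monitoring team has to spot on their own pages. The following is an added example, not code from the article or from any of the researchers quoted in it: it parses a page's HTML and flags resources (iframes, scripts, meta refreshes) that load from hosts other than the site itself, treating hidden iframes and forced redirects as high severity. The sample page, the host names and the allowlist are constructed for the example and are not real sites.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with one injected 1x1 hidden iframe
# pointing at an off-site host (203.0.113.0/24 is a documentation range).
SAMPLE_HTML = """<html><head><title>Industry News</title>
<script src="/static/app.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="http://203.0.113.10/landing.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<script src="https://cdn.example-partner.test/lib.js"></script>
</body></html>"""


class _LoadCollector(HTMLParser):
    """Collects every tag that makes the browser fetch or navigate elsewhere."""

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (kind, url, attrs)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "script") and a.get("src"):
            self.loads.append((tag, a["src"], a))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0;url=http://..."; take everything after "url="
            content = a.get("content") or ""
            idx = content.lower().find("url=")
            if idx != -1:
                self.loads.append(("meta-refresh", content[idx + 4:].strip(), a))


def _is_hidden(attrs):
    """True if the element is sized to 0/1 px or styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_offsite_loads(html, site_host, allowlist=()):
    """Return findings for resources loaded from hosts other than site_host.

    Relative URLs (no host) are same-origin and ignored; hosts in the
    allowlist (e.g. a known CDN) are ignored too. Hidden iframes and
    meta refreshes are rated high because they silently move the visitor.
    """
    parser = _LoadCollector()
    parser.feed(html)
    findings = []
    for kind, url, attrs in parser.loads:
        host = urlparse(url).hostname
        if host is None or host == site_host or host in allowlist:
            continue
        hidden = _is_hidden(attrs)
        severity = "high" if (kind == "iframe" and hidden) or kind == "meta-refresh" else "medium"
        findings.append({"kind": kind, "url": url, "host": host,
                         "hidden": hidden, "severity": severity})
    return findings


def content_digest(html):
    """SHA-256 of the page body, for comparing against a known-good baseline."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def page_changed(html, baseline_digest):
    """True if the fetched page no longer matches the stored baseline digest."""
    return content_digest(html) != baseline_digest


if __name__ == "__main__":
    # Assumed site host and partner CDN; both are placeholders for the example.
    for f in find_offsite_loads(SAMPLE_HTML, "news.example.test",
                                allowlist=("cdn.example-partner.test",)):
        print(f"{f['severity'].upper():6} {f['kind']:12} {f['url']} (hidden={f['hidden']})")
```

A periodic job that fetches the site's own pages, checks the digest against the last known-good copy and runs the tag scan on anything that changed gives early warning of exactly the kind of injected redirect the article describes; the allowlist keeps legitimate third-party scripts from generating noise.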