Bloomberg


Following the Hackers’ Trail

Private researchers have tracked Comment group, starting with malware the hacking team left behind in compromised networks, then gradually identifying indicators that are the equivalent of fingerprints at a crime scene. The group is one of the most active cyber espionage teams from China, compromising over 1,000 victims including, according to a leaked classified cable, the computer networks of the U.S. Army and State Department. Researchers have developed an archive cataloguing 40 families of custom malware and hundreds of domain names as the group has hacked its way through Fortune 500 companies, government bodies, law firms, and other high-profile targets. U.S. intelligence agencies, which once referred to the group as Byzantine Candor, have linked the Shanghai hackers to the People’s Liberation Army, China’s military, according to a leaked classified cable and former intelligence sources.

1 - Phishing for access
A target computer receives what's called a spear-phishing email that has either an attachment containing malware or a link to a malicious zip file. If the attachment is opened, the malware instructs the computer's web browser to visit an innocuous website and look for code hidden there by the hackers. It is located in the area of web pages used by programmers that's known as "comments" and isn't visible to most users. From there, the code redirects the browser to a malicious site where it will download more extensive malware. This first stage is unique to Comment group, lending the team its name.
2 - Infiltrating the network
The downloaded malware allows the hacker to set up backdoors into the target network and control multiple computers and servers from a remote location. Investigators can later find malware in the targeted network that was left behind and analyze the code, linking it to particular hacking teams.
3 - Taking control
Malware instructs the network to call out to internet protocol (IP) addresses controlled by the team. These IPs serve as the hackers' link to the network, allowing them to both upload their custom tools to the target network and download stolen data from their victims. U.S. intelligence agencies and private investigators have logged thousands of IP addresses, domain names and sub domains associated with Comment group, according to people involved in the investigations. A few are listed here.
4 - Reporting back to China
Stolen data is invariably sent back to Internet Service Providers (ISP) located in Shanghai, which matches intelligence from U.S. spy agencies indicating that city as Comment group’s home base, according to a leaked diplomatic cable. In many cases, the group disguises its location using a program called HTran.
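Added example (not from the article or the researchers it cites): a defender-side check for the step 1 technique, in which instructions are hidden in the HTML comments of an innocuous web page. The article does not describe the format of the hidden code, so the two heuristics used here (URLs and long high-entropy tokens inside comments) and the sample page are assumptions.

```python
import math
import re
from collections import Counter
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
BLOB_RE = re.compile(r"[A-Za-z0-9+/=_-]{40,}")  # long unbroken token

# Constructed sample page (not from the article or any real intrusion).
SAMPLE = """<html><head>
<!-- ================================================== -->
<!-- nav starts here -->
</head><body><p>Welcome to the spring newsletter.</p>
<!-- q1W8zXk3Lm9PtR7vYb2NcD5fGh0JsA4uE6iOoKxTyUwZ -->
<!-- upd: http://updates.example.net/a.zip -->
</body></html>"""

def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

class CommentCollector(HTMLParser):
    """Collects (line number, text) for every HTML comment."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append((self.getpos()[0], data))

def flag_comments(html, min_entropy=4.5):
    """Return (line, reason, excerpt) for comments that may carry hidden data."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, text in parser.comments:
        for m in URL_RE.finditer(text):
            findings.append((line, "url", m.group()))
        # Look for encoded data outside URLs; entropy filters out "=====" rulers.
        for m in BLOB_RE.finditer(URL_RE.sub(" ", text)):
            if entropy(m.group()) >= min_entropy:
                findings.append((line, "encoded-blob", m.group()[:24]))
    return findings

if __name__ == "__main__":
    for finding in flag_comments(SAMPLE):
        print(finding)
```

Benign comments that contain URLs, such as licence headers, also produce hits, so the output is a triage list that needs an allow-list, not a verdict.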
[Diagram: hidden browser calls out; redirected, malware downloaded; malware accesses network; hacking tool sets installed; files, data, emails stolen; data funneled through web servers]
HTran is a program used by Comment group and other Chinese hacking teams to disguise their geographic location by bouncing traffic off IP addresses around the world before making it to the final destination. An error in the software, first identified by Joe Stewart from Dell SecureWorks, has allowed researchers to trace the ultimate destination for the stolen data to cities in China.
Telltale signs of Comment group
Forensic investigators tracking the Comment group have identified signature markers, from common passwords to procedures that are unique to the hackers. For example, Comment group developed its own software for specialized tasks, like stealing e-mail. Below are some ways investigators recognize the team's tracks.
Hacking toolsets
Comment group hackers send commands to victim computers through a command shell invisible to the person sitting in front of the computer screen. The example below is from an intrusion last year against the European Council. A hacker used a tool called “mapiget” to steal a cache of e-mails from username BASSOOD, identified as Odile Renaud-Basso, at the time a member of president Herman Van Rompuy’s cabinet.
Command used to steal email
Ugly Gorilla
While most hackers prefer anonymity, one member of Comment group brazenly leaves the moniker “ugly gorilla” or the letters “ug” in domain names or malware, like a personalized signature, according to security researchers. The hacker also appears to have a sense of humor – one of his domain names used in the past is hugesoft.org, combining two common descriptors of a gorilla, along with sub-domains like “tree” and “man”.
Sample of domains linked to Ugly Gorilla
