Much of the talk about cybercrime remains focused on East Asia. But according to Trend Micro, it is hackers in Eastern Europe that have actually emerged as more sophisticated.
In a report entitled 'Peter the Great vs. Sun Tzu', Tom Kellermann, vice president of cyber security at Trend Micro, compared hackers from the two regions according to their focus, organization and the sophistication of their malware and infrastructure. His conclusion - the Eastern Europeans are far more insidious and strategic.
"They are like master craftsmen who produce nano-code which is modular and which obfuscates itself," he told SecurityWeek. "The report spells it out."
Due to the competitive nature of the environment, East European hackers create customized malware with the capabilities typically hard-coded internally without external third-party tools, the report notes. Robust anti-debugging techniques and complex command-and-control structures are hallmarks of Eastern European groups. While Eastern European malware is not always innovative, it often incorporates several exploits designed by others in creative ways, Kellerman wrote.
On the other hand, fewer anti-debugging techniques are used by East Asian hackers, who are more interested in speed and productivity. Backdoors also tend to be simpler, he noted, stating that "East Asian malware is thrown together quickly using already-existing components."
"East Asian hackers on the other hand tend to use cheap, hosted infrastructure usually from mass ISPs that are easy to set up and manage," he said in the report. "They are not necessarily concerned with being identified as the attacker as they do not go great lengths to hide their tracks like the East European hackers do. This was shown in the recent LuckyCat incident which was traced back to Sichuan University which is a known training school for East Asian military."
While East Asian groups tend to work for other organizations interested in their skills, hackers from Eastern Europe generally operate in small, independent units, and are focused on profit, he wrote. Their infrastructure tends to be developed by them specifically for their own use in attacks.
"They (Eastern European groups] tend to want to be in control of their entire infrastructure and will routinely set up their own servers for use in attacks, develop their own DNS servers to route traffic and create sophisticated traffic directional systems used in their attacks," according to the report. "If they do go outside, they will carefully select bulletproof hosters to support their infrastructure. It is their hallmark to maintain control of the whole stack similar to the business models pioneered by Apple."
"In general, the East Asian hackers are not at the same skill level of maturity as their East European counterparts," Kellermann concluded. "The East European’s are master craftsmen who have developed a robust economy of scale which serves as an arms bazaar for a myriad of cyber munitions and bulletproof hosting infrastructures," he said. Comparing the two to real-world military tactics, Kellermann added that East European hackers act like snipers when they launch campaigns, whereas the East Asian hackers tend to colonize entire ecosystems via the “thousand grains of sand approach”.
The full report can be read here in PDF format.