Security Experts:

Connect with us

Hi, what are you looking for?



Cyber Arms Dealer at Center of 11 Advanced Attack Campaigns: FireEye

Sometimes, the cyber-underworld can sometimes seem like a free-for-all as opposed to an intricate, interconnected network of crime.

Sometimes, the cyber-underworld can sometimes seem like a free-for-all as opposed to an intricate, interconnected network of crime.

But according to a report from FireEye, a Web tying together nearly a dozen separate attack campaigns may have a single nexus – a cybercriminal supplying attackers with weapons they are using to target multiple industries.

“What we initially believed to be 11 different APT campaigns used the same malware tools, the same elements of code, binaries with the same timestamps, and signed binaries with the same digital certificates,” according to the report. “Through this discovery, we believe that we have identified a shared development and logistics operation used to support a number of different APT actors engaged in distinctive but overlapping campaigns. This development and logistics operation is best described as a digital quartermaster whose mission is to supply and maintain malware tools and weapons used in support of cyber espionage operations.”

“This digital quartermaster is a possible cyber arms dealer, supplying the operators responsible for conducting attacks and establishing footholds within targeted organizations. As such, we refer to this entity as the Sunshop Digital Quartermaster (SDQ),” the report noted.

The name SDQ comes from the ‘Sunshop’ attack campaign FireEye detected in May in which attackers compromised certain websites in an effort to redirect users to site serving various exploits. In the ensuing months, FireEye discovered after examining the underlying infrastructure that Sunshop used resources shared across other APT campaigns. 

All totaled, the researchers collected 110 unique binaries, detected as Trojan.APT.9002, Trojan.APT.PoisonIvy, Trojan.APT.Gh0st, Trojan.APT.Kaba, and Trojan.APT.Briba. More than 60 of these binaries were packaged with two unique manifest resources, and 47 were signed with six different digital certificates, the firm explained, adding that the binaries connected to 54 unique “fully qualified domains.”

In its analysis, FireEye researchers found a builder – a tool used to create different variants of the same malware – they believe was likely used in some of the 11 campaigns due to the common characteristics of the malware samples that were discovered. The tools appear to be written in Chinese, and the testing infrastructure seems to be configured with the native Chinese language character set. The dialogues and menu options in the builder tool are in Chinese as well.

The various campaigns targeted a number of industries, including the aerospace, telecommunications and energy sectors. Other targets include the federal government. All 11 of the campaigns were active between at least July 2011 and September 2013, but could have been active before then.

According to Fireye, there a three possibilities: SDQ is a single actor behind all 11 campaigns; SDQ does not exist, and APT attackers are simply sharing information amongst each other; or SDQ exists and supports each of the campaigns as part of a “formal offensive apparatus” of development and logistics. Of the three, the third option is the most likely, researchers speculated.

“In each of these scenarios, a shared development and logistics infrastructure or some notion of a digital quartermaster clearly underpins all of the activity presented in this report,” the researchers noted in the paper. “Whether this quartermaster involves informal connections between developers or a structured bureaucratic organization serving a central offensive apparatus is unclear. Regardless of the scenario, the overall finding of a shared development and logistics infrastructure suggests targeted organizations are facing a more organized menace than they realize.”

“Our research points to centralized planning and development by one or more advanced persistent threat (APT) actors,” said Darien Kindlund, manager of threat intelligence at FireEye, in a statement. “Malware clearly remains a desired cyber weapon of choice. Streamlining development makes financial sense for attackers, so the findings may imply a bigger trend towards industrialization that achieves an economy of scale.”

Written By

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...


Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.