Hacking groups behind cyber attacks on enterprise companies, critical infrastructure firms and governments are sharing attack tools and intelligence, according to research from FireEye.
FireEye researchers Thoufique Haq, Ned Moran, Mike Scott and Sai Omkar Vashisht reported in a blog post that two Chinese hacking groups, Moafee and DragonOK, are coordinating their efforts.
“It appears cyber attack groups in the world’s largest manufacturing country are using a similar approach to infiltrate targeted networks and compromise data – collaborating for increased efficiency and effectiveness,” read the post.
“The first group, named Moafee, appears to operate from the Guangdong Province. Its targets include the military organisations and governments of countries with national interests in the South China Sea, including some within the US defence industrial base. The second group, known as DragonOK, targets high-tech and manufacturing companies in Japan and Taiwan.”
The researchers spotted the overlap while analysing the two groups’ attack strategies and tools. “Both campaigns use similar tools, techniques and procedures (TTPs) – including custom-built backdoors and remote-administration tools (RATs) to infiltrate their targets’ networks,” read the report.
“Moafee and DragonOK both use a well-known proxy tool – HUC Packet Transmit Tool (HTran) – to disguise their geographical locations. Both utilise password-protected documents and large file sizes to disguise their attacks. These approaches, along with other similarities in TTPs, seem to indicate the groups are affiliated in some way.”
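The two evasions FireEye attributes to both groups above, password-protected documents and deliberately oversized files, are aimed at mail-gateway scanners and sandboxes that either cannot open an encrypted attachment or refuse files beyond a size ceiling. The check below is an added example written for this page; it is not code from FireEye or from the article. It assumes a 10 MiB sandbox limit, and the sample-file builders (`sample_encrypted_office`, `sample_encrypted_zip`, `sample_padded_office`) are constructed inputs, not real malware. It goes slightly beyond the quoted text by also treating password-protected ZIP archives as the same evasion.

```python
import io
import zipfile

# Assumptions for this example: the size ceiling is a guess at a sandbox limit;
# tune it to the largest attachment your detonation pipeline actually accepts.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # OLE2 compound file header
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")  # stream name in password-protected OOXML
ZIP_FLAG_ENCRYPTED = 0x0001                               # general-purpose bit 0 in ZIP headers
DEFAULT_SIZE_LIMIT = 10 * 1024 * 1024                     # 10 MiB, assumed sandbox ceiling


def is_password_protected_office(data: bytes) -> bool:
    """A password-protected .docx/.xlsx/.pptx is not a ZIP: Office wraps the
    encrypted package in an OLE2 compound file whose directory contains an
    'EncryptedPackage' stream, so that UTF-16LE entry name is a cheap marker.
    Legacy binary .doc/.xls encryption (a flag in the file header) is not covered."""
    return data.startswith(CFB_MAGIC) and ENCRYPTED_PACKAGE in data


def is_password_protected_zip(data: bytes) -> bool:
    """Password-protected ZIPs list their entry names in the clear; only the
    contents are encrypted, signalled by bit 0 of each entry's flag word."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & ZIP_FLAG_ENCRYPTED for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(data: bytes, size_limit: int = DEFAULT_SIZE_LIMIT) -> list:
    """Return the scanner-evasion indicators found in one attachment (empty list = none)."""
    reasons = []
    if is_password_protected_office(data):
        reasons.append("password-protected Office document (EncryptedPackage stream)")
    if is_password_protected_zip(data):
        reasons.append("password-protected ZIP archive")
    if len(data) > size_limit:
        reasons.append(f"oversized attachment ({len(data)} bytes > {size_limit})")
    return reasons


# --- constructed sample inputs (not real files from either campaign) ---

def sample_encrypted_office() -> bytes:
    """Constructed: only the header and the directory-entry name a real
    password-protected OOXML file carries; not a valid compound file."""
    return CFB_MAGIC + b"\x00" * 504 + ENCRYPTED_PACKAGE + b"\x00" * 1024


def sample_encrypted_zip() -> bytes:
    """Constructed: a real ZIP built with zipfile, then the 'encrypted' bit is
    set by hand because the standard library cannot write encrypted archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.exe", b"MZ" + b"\x00" * 64)
    raw = bytearray(buf.getvalue())
    raw[6] |= ZIP_FLAG_ENCRYPTED                 # local file header: flag word at offset 6
    pos = raw.find(b"PK\x01\x02")
    while pos != -1:
        raw[pos + 8] |= ZIP_FLAG_ENCRYPTED       # central directory entry: flag word at offset 8
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


def sample_padded_office() -> bytes:
    """Constructed: an unencrypted .docx (plain ZIP) carrying a stored, incompressible
    media blob that pushes the whole file past the sandbox ceiling."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/document.xml", b"<w:document/>")
        zf.writestr("word/media/pad.bin", b"\x00" * (DEFAULT_SIZE_LIMIT + 1),
                    compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("encrypted office", sample_encrypted_office()),
                        ("encrypted zip", sample_encrypted_zip()),
                        ("padded office", sample_padded_office()),
                        ("plain text", b"hello")):
        print(f"{label:18s} -> {triage_attachment(blob)}")
```

Neither indicator is proof of malice on its own; legitimate senders password-protect documents and mail large files. The point of running this at the gateway is that an attachment the sandbox cannot open or will not accept should be queued for a human or a manual detonation rather than silently passed through, which is exactly the gap the quoted TTPs exploit.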
FireEye also reported evidence that the attackers are sharing tooling: “The two different operators seem to share backdoors and RATs, some of which are custom. Others are publicly available,” read the post.
FireEye said it has also detected some evidence that a third, unnamed group is using similar TTPs, but it is too early to say whether there is a definitive connection between it and the other two.
Attacks targeting critical infrastructure are a growing concern for governments around the globe, with new attack tools being discovered on a near-monthly basis.
Earlier in September, McAfee and Symantec joined Fortinet and Palo Alto Networks as founding members of the Cyber Threat Alliance, an intelligence-sharing initiative set up to counter the influx of new attacks.