Savviest hackers hail from Eastern Europe, researchers say
By Lucian Constantin
PCWorldSep 23, 2012 12:39 pm PDT
Despite an increasing number of successful cyberattacks launched by East Asian hackers against companies and government institutions around the world in recent years, Eastern European cybercriminals remain a more sophisticated threat to the global Internet, security researchers say.
“While East Asian hackers dominate cybersecurity-related headlines around the world with high-profile intrusions and advanced persistent threats (APTs), it would be a mistake to conclude that these attackers are the sole or greatest criminal threat to the global Internet today,” Tom Kellermann, vice president of cybersecurity at antivirus vendor Trend Micro, said in a report entitled “Peter the Great Versus Sun Tzu.”
“After conducting extensive research into the nature of the East Asian and East European underground, Trend Micro has concluded that hackers from the former Soviet Bloc are a more sophisticated and clandestine threat than their more well-known East Asian counterparts,” said Kellermann, who until recently served as a commissioner on the Commission on Cyber Security for the 44th U.S. Presidency.
East Europeans are “master craftsmen” when it comes to malware development, Kellerman contends. “East European malware are so elegantly crafted, they have been dubbed the ‘Faberge Eggs’ of the malware world,” he said.
East Asian hackers will use zero-day exploits — exploits targeting previously unknown vulnerabilities — and spear phishing in order to compromise a target’s computer system, but then will rely on basic malware and third-party tools to maintain and expand their access on a target’s network. (See also “Hackers shift tactics, study warns.”)
Small, advanced hacks
In contrast, East European hackers use exploits created by others for initial penetration, but their malware programs are customized specifically for their goals and have all of the needed functionality built in.
Malware programs produced in Eastern Europe tend to be small in size and use advanced detection evasion techniques, Kellermann said.
Kellermann attributes the advanced malware writing skills of Eastern European hackers to a long history of high-quality science and math education in the region. He also credits the discipline of making every line of code count that stems from the fact that computer scientists from the former Soviet Bloc had to make do with less sophisticated computing resources.
“As an East European vendor of anti-malware technologies, we also believe that the European malware underground is more technical and has more tradition than the Asian hacking scene,” Bogdan Botezatu, senior e-threat analyst at Romanian antivirus vendor BitDefender, said Thursday via e-mail.
“In the early days of the post-communist era, East Europeans (especially Bulgarians and Russians) have focused their attention on infecting capitalist countries as a response to the state of their economy,” Botezatu said. “Aided by a solid background in mathematics and cryptography, the East Europeans have quickly become the undisputed champions in a, back then, means of political protest and retaliation.”
“In more than 20 years of activity, these groups have shifted their focus from political protest to writing commercial malware and their experience with malware, packing and cryptography have made a huge difference,” the BitDefender researcher said.
Another reason why Eastern European hackers present a more sophisticated threat than their East Asian counterparts is their method of operation, which Kellermann compared to that of independent mercenary commando units that thrive based on their accomplishments.
Eastern European hackers operate in small teams, are precise and focused in their attacks and go to great lengths to protect their identities because their reputation is key to their success.
“The East European underground is a tightly knit community of fellow mercenary commandos who routinely buy and sell data to one another,” Kellermann said. “If your reliability is called into question, your ability to profit or even survive is harmed, possibly to the point of extinction.”
Stealing trade data
East Asian hackers, on the other hand, are “cyber foot-soldiers” who don’t seem to care very much about whether they’re detected or identified, Kellermann said.
He thinks this is because they operate as part of larger groups that are funded by certain organizations, usually to steal trade secrets or other sensitive data from corporations and government agencies.
If one East Asian hacker is exposed he doesn’t lose his ability to make money and can simply go back to work. In a sense, group funding means better financial stability for East Asian hackers.
Meanwhile, East European hackers need to steal data they can immediately sell or exploit for a profit, like financial credentials, credit card details, or personal information.
This is why the Eastern European cybercriminal underground has developed cybermoney-laundering systems that use customer vetting and alternative payment channels, Kellermann said.
“It’s a nice idea, but perhaps a little oversimplified,” David Harley, a senior research fellow at Slovakia-based antivirus vendor ESET, said Thursday via e-mail. Harley believes that being identified can actually serve as an ego boost for some East Asian hackers.
“Even back in the early noughties when attackers from China were just beginning to attract our attention, they were not particularly careful about covering their tracks (except from their targets, of course),” Harley said. “For instance, we knew quite a lot about Wicked Rose [the leader of a well known Chinese hacker group] and his compatriots that went quite a long way beyond the technicalities of the 0-days they were using, such as their reputed links with the Chinese military.”
“They seem to have had a romantic, even idealistic view of their activities, and that seems to persist with later players,” Harley said. “Eastern European players aren’t there for the glory, and it’s likely that they feel they have more to lose if they get caught.”
“In sum, one could say that East Europe is a high-end market while East Asia is a mass market when it comes to hacking,” Kellermann said. “In general, East Asian hackers do not have the same level of maturity in terms of skill as their East European counterparts.”