Written by Jeff Stone
Professional hackers who already try to hide their activity through an array of technical means now seem to be trying on more corporate disguises, by creating front companies or working as government contractors to boost their legitimacy.
U.S. law enforcement in September accused hackers based in Iran and China of conducting global espionage operations while appearing to exist as otherwise innocuous technology firms. While the public nature of the charges are proof the efforts weren’t entirely successful, the tactic marks an evolution of the use of dummy corporations since a group of financial scammers stole a reported $1 billion by posing as a cybersecurity testing firm.
“It just makes it harder to figure out who’s doing what, and what are their motivations,” John Demers, the U.S. assistant attorney general for national security, said of the apparent motivation in a recent interview.
“For a company that’s suffered a breach, it may throw you off the scent at first,” he said. “That said, I think we’ve been able to get through those veils… of these front companies and we’ve been able to get attribution. But it does allow some deniability.”
The Justice Department on Sept. 16 unsealed an indictment against five Chinese men and two Malaysian nationals for their alleged role in a years-long spying scheme that infected software including Asus, CCleaner and Netsarang with malware.
Some suspects working as part of the larger operation functioned as part of Chengdu 404, which marketed itself as a penetration testing company with a “patriotic spirit,” states one indictment.
While advertising offensive hacking tests, Chengdu 404 used phishing and other means to breach more than 100 organizations in the U.S., South Korea, Japan and other countries, according to the charges. The hackers would exploit their access to steal source code, software signing certificates and personally identifiable information on Beijing’s behalf, while collecting money for themselves. (Security firms have linked the activity to APT41, a suspected Chinese cyber-espionage unit thought to be connected to the Ministry of State Security.)
Intelligence analysts contend the Chinese government began outsourcing cyber-espionage work to nondescript companies after a 2014 agreement in which the U.S. and China agreed to not sponsor any malicious cyber activity for economic gain.
“In China not all of these companies are ‘front companies’ in the strict sense that they were established by intelligence agencies to hide their involvement,” Timo Steffens, a researcher and the author of “Attribution of Advanced Persistent Threats,” said in a Twitter message.
“The APT landscape in China is run in a ‘whole country’ approach, leveraging skills from universities, individual, and private and public sectors,” he said. “So some of the smaller companies might just be a way for individual hackers to band together and be eligible for government contracts.”
Publication of the indictment against the alleged Chinese hackers came one day before the Treasury Department imposed sanctions against 45 people it says were associated with an Iranian hacking group, and tech firms they allegedly used for their work. State-sponsored hackers used the Rana Intelligence Computing Company to target Iranian dissidents, journalists and global travel companies, Treasury said.
The FBI has since publicized eight sets of malware connected to Rana, though the bureau also linked open-source penetration testing tools like Metasploit and Mimikatz to the group. Legitimate pen-test firms use the same tools.
Phishing messages published in a September FBI alert demonstrate that Rana hackers also tried tricking would-be victims into downloading malware by directing email recipients to download a new software meant to help track satellites.
A less than proud history of similar hacks
Tactics allegedly used by Chengdu 404 and the Rana tech firm come years after FIN7, a notorious cybercrime gang, used the “Combi Security” name to recruit new members. The group reportedly stole more than $1 billion from international victims, including targeting more than 100 companies in the U.S.
U.S. prosecutors say three Ukrainian men arrested in 2018 claimed to operate Combi Security as a legitimate penetration testing firm. Instead of actually carrying out tests, though, the company hacked point-of-sale terminals, stole credit card information and breached major American restaurant and retail chains.
An indictment against FIN7’s former IT administrator, Fedir Hladyr, included allegations that he oversaw project tracking tools meant to provide status updates about various “company” efforts. Instead of demanding that subordinates meet sales goals, though, Hladyr instructed subordinates to add malicious code, stolen payment data and screenshots from breached companies. (He pleaded guilty in 2019.)
Not all of the Combi Security’s employees seemed to know they actually were helping a prolific group of scammers, security researchers say now. Firms including FireEye and Kaspersky have found archived job listings associated with Combi Security. It’s a tactic that would have allowed Combi Security to tap into a pool of cyber talent that otherwise would be reserved for legitimate companies, said Kimberly Goody, a senior manager of cybercrime analysis at FireEye.
“Criminals need more operators to deploy tools against more victims,” she said. “They can use university students, or the foreign equivalents of LinkedIn or Indeed, and they can look for people who have posted for resumes. Then they can make them believe they are working for a legitimate company, and maybe pay them more money along the way.”
Sean Lyngaas contributed reporting.