Reverse Deception: Organized Cyber Threat Counter-Exploitation

Authors: Sean Bodmer
and data theft
Attack origination points: Unknown
Numbers involved in attack: Hundreds of systems and dozens of enterprises
Knowledge source: Online forums where the attacker lurked
Titan Rain

The Titan Rain APT was publicly disclosed in 2005 and is said to have continued for more than three years. It was a series of coordinated attacks against American computer systems that focused primarily on the sectors of industry in which the US government had several sensitive interests. The threat was reported as being of Chinese origin, but to date the true perpetrators remain unknown. Overall, the victims were targeted for their sensitive information. This can be considered a cyber espionage case, although the event was never officially labeled as state-sponsored or corporate espionage.

This APT has been a very regular topic of late, as international corporations and governments point fingers at the People's Republic of China (PRC), accusing some of its citizens of stealing intellectual property for the purpose of societal, military, and/or monetary gain.

The only known pieces of this event are its observables, and once an event of this magnitude and length is discovered, they are the only means of working it. Investigators can learn from the mistakes that enabled the events to occur in the first place. In this case, some of the skills and methods used at various times were enough to allow investigators to determine significant details, which in turn enabled attribution of the threat's motives and intent. The following observables of this event illustrate some of the measurable details used when gauging threats and adversaries.

Titan Rain Observables
Objectives: Espionage
Timeliness: Precise and punctual
Resources: Several years' worth of code and infrastructure development and operations
Risk tolerance: Depending on the objectives at hand
Skills and methods: Ranging from simple to sophisticated
Actions: Theft of sensitive information
Attack origination points: Global IP addresses (purportedly most from Chinese IP space)
Numbers involved in attack: Thousands
Knowledge source: Unknown

Stormworm

The Stormworm event was advanced in its use of peer-to-peer (P2P) command-and-control infrastructure (a network-based configuration for remote operational control of a botnet), and in the precision with which its operators controlled, manipulated, and disrupted specific Internet communications throughout the world. The delivery of the bot agent was not overly advanced, as it relied primarily on the age-old technique of social engineering, via e-mail messages that contained attachments and/or embedded links to malicious exploit sites. This method is still in use today and has been defined as phishing, spear phishing, and whaling.
NOTE

Spear phishing involves sending victims information that is relevant to their professional, organizational, or personal interests. This increases the level of trust the victims assume and makes socially engineered e-mail harder to identify.

The execution and usage of Stormworm proved that the operators and controllers behind this APT were actively monitoring and countering security groups and vendors all around the world. The operators actively attacked the network communications of several security vendors. Other security groups that attempted to infiltrate and shut down the botnet were themselves taken offline for hours to days at a time.

Some industry experts have estimated that at one point during its primary operating period of over three years, this botnet accounted for about 8 percent of all malware running on Microsoft Windows systems around the world. The Stormworm botnet worked across numerous industries and sectors, leading to criminal behaviors such as intellectual property theft, identity fraud, bank fraud, and espionage. In 2007, security experts reported that this botnet was large enough to knock an entire country
