Persistent Threat Attacks Traced to Chinese Servers

A security researcher reported a flaw in advanced persistent threat (APT) attempts used to steal intellectual property in recent high-profile breaches.

Joe Stewart, director of malware research at the Dell SecureWorks counter threat unit, has exposed the apparent home IP addresses of of the attackers' command and control servers, saying that "they point to a few networks, and they are all in China."

Stewart released his findings on Aug. 3 at the Black Hat security event. He discovered that a tool used to redirect traffic from infected computers to command and control servers sometimes returned an error message that revealed the final IP address of the server. The malware included variants of the malicious code believed to have been used in the breach of RSA Security in March.

In one sense, the research says little new about the attacks, which many experts have assumed originated in China.

"The where doesn't give us the who," Stewart said. But the findings do make it harder for Chinese officials to discount claims that the malicious activity is based in that country, and the error message is a signature that organizations can use to check systems for infections by APTs.

Stewart said network administrators will likely fix the flaw that outs the IP addresses now that the SecureWorks counter threat unit's work has been reported. "It is our hope that every institution potentially impacted by APT activity will make haste to search out signs of this activity for themselves before the window of opportunity closes," he wrote in the report.

APTs are a class of malicious code intended to quietly infect systems and remain undetected while stealing sensitive and valuable information. In the past two years, a number of high-profile breaches have resulted in the theft of potentially large amounts of information. The malware typically connects to command and control servers for instructions and to upload data, and the connections usually are routed through intermediate servers to hide their location and identity.

In the course of analyzing patterns of activity for some known APTs, Stewart discovered that if the command and control server was unavailable, the software used to redirect the traffic would sometimes return an error message to the infected client. He identified the bouncer tool being used, called Htrain, written by a well-known Chinese hacker.

He scanned a list of 1,000 IP addresses known to be used by APTs to see if any would return the tell-tale messages.

"Several did," Stewart said. "More than I expected." They revealed a short list of Chinese networks that appear to host the command and control servers.

It is not 100 percent certain that the Chinese IP addresses are the final destination for the traffic. But because they are clustered in a small number of networks and someone took the trouble to hide the addresses, the odds are good that they are the final addresses, Stewart said.

"We found something they didn't expect us to have," he said. "Somebody tried to hide the fact that they were in China, and they failed."

About the Author

William Jackson is the senior writer for Government Computer News (


  • Microsoft Buys Orions Systems To Enhance Vision AI Capabilities in Dynamics 365

    Microsoft announced on Tuesday that it has acquired Orions Systems with the aim of enhancing Dynamics 365 capabilities, as well as the Microsoft Power Platform.

  • Microsoft Hires Movial To Build Android OS for Microsoft Devices

    Microsoft has hired the Romanian operations of software engineering and design services company Movial to develop an Android-based operating system solution for the Microsoft Devices business segment.

  • Microsoft Ending Workflows for SharePoint 2010 Online Next Month

    Microsoft on Monday gave notice that it will be ending support this year for the "workflows" component of SharePoint 2010 Online, as well as deprecating that component for SharePoint 2013 Online.

  • Why Windows Phone Is Dead, But Not Completely Gone

    Don't call it a comeback (because that's not likely). But as Brien explains, there are three ways that today's smartphone market leaves the door open for Microsoft to bring Windows back to smartphones.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.