Law firms are among Australian businesses being targeted by at least 13 Chinese advanced malware groups in a bid to steal intelligence from big business, says forensics bod and Mandiant man Mark Goudie.
The attacks are well planned and rely on a combination of stealth and persistence in order to extract any and all valuable corporate data.
The local Mandiant director presented findings at the Australian Information Security Association conference last week and said one unnamed Aussie firm had been thoroughly owned.
"The property manager was used as a way to get the data about a business deal (merger and acquisition)," Goudie told Vulture South.
"The law firms are data aggregators and are being targeted too - anything that goes through a lawyer is obviously of interest to a deal.
"Law firms tend to operate in verticals as do advanced persistent threat (APT) groups, so it makes a lot of sense when you think about it."
Forensics teams don't stick around after they have extracted the evidence, so Goudie was not sure what the attackers did with the stolen information or how it subsequently affected the business.
The attack was one of many perpetrated by at least 13 separate Beijing-backed hacking groups directly targeting Australian businesses, Goudie said.
In another recent hack, a victim organisation had more than half of its 200 machines compromised as attackers crawled laterally through the network in a successful bid to exfiltrate any and all valuable financial and sensitive data.
"The APT groups are a lot more surgical in what they do - they go after specific data and try to make as little noise as possible," he said.
His malware fondling counterparts at FireEye, which owns Mandiant, analysed some impressive APT custom code only to highlight blistering failures that had undone the vxers' effort.
PhishMe senior researcher Ronnie Tokazowski said at the time APT writers could do well by chatting to crimeware authors about their obfuscation tricks in exchange for advice on building better payloads. ®