Depending on who you ask, Russia and China are considered the top two espionage threats to the United States. China gets more media attention as an 'APT' threat, but this is only because China keeps getting caught with its hand in the cookie jar. In our own investigations, we still catch China more than any other country. Part of this might be the relative ease with which Chinese APT can be detected. As we have stated in numerous forums, detecting lateral movement is game-set-match for detecting Chinese APT. But China is not the only player.
We are investigating an increasing number of economic-espionage cases. In these cases, we are uncovering attackers from several countries other than China. Of particular note, Russia seems to be next in line for APT-like economic espionage, and Russian APT attacks seem much more technically advanced. Whether this is influenced by a long history and culture of malware development is unclear.
Russian APT contrasts sharply with Chinese attacks. As we have pointed out before, Chinese APT hides in plain sight. Their backdoors are simple in nature, doing only the minimum of command-and-control required to maintain remote persistent access. Once access to the network is gained, Chinese APT activity is largely about lateral movement, use of command-line tools, and passing of credentials. Russian APT, on the other hand, clearly involves skilled malware development. Russian remote access tools have all of their capabilities hard-coded internally; there are no external, third-party tools. For example, password hash-dumping is performed by an internal function, so a pass-the-hash toolkit is not required. The command-and-control is also more complex and richly featured. The malware is a one-stop shop of capability in the network. This shows a significantly different style between Chinese and Russian groups.
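The post's point that lateral movement and credential passing are the detectable signature of the Chinese style is easiest to see against actual logon telemetry. The following is an added example, not code from the original post: it parses a handful of constructed Windows Security 4624 logon records and flags any account-plus-source-host pair whose network (type 3) logons fan out to many distinct servers within a short window, counting only NTLM logons by default because a passed hash is replayed over NTLM rather than Kerberos. The record layout, host names, thresholds and the `find_lateral_movement` function are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the original post): Windows
# Security 4624 logon events flattened to one pipe-separated record each:
# timestamp|event_id|logon_type|auth_package|account|source_host|target_host
SAMPLE_EVENTS = """\
2011-11-02T09:14:05|4624|3|NTLM|corp\\jdoe|WS-0141|FS-02
2011-11-02T09:14:09|4624|3|NTLM|corp\\jdoe|WS-0141|HR-DB01
2011-11-02T09:14:12|4624|3|NTLM|corp\\jdoe|WS-0141|ENG-SRV3
2011-11-02T09:14:20|4624|3|NTLM|corp\\jdoe|WS-0141|BACKUP-01
2011-11-02T09:14:31|4624|3|NTLM|corp\\jdoe|WS-0141|DC-02
2011-11-02T09:14:40|4624|3|NTLM|corp\\jdoe|WS-0141|FIN-APP1
2011-11-02T09:30:00|4624|3|Kerberos|corp\\asmith|WS-0207|FS-02
2011-11-02T10:05:13|4624|2|Negotiate|corp\\asmith|WS-0207|WS-0207
2011-11-02T11:00:00|4624|3|Kerberos|corp\\svc-backup|BACKUP-01|FS-02
2011-11-02T11:00:05|4624|3|Kerberos|corp\\svc-backup|BACKUP-01|HR-DB01
"""


def parse_events(text):
    """Parse the flattened records into dicts with a real datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, auth_pkg, account, src, dst = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "auth_pkg": auth_pkg,
            "account": account,
            "src": src,
            "dst": dst,
        })
    return events


def find_lateral_movement(events, window=timedelta(minutes=10), min_hosts=5,
                          require_ntlm=True):
    """
    Flag (account, source host) pairs whose network logons (type 3) reach at
    least `min_hosts` distinct target hosts inside any `window`-long interval.
    With require_ntlm=True only NTLM logons count: a passed hash can only be
    replayed over NTLM, while Kerberos fan-out from a service account is
    normal. The thresholds are assumptions; tune them to the site's baseline.
    """
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] != 3:
            continue
        if require_ntlm and ev["auth_pkg"] != "NTLM":
            continue
        by_source[(ev["account"], ev["src"])].append(ev)

    hits = []
    for (account, src), evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        best_count, best_start, best_targets = 0, None, []
        # Sliding window: from each logon, collect distinct targets reached
        # before the window closes and keep the densest burst.
        for i, start in enumerate(evs):
            targets = set()
            for ev in evs[i:]:
                if ev["time"] - start["time"] > window:
                    break
                targets.add(ev["dst"])
            if len(targets) > best_count:
                best_count, best_start = len(targets), start["time"]
                best_targets = sorted(targets)
        if best_count >= min_hosts:
            hits.append({
                "account": account,
                "src_host": src,
                "distinct_hosts": best_count,
                "window_start": best_start,
                "targets": best_targets,
            })
    hits.sort(key=lambda h: -h["distinct_hosts"])
    return hits


if __name__ == "__main__":
    for hit in find_lateral_movement(parse_events(SAMPLE_EVENTS)):
        print(f"{hit['account']} from {hit['src_host']}: "
              f"{hit['distinct_hosts']} hosts starting {hit['window_start']}: "
              f"{', '.join(hit['targets'])}")
```

On the constructed data only `corp\jdoe` is flagged: one workstation authenticating over NTLM to six different servers in under a minute, which is the credential-passing, command-line-driven pattern the post describes. The backup service account reaching two hosts over Kerberos is the kind of legitimate fan-out the NTLM filter and the host threshold are there to leave alone.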
Of course, this cannot be a hard-and-fast rule for attribution. But it is something we are witnessing, and it is prudent to raise the alarm regarding advanced malware tactics. The threat may be evolving because simple APT tactics are easy to detect. Large corporations are certainly taking notice of the APT problem now, and just taking the time to look will likely uncover an attack. Some of the most advanced malware stealth techniques have emerged from the Russian underground. It is likely that these techniques will continue to be disseminated to the international malware development community, including those who participate in APT attacks.
It seems the cat is out of the bag with respect to APT. Cyberattacks are just too easy, and a state-level capability can be put together on a modest budget. We expect an increasing number of attacks of a more sophisticated nature over the next few years.
Nov 2011 - NCIX: Foreign Spies Stealing US Economic Secrets in Cyberspace
"Chinese actors are the world’s most active and persistent perpetrators of economic espionage....Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets....We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace."