FireEye Releases Report Revealing A Possible Malware “Cyber Arms Dealer”

New Report, “Supply Chain Analysis: From Quartermaster to Sunshop,” Explains How Malware Attackers May Employ a Common Development and Logistics Center

FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today's advanced cyber attacks, today announced the release of a new report, Supply Chain Analysis: From Quartermaster to Sunshop. The report details how many seemingly unrelated cyber attacks may, in fact, be part of a broader offensive fueled by a shared development and logistics infrastructure — a finding that suggests some targets are facing a more organized menace than they realize.

“Our research points to centralized planning and development by one or more advanced persistent threat (APT) actors” said Darien Kindlund, manager of threat intelligence at FireEye. “Malware clearly remains a desired cyber weapon of choice. Streamlining development makes financial sense for attackers, so the findings may imply a bigger trend towards industrialization that achieves an economy of scale.”

The report examines 11 APT campaigns targeting a wide swath of industries. Though they appeared unrelated at first, further investigation uncovered several key links between them: the same malware tools, the same elements of code, binaries with the same timestamps, and signed binaries with the same digital certificates.

This report focuses on two key findings:

  1. Shared Development and Logistics: Examining the 11 APT campaigns revealed a shared development and logistics operation used to support several APT actors in distinct but overlapping campaigns. This development and logistics operation is best described as a “digital quartermaster.” Its mission: supply and maintain malware tools and weapons to support cyber espionage. This digital quartermaster also might be a cyber arms dealer, a common supplier of tools used to conduct attacks and establish footholds in targeted systems.
  2. Shared Builder Tool: FireEye researchers located a builder tool likely used in some of the 11 APT campaigns. The dialogues and menu options in the builder tool were in Chinese, indicating that it may have been created and used by Chinese speakers.

“Like traditional conflict, cyber warfare will continually evolve and change through innovation,” said FireEye CEO David DeWalt. “Not surprisingly, attackers are adopting an industrialized approach. The best hope for those playing defense is a community-based approach that not only monitors advances in cyber attacks, but also propagates information to help mitigate the new threats.”

About FireEye, Inc.

FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 1,300 customers across more than 40 countries, including over 100 of the Fortune 500.

Media Contact

Bill Bode

Highwire PR

415-963-4174 x49


# # #

© 2013 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.