When US security experts started looking into some of the highest profile hacks in recent years – one particular criminal group kept on coming to their attention.The Comment Group, which industry insiders say is based in China, offer hacking for hire – be it for individuals, corporations or governments.
It got its name from what was once its trademark technique – implanting links to malicious malware within the comments sections of popular websites.
But more recently, the Comment Group has become known for being particularly adept in one other important discipline of hacking: straightforward research.
It is an approach that has been devastatingly effective.
The group has been credited as being behind a vast range of attacks – everything from gaining access to user accounts at the EU to, according to Bloomberg, targeting a nuclear power plant that was situated near to a fault line.
In a document published by Wikileaks, the US government regarded the Comment Group – which it referred to as Byzantine Candor – as being one of the most serious of all hacking threats originating from China.
Last month’s revelation by the New York Times that it had been hacked bore many of the Comment Group’s hallmarks.
It happened, the newspaper said, just as journalists were planning a major piece on the former Chinese premier, Wen Jiabao.
When you hear someone describing the Comment Group, it sounds like almost like any other firm, with groups of employees all assigned to different crucial bits of the business.
But it’s in the research department where the Comment Group really stands out.
“They’re looking really for any snippets of information that will give them and initial foothold in their target organisation,” explained David Emm, a senior researcher for Kaspersky Lab.
“Now instantly that puts in the frame anybody in an organisation who is publicly facing – because they’re the ones who tend to generate more snippets of information out there.”
Mr Emm said that the real skill in all this is to make messages as natural and authentic as possible, with real-world cues to suck in the victim.
“We all face spam, but if an email doesn’t look like a routine piece of spam, but it looks like from say John in the IT department and he’s doing a random check, I’m more likely to respond to it.”
Mr Emm also detailed another disturbing tactic utilised by the Comment Group, and others, which is very hard to defend against.
“It is known as waterholing,” he explained. “Which basically involves trying to second guess where the employees of the business might actually go on the web.
“If you can compromise a website they’re likely to go to, hide some malware on there, then whether someone goes to that site, that malware will then install on that person’s system.”
These sites could be anything from the website of an employee’s child’s school – or even a page showing league tables for the corporate five-a-side football team.
“If that’s known, they’re known to be in a league in a particular region, then an attacker can compromise a website they visit about that.”
With such intricate attack strategies, it poses as huge problem for companies trying to defend themselves from harm.
Mr Emm said he believed that more needs to be done to show employees how to be diligent.
“It’s not like training – it’s more akin to how we educate our children about crossing the road or staying safe. You don’t want them to always approach crossing the road with the same routine.”
“You want to actually have a road safety mindset which makes them think about roads coming in different shapes and sizes – but actually they’re aware of what to look for. It’s the same with security.”