Novetta leads Cyber Security Coalition and coordinates malware interdictions

Novetta Solutions, LLC, a provider of advanced analytics technology solutions, announced on October 14 that it will lead a cyber security coalition formed to interdict malware used by advanced threat groups.

In July, Novetta selected strategic cyber security industry partners, including Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Symantec, Tenable, ThreatConnect, ThreatTrack Security, Volexity and other industry leaders, to participate in the coalition. The objective of the coalition is to use partner capabilities for large-scale, coordinated detection and remediation of malware in order to reduce the adverse impact of professional cyber espionage groups and other threat actors.

Novetta strategically teamed with the security industry leaders to execute coordinated, effective remediation and disruption of activities tied to several families of malware used by advanced threat actor groups across the globe. The effort was originally focused on the HiKit family of malware, with plans to expand to other tools used by a particular threat actor group.

The coalition’s efforts were tied to Microsoft’s Malicious Software Removal Tool (MSRT) and other coalition signature and product updates to be released on October 14, 2014. A comprehensive report covering this family of malware, as well as technical details and additional insight into attribution, will be released by the coalition on October 28.

The targeted threat actor group under this effort has designed and used several tools and techniques that focus on remaining undetected by security researchers and law enforcement authorities while allowing attackers to quickly compromise and expand within targeted networks. The observed targets of these attacks are large public network infrastructure providers, holders of extensive IP portfolios, and government entities from various countries in Asia and the United States.

Technical details to be released in the comprehensive report, as well as the executive summary, indicate that this threat actor group operates out of China. Its motives appear to be oriented toward large-scale technology theft and intelligence gathering.

“We felt it was important to take action proactively in coordination with our coalition security industry partners. The cumulative effect of such coordinated approaches could prove quite disruptive to the adversaries in question and mitigate some of the threat activity that plagues the joint customer base of this coalition,” said Novetta CEO Peter LaMontagne. “Novetta’s unique capabilities are centered around years of experience in identifying, tracking, reverse engineering, and creating network-based detection and decoding of threats that are typically considered the high end of the threat actor spectrum.”

Novetta stated that it wanted to ensure the public was made aware both of this targeted threat actor group and that the coalition is taking every step to remediate the threat through coordinated analysis, distribution of information, and coordinated action with its trusted industry partners.

This initiative is one of the first efforts under the Microsoft-supported Coordinated Malware Eradication (CME) program, which aims to bring organizations in cyber security and other industries together to change the game against malware.

This initiative, led and coordinated by Novetta, seeks to go beyond reporting of malware and put into action tools and an approach that will better protect coalition customers. To date, the operation has acquired an extensive set of malware samples associated with this actor group, constructed an in-depth knowledge base of the malware family and associated tool chain, and has begun shipping developed signatures and remediation recommendations to industry partners for internal and external consumption and use. This coordinated effort provides a broader view of, and access to, more data than if the work had been undertaken by any one partner alone. “This is akin to an ‘open source software’ approach for cyber threat mitigation—the adversaries share and retool their malware. We need to do the same on the defensive side,” commented LaMontagne.

Novetta and its partners have published several preliminary triage reports outlining this Advanced Persistent Threat group and several of the malware families it uses, and plan to release a comprehensive technical report by October 28. That technical report will include a high-level overview of the threat actor group, some of the industries it targeted, and an overview of the malware families it used and their capabilities. In addition, the report will include an in-depth review of the group’s Tactics, Techniques, and Procedures (TTPs) and an assessment of who the coalition believes the group could be, based on this larger narrative. As a result of this effort, Novetta and its coalition partners encourage other security vendors not just to analyze and report on these types of threats, but also to work within industry circles to share their finished and raw technical analysis with those in the industry who are able and willing to take action.