Black Hat: Cyber-espionage operations vast yet highly focused, researcher claims

25.07.2012

Stewart says he thinks two of the largest groups involved in cyber-espionage that "share a large infrastructure" are coming out of China. But China is hardly alone, as the U.S. and Israel are also being tied to cyber-espionage. And there's also the growing sense that it's not just "government-backed actors" conducting cyber-espionage.

"As it becomes increasingly revealed that more and more governments are involved in cyber-espionage and cyber-sabotage, it has the effect of legitimizing this type of activity for certain private companies," says Stewart in his "Chasing APT" report. "Other research we have conducted has uncovered a sizable cyber-espionage operation carried out by a private computer security company in an Asian country (not China) against a foreign military, presumably on behalf of the government of the country in which that company resides. This type of outsourcing of offensive hacking to contractors is to be expected given that the market demand for such skills often precludes governments from possessing that talent for very long -- however, we have discovered the scope of that company's operations also extend to using backdoors and spear-phishing to spy on companies in the U.S. and Europe, and even journalists in the same country. Ironically, this same company offers ethical hacking courses as part of their services lineup."

Dell SecureWorks isn't naming this company, but in the "Chasing APT" paper Stewart points out that "companies found to engage in this kind of activity will likely have a difficult time maintaining trusted relationships with ethical security companies and security researchers who disavow such actions against civilian targets. This will make it harder for these companies to (legally) obtain real-time cyber threat intelligence, ultimately damaging both their reputation and their ability to defend their clients' networks from attacks."

In terms of its technical analysis of APTs, SecureWorks believes that along with the 200 unique families of custom malware used in cyber-espionage intrusions, there appear to be more than 1,100 domain names registered by cyber-espionage actors for use in hosting malware command-and-control or spear-phishing, and nearly 20,000 subdomains as well for purposes such as "malware C2 resolution."

But unlike other types of criminal botnets that "can contain millions of infected computers," cyber-espionage is far more focused, with "tens of thousands of infected computers spread across hundreds of botnets, each of which may only control a few to a few hundred computers at a time," the Dell SecureWorks report concludes.