Trend Micro chief technology officer Raimund Genes has warned that businesses' concern about state-sponsored attacks is blinding them to the larger threat posed by Russian cyber crooks.
Genes told V3 that the tit-for-tat accusations between nations about who hacked who is hampering security vendors' ability to help combat cyber crime.
"When I see a lot of stuff like the Mandiant report blaming the Chinese, I have to agree that the Chinese do dabble with corporate espionage but do you not think that the Americans do it as well? Do you not think the Russians do it?" said Genes (pictured left).
"I'm more concerned about the Russians. They perfected cybercrime a long time ago and have the dangerous guys for hire. You see more in Eastern Europe than you see in China, they perfected the model quite a while ago and the most sophisticated attack code we're seeing is coming out of Russia."
The Mandiant report was a released earlier in 2013. It claimed to have uncovered evidence linking two Advanced Persistent Threats (APT) campaigns to a Chinese military unit.
The report re-sparked the ongoing spat between the Chinese and American governments.
Genes said that the high interest around nation state hacking and the threat posed by APT has distracted businesses from the threat posed by criminals.
"I hate the term APT. Last week I was in RSA and everyone was ranting ‘APT this' and ‘APT that. The fact is a lot of the stuff we're seeing is not advanced. Stuxnet was advanced but it wasn't targeted, because it was spreading way too widely," said Genes.
"We know it was spreading everywhere. If it had only triggered when it was in a centrifuge system in Iran then it would be a different story. It's the same with all this Red October nonsense, if it's good you don't see it."
The Trend Micro CTO said that many criminals customised versions of existing tools to mount their targeted attacks, making them cheap to develop and difficult to detect.
"The funny thing is that very often the attack is targeted, but the attackers uses a variant of an existing attack tool. For example they'll use something like Poison Ivy with a remote access Trojan developed in the Russian underground or somewhere. He'll then use a crypto to ensure it's not detected," said Genes.
"He then scripts it so that it only triggers if it sees a specific employee name or document on the company network and then it actually gets persistent within the environment, making lateral movements to find its target.
"You don't see it because if it's targeted then I ensure that my payload only triggers in the network or area it wants to."