Advanced Threats

4/13/2015
06:25 PM
Chinese Nation-State Hackers Give Up Attack Campaign

It worked on Hurricane Panda. Can APT30 and other organized cyberespionage groups also be convinced that an attack campaign isn't worth the trouble?

Can highly motivated, well-financed, well-organized nation-state cyber attackers working in shifts be persuaded to abandon a long-running attack campaign against a single target? CrowdStrike has new evidence to suggest the answer is yes. And that's heartening news, when viewed alongside the sobering report released by FireEye yesterday about APT30, a cyberespionage group that's been active in Southeast Asia for over 10 years.

Hurricane Panda Backs Off

Last April, CrowdStrike was called in to a company that had been thoroughly infiltrated by Hurricane Panda, a well-organized, China-based attack group CrowdStrike has been tracking since 2013. By June, they had completed remediation efforts and entirely ousted Hurricane Panda.

Within hours, the attackers were trying to regain access to the target company.

"What we noticed was they didn't give up," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "They kept trying to come back. We were witnessing daily activities." 

Day after day, for four months, the attackers tried to get back in, by using their preferred method of initial compromise: the China Chopper webshell, a small 70-byte text file that provides attackers full command execution and file upload/download capabilities, thereby opening a door for credential theft. The CrowdStrike tool could detect this "indicator of attack" and shut down the process before the compromise could occur.

After four futile months of this, the Hurricane Panda attackers upped their game.

They tried to compromise the organization by exploiting a Windows kernel zero-day vulnerability, which Alperovitch describes as "fairly rare and very, very expensive." Such a vulnerability might only appear on the black market a few times a year, and cost tens of thousands of dollars.

CrowdStrike stopped the attack and spotted the vulnerability. They reported the vulnerability to Microsoft, which patched it. Now, that pricey vulnerability won't be useful to Hurricane Panda, against that client or anyone else with their Windows patches up to date.

At that point, in October, Hurricane Panda ceased their attempts to compromise the organization. 


In December, CrowdStrike was called in to another organization, on another Hurricane Panda intrusion. After one month of a similar scenario -- being ousted from the target, and having repeated attempts to regain access be repelled -- the attackers again used a webshell, but for a different purpose. It executed a command to check if CrowdStrike was loaded in memory.

When it found it was, the attackers abandoned their siege of that target as well.

"This is the first time we're seeing a group like this stopping and giving way," says Alperovitch. "They have a job to do."

Alperovitch does not believe that these two incidents can, alone, be considered a trend. However, he does find it encouraging that the people running cyberespionage organizations can be deterred -- that they are doing cost-benefit analyses and deciding some attack campaigns aren't worth the effort.

Further, he says, these cases show the value of watching for the indicators of attack -- not just the indicators of compromise -- and watching for suspicious intent behind a user's actions -- not just watching for the users you already know are malicious.
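As an added illustration (not code from CrowdStrike, FireEye or the article), the following Python models the distinction Alperovitch draws: rather than matching the webshell's file hash, it flags the behaviour a webshell produces, a web server worker process spawning a command shell, and within that the kind of process check described above. The log format, process names and sample records are constructed assumptions.

```python
"""Indicator-of-attack check over process-creation events.

Added example, not CrowdStrike's or FireEye's code. A webshell gives
the attacker command execution on the web server, so the telltale
sign is not a known-bad file hash (indicator of compromise) but a web
server worker process spawning a command interpreter (indicator of
attack), here also used to enumerate running processes. Log format,
process names and records below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed, Sysmon-style process-creation records (parent -> child).
SAMPLE_EVENTS = [
    "ts=2014-07-01T02:13:55Z host=web01 parent=w3wp.exe child=cmd.exe cmdline='cmd.exe /c type web.config'",
    "ts=2014-07-01T02:14:02Z host=web01 parent=w3wp.exe child=cmd.exe cmdline='cmd.exe /c tasklist'",
    "ts=2014-07-01T02:20:10Z host=web01 parent=services.exe child=svchost.exe cmdline='svchost.exe -k netsvcs'",
    "ts=2014-07-01T03:01:44Z host=web02 parent=explorer.exe child=cmd.exe cmdline='cmd.exe'",
]

# Assumed web server worker processes; a shell they spawn is suspect.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Commands used to learn what is running on the host (e.g. looking for a security agent).
RECON = {"tasklist", "wmic"}

EVENT_RE = re.compile(r"host=(\S+) parent=(\S+) child=(\S+) cmdline='([^']*)'")

@dataclass
class Alert:
    host: str
    reason: str
    cmdline: str

def classify(line):
    """Return an Alert for webshell-like behaviour, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None  # unparseable record
    host, parent, child, cmdline = m.groups()
    if parent.lower() not in WEB_WORKERS or child.lower() not in SHELLS:
        return None  # ordinary parent/child relationship
    if any(tok in RECON for tok in cmdline.lower().split()):
        reason = "web worker spawned shell running process reconnaissance"
    else:
        reason = "web worker spawned command shell"
    return Alert(host, reason, cmdline)

def scan(lines):
    # Apply classify() to every record and keep the hits, in order.
    return [a for a in map(classify, lines) if a is not None]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts for host web01 and none for the ordinary service and interactive-shell records, which is the kind of behavioural signal that fires before any malicious file is known.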

What Will APT30 Do Next?

Yesterday, FireEye released a report detailing the extraordinarily orderly operations of APT30, an attack group that's been around for over 10 years, and uses a custom malware suite better developed and better managed than any enterprise software you have.

Jen Weedon, FireEye's manager of threat intelligence, says they're impressed by APT30's professionalism, persistent focus on a particular region, and the fact that it's operated unabated and with so little change for over a decade.

APT30 is a cyberespionage group that appears to be a nation-state-funded actor based in China. It goes after targets in Southeast Asia, in both government and commercial organizations, and has done so for over a decade. Operators work in shifts and can formally prioritize certain targets over others and add notes to victim profiles -- like they would in a well-run telemarketing call center.

APT30 registers their own domains for command-and-control servers, and some of those domains have been in use for many years. They've "chosen to invest in the long-term refinement and development of what appear to be a dedicated set of tools," according to FireEye's report, including droppers, downloaders, and backdoors that can steal data from air-gapped machines, go into stealth mode, and maintain persistence through a variety of other methods. Weedon says APT30 were going after air-gapped machines before other China-based groups were.

Through command-and-control communications, APT30 regularly updates the malware, so that only the most recent version is running on the victim system at the time.

Weedon partly credits APT30's business-like approach for their uncommon success, but also acknowledges that the targets' defenses in that region may continue to be particularly weak.

Could APT30 be deterred in the same way that Hurricane Panda was? "Part of the answer comes back to who their ultimate sponsor is," says Weedon. "They have a mandate...It depends on what their exact requirements are."

She says that if they couldn't go after a target directly, they may go after them indirectly. APT30 is very successful at tailoring phishing messages to exploit trusted relationships and to make them related to geo-political events that will lure the kind of targets they want.

What is clear is that APT30 is in it for the long haul. From the report:

This dedication to adapting and modifying tools over a number of years, as opposed to discarding old tools in favor of newer, readily available ones, implies that APT30 has a long-term mission, and that their mission is consistent enough for their existing tools to be sufficient to support their operations over a long period of time.

"I'm looking forward to seeing how they adapt," in response to being outed by the FireEye report, says Weedon. "They're probably going to burn all the infrastructure. They'll probably try to change their malware in some significant way...but we'll pick it up again before long."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

SgS125, User Rank: Ninja
4/15/2015 | 9:24:56 AM
hmmm
Man these guys sound just like the NSA, oh wait.

aws0513, User Rank: Ninja
4/14/2015 | 9:42:13 AM
The silence could be the indicator of future, or newer, activity.
Excellent article.

But one has to wonder if the perpetrators behind APT30 really did "give up".

Just because the guardian controls are not seeing new activity doesn't mean the bad guys are done.
They may just be waiting for the dust to settle (complacency to set in) or they are already inside the walls, but using a different (new) APT methodology that the guardian controls are not familiar with.

Time will tell...