Vulnerabilities / Threats //

Advanced Threats

06:25 PM
Connect Directly

Chinese Nation-State Hackers Give Up Attack Campaign

It worked on Hurricane Panda. Can APT30 and other organized cyberespionage groups also be convinced that an attack campaign isn't worth the trouble?

Can highly motivated, well-financed, well-organized nation-state cyber attackers working in shifts be persuaded to abandon a long-running attack campaign against a single target? CrowdStrike has new evidence to suggest the answer is yes. And that's heartening news, when viewed alongside the sobering report released by FireEye yesterday about APT30, a cyberespionage group that's been active in South-East Asia for over 10 years.

Hurricane Panda Backs Off  

Last April, CrowdStrike was called in to a company that had been thoroughly infiltrated by Hurricane Panda, a well-organized, China-based attack group CrowdStrike has been tracking since 2013. By June, they had completed remediation efforts and entirely ousted Hurricane Panda.

Within hours, the attackers were trying to regain access to the target company.

"What we noticed was they didn't give up," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "They kept trying to come back. We were witnessing daily activities." 

Day after day, for four months, the attackers tried to get back in, by using their preferred method of initial compromise: the China Chopper webshell, a small 70-byte text file that provides attackers full command execution and file upload/download capabilities, thereby opening a door for credential theft. The CrowdStrike tool could detect this "indicator of attack" and shut down the process before the compromise could occur.

After four futile months of this, the Hurricane Panda attackers upped their game.

They tried to compromise the organization by exploiting a Windows kernel zero-day vulnerability, which Alperovitch describes as "fairly rare and very, very expensive." Such a vulnerability might only appear on the black market a few times a year, and cost tens of thousands of dollars.

CrowdStrike stopped the attack and spotted the vulnerability. They reported the vulnerability to Microsoft, which patched it. Now, that pricey vulnerability won't be useful to Hurricane Panda, against that client or anyone else with their Windows patches up to date.

At that point, in October, Hurricane Panda ceased their attempts to compromise the organization. 

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

In December, CrowdStrike was called in to another organization, on another Hurricane Panda intrusion. After one month of a similar scenario -- being ousted from the target, and having repeated attempts to regain access be repelled -- the attackers again used a webshell, but for a different purpose. It executed a command to check if CrowdStrike was loaded in memory.

When it found it was, the attackers abandoned their siege of that target as well.

"This is the first time we're seeing a group like this stopping and giving way," says Alperovitch. "They have a job to do."

Alperovitch does not believe that these two incidents can, alone, be considered a trend. However he does find it encouraging that people running cyberespionage organizations can be deterred -- that they are doing cost-benefit analyses and deciding some attack campaigns aren't worth the effort.

Further, he says, these cases show the value of watching for the indicators of attack -- not just the indicators of compromise -- and watching for suspicious intent behind a user's actions -- not just watching for the users you already know are malicious.

What Will APT30 Do Next?

Yesterday, FireEye released a report detailing the extraordinarily orderly operations of APT30, an attack group that's been around for over 10 years, and uses a custom malware suite better developed and better managed than any enterprise software you have.

Jen Weedon, FireEye's manager of threat intelligence, says they're impressed by APT30's professionalism, persistent focus on a particular region, and the fact that it's operated unabated and with so little change for over a decade. 

APT30 is a cyberespionage group that appears to be a nation-state funded actor in China, that goes after targets in Southeast Asia, whether they be in government or commercial organizations, and have done for over a decade. Operators work in shifts and can formally prioritize certain targets over others and add notes to victim profiles -- like they would in a well-run telemarketing call center. 

APT30 registers their own domains for command-and-control servers, and some of those domains have been in use for many years. They've "chosen to invest in the long-term refinement and development of what appear to be a dedicated set of tools," according to FireEye's report, including droppers, downloaders, and backdoors that can steal data from air-gapped machines, go into stealth mode, and maintain persistence through a variety of other methods. Weedon says APT30 were going after air-gapped machines before other China-based groups were.

Through command-and-control communications, APT30 regularly updates the malware, so that only the most recent version is running on the victim system at the time.

Weedon partly credits APT30's business-like approach for their uncommon success, but also acknowledges that the targets' defenses in that region may continue to be particularly weak. 

Could APT30 be deterred in the same way that Hurricane Panda was? "Part of the answer comes back to who their ultimate sponsor is," says Weedon. "They have a mandate...It depends on what their exact requirements are."

She says that if they couldn't go after a target directly, they may go after them indirectly. APT30 is very successful at tailoring phishing messages to exploit trusted relationships and to make them related to geo-political events that will lure the kind of targets they want.

What is clear, is that APT30 is in it for the long haul. From the report:

This dedication to adapting and modifying tools over a number of years, as opposed to discarding old tools in favor of newer, readily available ones, implies that APT30 has a long-term mission, and that their mission is consistent enough for their existing tools to be sufficient to support their operations over a long period of time.

"I'm looking foward to seeing how they adapt," in response to being outed by the FireEye report, says Weedon. "They're probably going to burn all the infrastructure. They'll probably try to change their malware in some significant way...but we'll pick it up again before long."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/15/2015 | 9:24:56 AM
Man these guys sound just like the NSA, oh wait.
User Rank: Ninja
4/14/2015 | 9:42:13 AM
The silence could be the indicator of future, or newer, activity.
Excellent article. 

But one has to wonder if the perpetrators behind APT30 really did "give up".

Just because the guardian controls are not seeing new activity doesn't mean the bad guys are done. 
They may just be waiting for the dust to settle (complacency to set in) or they are already inside the walls, but using a different (new) APT methodology that the guardian controls are not familiar with.

Time will tell...
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-04-20
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
PUBLISHED: 2019-04-20
Cross-site scripting (XSS) vulnerability in display.php in I, Librarian 4.10 allows remote attackers to inject arbitrary web script or HTML via the project parameter.
PUBLISHED: 2019-04-19
SV_SteamAuthClient in various Activision Infinity Ward Call of Duty games before 2015-08-11 is missing a size check when reading authBlob data into a buffer, which allows one to execute code on the remote target machine when sending a steam authentication request. This affects Call of Duty: Modern W...
PUBLISHED: 2019-04-19
The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices ...
PUBLISHED: 2019-04-19
CloudBees Jenkins Operations Center, when an expired trial license exists, allows Cleartext Password Storage and Retrieval via the proxy configuration page.