Can highly motivated, well-financed, well-organized nation-state cyber attackers working in shifts be persuaded to abandon a long-running attack campaign against a single target? CrowdStrike has new evidence to suggest the answer is yes. And that's heartening news, when viewed alongside the sobering report released by FireEye yesterday about APT30, a cyberespionage group that's been active in South-East Asia for over 10 years.
Hurricane Panda Backs Off
Last April, CrowdStrike was called in to a company that had been thoroughly infiltrated by Hurricane Panda, a well-organized, China-based attack group CrowdStrike has been tracking since 2013. By June, they had completed remediation efforts and entirely ousted Hurricane Panda.
Within hours, the attackers were trying to regain access to the target company.
"What we noticed was they didn't give up," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "They kept trying to come back. We were witnessing daily activities."
Day after day, for four months, the attackers tried to get back in, by using their preferred method of initial compromise: the China Chopper webshell, a small 70-byte text file that provides attackers full command execution and file upload/download capabilities, thereby opening a door for credential theft. The CrowdStrike tool could detect this "indicator of attack" and shut down the process before the compromise could occur.
After four futile months of this, the Hurricane Panda attackers upped their game.
They tried to compromise the organization by exploiting a Windows kernel zero-day vulnerability, which Alperovitch describes as "fairly rare and very, very expensive." Such a vulnerability might only appear on the black market a few times a year, and cost tens of thousands of dollars.
CrowdStrike stopped the attack and spotted the vulnerability. They reported the vulnerability to Microsoft, which patched it. Now, that pricey vulnerability won't be useful to Hurricane Panda, against that client or anyone else with their Windows patches up to date.
At that point, in October, Hurricane Panda ceased their attempts to compromise the organization.
In December, CrowdStrike was called in to another organization, on another Hurricane Panda intrusion. After one month of a similar scenario -- being ousted from the target, and having repeated attempts to regain access be repelled -- the attackers again used a webshell, but for a different purpose. It executed a command to check if CrowdStrike was loaded in memory.
When it found it was, the attackers abandoned their siege of that target as well.
"This is the first time we're seeing a group like this stopping and giving way," says Alperovitch. "They have a job to do."
Alperovitch does not believe that these two incidents can, alone, be considered a trend. However, he does find it encouraging that people running cyberespionage organizations can be deterred -- that they are doing cost-benefit analyses and deciding some attack campaigns aren't worth the effort.
Further, he says, these cases show the value of watching for the indicators of attack -- not just the indicators of compromise -- and watching for suspicious intent behind a user's actions -- not just watching for the users you already know are malicious.
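The distinction Alperovitch draws between an indicator of compromise (a known-bad file or hash) and an indicator of attack (suspicious behavior, regardless of which tool produced it) can be made concrete with a small detection rule. The following Python is an added example written for this article, not CrowdStrike's code and not any product's logic. It assumes endpoint process-creation telemetry with parent/child links, and it encodes the behavior the article describes: a webshell like China Chopper executes commands through the web server process, so a web-server worker spawning an interactive shell, or a shell under a web server running a discovery command such as a process listing (the way the attackers checked whether CrowdStrike was loaded in memory), is the tell, whatever the webshell file's hash happens to be. The process names and the event log are constructed for the example.

```python
"""Indicator-of-attack detection over constructed process-creation events.

Added example for the article above; not CrowdStrike's or any vendor's code.
Flags web-server workers that spawn shells, and discovery commands run from
a shell that sits under a web server. The sample events are constructed.
"""
from dataclasses import dataclass

# Assumed web server worker images: these normally never spawn a shell.
WEB_SERVER_PROCESSES = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe"}
SHELL_PROCESSES = {"cmd.exe", "powershell.exe", "sh", "bash"}
# Reconnaissance commands an intruder runs after landing, e.g. a process
# listing to see which security tools are loaded.
DISCOVERY_COMMANDS = {"tasklist.exe", "whoami.exe", "net.exe", "systeminfo.exe"}


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # executable name, lower-case
    cmdline: str


def classify(event, by_pid):
    """Return a finding for webshell-style execution, or None if benign."""
    parent = by_pid.get(event.ppid)
    if parent is None:
        return None
    # Direct indicator: a web server worker spawned a shell.
    if parent.image in WEB_SERVER_PROCESSES and event.image in SHELL_PROCESSES:
        return (f"web server {parent.image} (pid {parent.pid}) spawned shell "
                f"{event.image}: {event.cmdline}")
    # Indirect indicator: web server -> shell -> discovery command.
    grandparent = by_pid.get(parent.ppid)
    if (grandparent is not None
            and grandparent.image in WEB_SERVER_PROCESSES
            and parent.image in SHELL_PROCESSES
            and event.image in DISCOVERY_COMMANDS):
        return (f"discovery command {event.image} run via {parent.image} under "
                f"{grandparent.image}: {event.cmdline}")
    return None


def detect(events):
    """Return [(pid, finding), ...] for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}   # lets us walk the process tree upward
    findings = []
    for e in events:
        finding = classify(e, by_pid)
        if finding:
            findings.append((e.pid, finding))
    return findings


# Constructed telemetry: one IIS worker abused through a webshell, one
# interactive user session that runs the same commands legitimately.
SAMPLE_EVENTS = [
    ProcessEvent(100, 4,   "services.exe", "services.exe"),
    ProcessEvent(200, 100, "w3wp.exe",     "w3wp.exe -ap DefaultAppPool"),
    ProcessEvent(300, 200, "cmd.exe",      "cmd.exe /c tasklist"),        # via webshell
    ProcessEvent(301, 300, "tasklist.exe", "tasklist"),                   # recon
    ProcessEvent(400, 100, "w3wp.exe",     "w3wp.exe -ap OtherPool"),     # quiet worker
    ProcessEvent(500, 1,   "explorer.exe", "explorer.exe"),
    ProcessEvent(501, 500, "cmd.exe",      "cmd.exe"),                    # admin's shell
    ProcessEvent(502, 501, "whoami.exe",   "whoami"),                     # benign here
]


if __name__ == "__main__":
    for pid, finding in detect(SAMPLE_EVENTS):
        print(f"[IoA] pid {pid}: {finding}")
```

Run as a script it reports pids 300 and 301 and stays silent on the administrator's interactive shell, because the rule keys on process lineage rather than on the command itself. A real deployment would feed this from EDR or Sysmon-style process-creation events and pair a match with termination of the child process, which is the "shut down the process before the compromise could occur" step the article attributes to CrowdStrike's tool.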
What Will APT30 Do Next?
Yesterday, FireEye released a report detailing the extraordinarily orderly operations of APT30, an attack group that's been around for over 10 years, and uses a custom malware suite better developed and better managed than any enterprise software you have.
Jen Weedon, FireEye's manager of threat intelligence, says they're impressed by APT30's professionalism, persistent focus on a particular region, and the fact that it's operated unabated and with so little change for over a decade.
APT30 is a cyberespionage group that appears to be a nation-state funded actor in China. It goes after targets in Southeast Asia, whether they be government or commercial organizations, and has done so for over a decade. Operators work in shifts and can formally prioritize certain targets over others and add notes to victim profiles -- like they would in a well-run telemarketing call center.
APT30 registers their own domains for command-and-control servers, and some of those domains have been in use for many years. They've "chosen to invest in the long-term refinement and development of what appear to be a dedicated set of tools," according to FireEye's report, including droppers, downloaders, and backdoors that can steal data from air-gapped machines, go into stealth mode, and maintain persistence through a variety of other methods. Weedon says APT30 were going after air-gapped machines before other China-based groups were.
Through command-and-control communications, APT30 regularly updates the malware, so that only the most recent version is running on the victim system at the time.
Weedon partly credits APT30's business-like approach for their uncommon success, but also acknowledges that the targets' defenses in that region may continue to be particularly weak.
Could APT30 be deterred in the same way that Hurricane Panda was? "Part of the answer comes back to who their ultimate sponsor is," says Weedon. "They have a mandate...It depends on what their exact requirements are."
She says that if they couldn't go after a target directly, they may go after them indirectly. APT30 is very successful at tailoring phishing messages to exploit trusted relationships and to make them related to geo-political events that will lure the kind of targets they want.
What is clear is that APT30 is in it for the long haul. From the report:
This dedication to adapting and modifying tools over a number of years, as opposed to discarding old tools in favor of newer, readily available ones, implies that APT30 has a long-term mission, and that their mission is consistent enough for their existing tools to be sufficient to support their operations over a long period of time.
"I'm looking forward to seeing how they adapt," in response to being outed by the FireEye report, says Weedon. "They're probably going to burn all the infrastructure. They'll probably try to change their malware in some significant way...but we'll pick it up again before long."