Cyber Espionage Campaign Reuses Code from China's APT1

US, Canadian organizations in crosshairs of group with apparent links to a Chinese military hacking unit that wreaked havoc several years ago.

Several US organizations appear to be victims of a widespread data reconnaissance campaign involving malware last associated with Comment Crew aka APT1, a Chinese military-linked group that is believed responsible for stealing data from dozens of American companies between 2006 and 2010.

The attack group behind the latest campaign has carried out at least five separate waves of attacks against organizations in various sectors, the latest in June.

Most of the targets have been in South Korea. But security vendor McAfee, which has been tracking the new threat, says its telemetry suggests that multiple organizations within the financial, healthcare, communications, and government sectors in the US and Canada have been hit as well.

McAfee has christened the new campaign Oceansalt based on similarities between its malware and the so-called 'Seasalt' malware associated with the Comment Crew/APT1. McAfee's analysis shows that at least 21% of the code is unique to Seasalt and serves a reconnaissance and control function.

The security vendor says it has been unable to determine how Oceansalt might have obtained access to Seasalt's source code. There's no evidence to suggest that the code was leaked or is available through Dark Web channels. That suggests that the Oceansalt and Comment Crew actors have some sort of a code-sharing arrangement, or that the former has privately gained access to source code from someone belonging to the original Comment Crew.

A third possibility, McAfee says, is that another actor is conducting a false flag operation to make it appear as if the Comment Crew has resurfaced after dropping out of sight about five years ago, following a 2013 Mandiant (now FireEye) exposé on the group. In its exhaustive report, released along with some 3,000 IoCs, Mandiant had linked Comment Crew, or APT1, directly to a covert cyber operation of China's People's Liberation Army called Unit 61398. At the time, the security vendor estimated that APT1 had systematically stolen hundreds of terabytes of data from 141 organizations across 20 industries.

McAfee this week stopped short of directly describing Oceansalt as being either China-sponsored or a reincarnation of Comment Crew/APT1. "While we can’t confirm this is nation state, this resembles nation-state capabilities," says Raj Samani, chief scientist and Fellow at McAfee. 

"[It suggests] that all enterprises are in the line of fire of nation states looking to promote and push their national strategic objectives at the cost of each of us," he says.

Tiny But Mighty Malware

McAfee this week described Oceansalt as malware that is harder to detect than other malicious code because of its minimal 76KB footprint on disk. Oceansalt does not appear to be simply a recompilation of Seasalt but more of an evolution of the original malware, based on certain differences between the two implants.

Oceansalt, for instance, uses an encoding and decoding mechanism before sending data to the control server — a feature that was not present in the original malware. Similarly, the addresses for the control servers are hardcoded in Oceansalt whereas Seasalt parsed the data from its binary, McAfee said in its report.

Oceansalt is designed to capture the IP address, computer name, the file path of the implant, and other system and process details on an infected system and send them to an external server. The malware can be used to delete and write files on disk, open and terminate processes, create, operate and close a reverse shell, and execute other remote commands. The malware, like a lot of malicious software these days, is being distributed via spearphishing emails with Excel and Word attachments.

McAfee says its research shows that the implant itself is a first-stage component that can be used to download other malware components on an infected machine. Data from the control servers that are being used in the campaign shows infected machines in the United States, Canada, Costa Rica, and the Philippines.

Mysterious Mission

The group behind Oceansalt has used multiple versions of the malware in the five waves of attacks it has launched so far. The first wave targeted higher educational institutions in South Korea, the second went after public infrastructure projects in the country, and the third was directed at a government fund operated by South Korea's export and import bank. Subsequent attacks have targeted what McAfee describes as a relatively limited number of organizations outside South Korea.

Samani says McAfee is not entirely sure of Oceansalt's motivations. "But [it] appears to be first stage reconnaissance to gain a foothold in compromised organizations," he says.

The new campaign is further evidence of the recently heightened threat that many enterprises face from threat groups that are, or most likely are, state-sponsored.

Many of the groups and campaigns are China-based, according to some security vendors. Just earlier this month for instance, CrowdStrike released a report summarizing its analysis of threat hunting data between January and June this year. The data showed that of the 70 or so intrusions where CrowdStrike was able to actually identify the threat actor, about 40 were likely China-based.

A Feb 2018 report by the U.S. Director of National Intelligence identified several other nations as backing espionage and other malicious cyber activity targeted at US companies. Among them were Russia, Iran, and North Korea.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...