Cyber Espionage Campaign Reuses Code from China's APT1

US, Canadian organizations in crosshairs of group with apparent links to a Chinese military hacking unit that wreaked havoc several years ago.

Several US organizations appear to be victims of a widespread data reconnaissance campaign involving malware last associated with Comment Crew aka APT1, a Chinese military-linked group that is believed responsible for stealing data from dozens of American companies between 2006 and 2010.

The attack group behind the latest campaign has carried out at least five separate waves of attacks against organizations in various sectors, the latest in June.

Most of the targets have been in South Korea. But security vendor McAfee, which has been tracking the new threat, says its telemetry suggests that multiple organizations within the financial, healthcare, communications, and government sectors in the US and Canada have been hit as well.

McAfee has christened the new campaign Oceansalt based on similarities between its malware and the so-called 'Seasalt' malware associated with the Comment Crew/APT1. McAfee's analysis shows that at least 21% of the code is unique to Seasalt and serves a reconnaissance and control function.

The security vendor says it has been unable to determine how Oceansalt might have obtained access to Seasalt's source code. There is no evidence to suggest that the code was leaked or is available through Dark Web channels. That suggests that the Oceansalt and Comment Crew actors have some sort of code-sharing arrangement, or that the former has privately gained access to the source code from someone belonging to the original Comment Crew.

A third possibility, McAfee says, is that another actor is conducting a false flag operation to make it appear that the Comment Crew has resurfaced after dropping out of sight about five years ago, following a 2013 Mandiant (now FireEye) exposé on the group. In its exhaustive report, released along with some 3,000 IoCs, Mandiant had linked Comment Crew, or APT1, directly to a covert cyber operation of China's People's Liberation Army called Unit 61398. At the time, the security vendor estimated that APT1 had systematically stolen hundreds of terabytes of data from 141 organizations across 20 industries.

McAfee this week stopped short of directly describing Oceansalt as being either China-sponsored or a reincarnation of Comment Crew/APT1. "While we can't confirm this is nation state, this resembles nation-state capabilities," says Raj Samani, chief scientist and Fellow at McAfee.

"[It suggests] that all enterprises are in the line of fire of nation states looking to promote and push their national strategic objectives at the cost of each of us," he says.

Tiny But Mighty Malware

McAfee this week described Oceansalt as malware that is harder to detect than other malicious code because of its minimal 76KB footprint on disk. Oceansalt does not appear to be simply a recompilation of Seasalt but more of an evolution of the original malware, based on certain differences between the two implants.

Oceansalt, for instance, uses an encoding and decoding mechanism before sending data to the control server — a feature that was not present in the original malware. Similarly, the addresses for the control servers are hardcoded in Oceansalt whereas Seasalt parsed the data from its binary, McAfee said in its report.

Oceansalt is designed to capture the IP address, computer name, the file path of the implant, and other system and process details on an infected system and send them to an external server. The malware can be used to delete and write files on disk, open and terminate processes, create, operate, and close a reverse shell, and execute other remote commands. The malware, like a lot of malicious software these days, is being distributed via spear-phishing emails with Excel and Word attachments.

McAfee says its research shows that the implant itself is a first-stage component that can be used to download other malware components on an infected machine. Data from the control servers that are being used in the campaign shows infected machines in the United States, Canada, Costa Rica, and the Philippines.

Mysterious Mission

The group behind Oceansalt has used multiple versions of the malware in the five waves of attacks it has launched so far. The first wave targeted higher educational institutions in South Korea, the second went after public infrastructure projects in the country, and the third was directed at a government fund operated by South Korea's export and import bank. Subsequent attacks have targeted what McAfee describes as a relatively limited number of organizations outside South Korea.

Samani says McAfee is not entirely sure of Oceansalt's motivations. "But [it] appears to be first stage reconnaissance to gain a foothold in compromised organizations," he says.

The new campaign is further evidence of the recently heightened threat that many enterprises face from threat groups that are, or most likely are, state-sponsored.

Many of the groups and campaigns are China-based, according to some security vendors. Earlier this month, for instance, CrowdStrike released a report summarizing its analysis of threat hunting data between January and June this year. The data showed that of the 70 or so intrusions in which CrowdStrike was able to identify the threat actor, about 40 were likely China-based.

A February 2018 report by the US Director of National Intelligence identified several other nations as backing espionage and other malicious cyber activity targeted at US companies. Among them were Russia, Iran, and North Korea.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
