A coalition of security companies has hit a sophisticated hacking group in China with a heavy blow. The effort is detailed in a report released today by Novetta. The coalition, which calls itself Operation SMN, detected and cleaned up malicious code on 43,000 computers worldwide that were targeted by Axiom, an incredibly sophisticated organization that has been stealing intellectual property for more than six years.
This effort was led by Novetta and included Bit9, Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect Intelligence Research Team (TCIRT), ThreatTrack Security, Volexity, and other unnamed organizations. Operation SMN is working independently of law enforcement or intelligence agencies. The group united as part of Microsoft's Coordinated Malware Eradication (CME) campaign against Hikit (a.k.a. Hikiti), the custom malware often used by Axiom to burrow into organizations, exfiltrate data, and evade detection, sometimes for years.
Novetta had been closely investigating Hikit since early this summer. So when Novetta senior technical director Andre Ludwig learned about Microsoft's new CME program -- which "calls for organizations to pool their tools, information and actions to drive coordinated campaigns against malware" -- he proposed that they go after Hikit together. But Axiom used a variety of tools to access and re-infect environments -- not just Hikit, but also Derusbi, Deputy Dog, Hydraq, and others. So, Ludwig says, they expanded the group and its scope "so that we absolutely did the best possible job of cleanup and removal" and rolled it all into a Microsoft Malicious Software Removal Tool (MSRT) released Oct. 14.
The work and the tool are comprehensive, but this may be only a temporary setback for Axiom, which is an exceptionally well-oiled attack machine.
Novetta says it has "moderate to high confidence" that Axiom is a well-resourced and well-disciplined subgroup of the state-backed "Chinese Intelligence Apparatus." There are links between Axiom and some of the most sophisticated attacks in recent history, including Operation Aurora in 2010 and the VOHO campaign of 2012.
Axiom seems to be systematically gathering very deep information to support a mission from higher up. According to the report:
Axiom operators have been observed operating in organizations that are of strategic economic interest, that influence environmental and energy policy, and that develop cutting edge information technology including integrated circuits, telecommunications equipment manufacturers, and infrastructure providers.
The targets are relatively few, but the intelligence gathering is comprehensive, covering a variety of target organizations that were very deliberately chosen -- whether that be a technology manufacturer with trade secrets to steal or an NGO protecting government dissidents or whistleblowers.
Finding the ideal targets and getting to them quickly is one of Axiom's greatest strengths. The report notes its ability to sift through large sets of infected machines to identify the highest-interest targets and then quickly (within hours or days) begin followup exploitation -- like escalating access privileges, creating shell utilities customized for the operational environment, and exfiltrating confidential information.
The target organizations are often related in some way, and the Hikit malware uses that to its advantage. As Ludwig explains, once Hikit has burrowed its way into a computing environment, it can create a "mini-network," communicating laterally with other Hikit installations within the organization or related outside organizations, using each other as proxies and never communicating with the command-and-control server directly. And traffic flowing between legitimate organizations that are known partners will not look very suspicious.
Axiom actors also hide their tracks in other ways. The researchers discovered evidence that Axiom created multiple, segregated network infrastructures to carry out different stages of the attack.
As the report describes it, the entire Axiom operation is remarkedly orderly and disciplined. The individuals working for Axiom set up clear Hikit maintenance schedules, to ensure that an infection is still operating correctly and that there haven't been any significant changes to the surrounding environment. Plus, the individuals are making it difficult for the good guys to identify them by avoiding risky behaviors, like using Axiom resources to visit personal websites.
According to the report, this "displays a level of familiarity with investigative and forensics operations that clearly sets [Axiom] apart from the less sophisticated threat actors."
Operation SMN is another example of competing security companies collaborating to take down a common adversary -- similar to the operations that took down Gameover Zeus and Blackshades, but without the participation of a government intelligence or law enforcement agency.
Ludwig says he hopes the industry as a whole moves to this more collaborative, proactive approach, "instead of the old model of observe and report."
He also says that his company's executives were entirely supportive of this effort and were not worried about any negative business impacts of sharing their resources with other security companies. "It does not help us to have a stranglehold on the information." The competitive edge, is not in having the information, but in using the information to protect customers.
Download the full report here.