Cyber Espionage Campaign Reuses Code from China's APT1

US, Canadian organizations in crosshairs of group with apparent links to a Chinese military hacking unit that wreaked havoc several years ago.

5 Min Read

Several US organizations appear to be victims of a widespread data reconnaissance campaign involving malware last associated with Comment Crew aka APT1, a Chinese military-linked group that is believed responsible for stealing data from dozens of American companies between 2006 and 2010.

The attack group behind the latest campaign has carried out at least five separate waves of attacks against organizations in various sectors, the latest in June.

Most of the targets have been in South Korea. But security vendor McAfee, which has been tracking the new threat, says its telemetry suggests that multiple organizations within the financial, healthcare communications, and government sectors in the US and Canada have been hit as well.

McAfee has christened the new campaign Oceansalt based on similarities between its malware and the so-called 'Seasalt' malware associated with the Comment Crew/APT1. McAfee's analysis shows that at least 21% of the code is unique to Seasalt and serves a reconnaissance and control function.

The security vendor says it has been unable to determine how Oceansalt might have obtained access to Seasalt's source code. There's no evidence to suggest that the code was leaked or is available through Dark Web channels. That suggests that the Oceansalt and Comment Crew actors have some sort of a code-sharing arrangement, or that the former has privately gained access to source code from someone belonging to the original Comment Crew.

A third possibility, McAfee says, is that another actor is conducting a false flag operation to make it appear like the Comment Crew has resurfaced after dropping out of sight about five years ago following a 2013 Mandiant (now FireEye) expose on the group. In its exhaustive report released along with some 3,000 IoCs, Mandiant had linked Comment Crew, or APT1, directly to a covert cyber operation of China's People's Liberation Army called Unit 61398. At the time, the security vendor estimated that APT1 had systematically stolen hundreds of terabytes of data from 141 organizations across 20 industries.

McAfee this week stopped short of directly describing Oceansalt as being either China-sponsored or a reincarnation of Comment Crew/APT1. "While we can’t confirm this is nation state, this resembles nation-state capabilities," says Raj Samani, chief scientist and Fellow at McAfee. 

"[It suggests] that all enterprises are in the line of fire of nation states looking to promote and push their national strategic objectives at the cost of each of us," he says.

Tiny But Mighty Malware

McAfee this week described Oceansalt as malware that is harder to detect than other malicious code because of its minimal 76KB footprint on disk.  Oceansalt does not appear to be simply a recompilation of Seasalt but more of an evolution of the original malware based on certain differences between the two implants.

Oceansalt, for instance, uses an encoding and decoding mechanism before sending data to the control server — a feature that was not present in the original malware. Similarly, the addresses for the control servers are hardcoded in Oceansalt whereas Seasalt parsed the data from its binary, McAfee said in its report.

Oceansalt is designed to capture the IP address, computer name, the filepath of the implant, and other system and process details on an infected system and send it to an external server. The malware can be used to delete and write files on disk, open and terminate processes, create, operate and close a reverse shell, and to execute other remote commands. The malware, like a lot of malicious software these days, is being distributed via spearphising emails with Excel and Word attachments.

McAfee says its research shows that the implant itself is a first-stage component that can be used to download other malware components on an infected machine. Data from the control servers that are being used in the campaign shows infected machines in the United States, Canada, Costa Rica, and the Philippines.

Mysterious Mission

The group behind Oceansalt has used multiple versions of the malware in the five waves of attacks it has launched so far. The first wave targeted higher educational institutions in South Korea, the second went after public infrastructure projects in the country, and the third was directed at government fund operated by South Korea's export and import bank. Subsequent attacks have targeted what McAfee describes as a relatively limited number of organizations outside South Korea.

Samani says McAfee is not entirely sure of Oceansalt's motivations. "But [it] appears to be first stage reconnaissance to gain a foothold in compromised organizations," he says.

The new campaign is further evidence of the recently heightened threat that many enterprises face from threat groups that are state-sponsored or most likely are state-sponsored.

Many of the groups and campaigns are China-based, according to some security vendors. Just earlier this month for instance, CrowdStrike released a report summarizing its analysis of threat hunting data between January and June this year. The data showed that of the 70 or so intrusions where CrowdStrike was able to actually identify the threat actor, about 40 were likely China-based.

A Feb 2018 report by the U.S. Director of National Intelligence identified several other nations as backing espionage and other malicious cyber activity targeted at US companies. Among them were Russia, Iran, and North Korea.

Related Content:


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights