Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

10/28/2014 04:50 PM

Security Companies Team Up, Take Down Chinese Hacking Group

Novetta, Microsoft, and others form Operation SMN to eradicate Hikit malware and disrupt the cyber espionage gang Axiom's extensive information gathering.

A coalition of security companies has hit a sophisticated hacking group in China with a heavy blow. The effort is detailed in a report released today by Novetta. The coalition, which calls itself Operation SMN, detected and cleaned up malicious code on 43,000 computers worldwide that were targeted by Axiom, an incredibly sophisticated organization that has been stealing intellectual property for more than six years.

This effort was led by Novetta and included Bit9, Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect Intelligence Research Team (TCIRT), ThreatTrack Security, Volexity, and other unnamed organizations. Operation SMN is working independently of law enforcement or intelligence agencies. The group united as part of Microsoft's Coordinated Malware Eradication (CME) campaign against Hikit (a.k.a. Hikiti), the custom malware often used by Axiom to burrow into organizations, exfiltrate data, and evade detection, sometimes for years.

Novetta had been closely investigating Hikit since early this summer. So when Novetta senior technical director Andre Ludwig learned about Microsoft's new CME program -- which "calls for organizations to pool their tools, information and actions to drive coordinated campaigns against malware" -- he proposed that they go after Hikit together. But Axiom used a variety of tools to access and re-infect environments -- not just Hikit, but also Derusbi, Deputy Dog, Hydraq, and others. So, Ludwig says, they expanded the group and its scope "so that we absolutely did the best possible job of cleanup and removal" and rolled it all into a Microsoft Malicious Software Removal Tool (MSRT) released Oct. 14.

The work and the tool are comprehensive, but this may be only a temporary setback for Axiom, which is an exceptionally well-oiled attack machine.

Novetta says it has "moderate to high confidence" that Axiom is a well-resourced and well-disciplined subgroup of the state-backed "Chinese Intelligence Apparatus." There are links between Axiom and some of the most sophisticated attacks in recent history, including Operation Aurora in 2010 and the VOHO campaign of 2012.

Axiom seems to be systematically gathering very deep information to support a mission from higher up. According to the report:

Axiom operators have been observed operating in organizations that are of strategic economic interest, that influence environmental and energy policy, and that develop cutting edge information technology including integrated circuits, telecommunications equipment manufacturers, and infrastructure providers.

The targets are relatively few, but the intelligence gathering is comprehensive, covering a variety of target organizations that were very deliberately chosen -- whether that be a technology manufacturer with trade secrets to steal or an NGO protecting government dissidents or whistleblowers.

Finding the ideal targets and getting to them quickly is one of Axiom's greatest strengths. The report notes its ability to sift through large sets of infected machines to identify the highest-interest targets and then quickly (within hours or days) begin follow-up exploitation -- like escalating access privileges, creating shell utilities customized for the operational environment, and exfiltrating confidential information.

The target organizations are often related in some way, and the Hikit malware uses that to its advantage. As Ludwig explains, once Hikit has burrowed its way into a computing environment, it can create a "mini-network," communicating laterally with other Hikit installations within the organization or related outside organizations, using each other as proxies and never communicating with the command-and-control server directly. And traffic flowing between legitimate organizations that are known partners will not look very suspicious.

Axiom actors also hide their tracks in other ways. The researchers discovered evidence that Axiom created multiple, segregated network infrastructures to carry out different stages of the attack.

As the report describes it, the entire Axiom operation is remarkably orderly and disciplined. The individuals working for Axiom set up clear Hikit maintenance schedules to ensure that an infection is still operating correctly and that there haven't been any significant changes to the surrounding environment. Plus, the individuals are making it difficult for the good guys to identify them by avoiding risky behaviors, like using Axiom resources to visit personal websites.

According to the report, this "displays a level of familiarity with investigative and forensics operations that clearly sets [Axiom] apart from the less sophisticated threat actors."

The legacy
Operation SMN is another example of competing security companies collaborating to take down a common adversary -- similar to the operations that took down Gameover Zeus and Blackshades, but without the participation of a government intelligence or law enforcement agency.

Ludwig says he hopes the industry as a whole moves to this more collaborative, proactive approach, "instead of the old model of observe and report."

He also says that his company's executives were entirely supportive of this effort and were not worried about any negative business impacts of sharing their resources with other security companies. "It does not help us to have a stranglehold on the information." The competitive edge is not in having the information, but in using the information to protect customers.

Download the full report here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
Comments
Marilyn Cohodas,
User Rank: Strategist
10/29/2014 | 11:47:55 AM
Re: We Have Arrived at Gibson's Dystopia
Point taken. We can't go full speed ahead and ignore the potential risks.
RetiredUser,
User Rank: Ninja
10/29/2014 | 11:46:00 AM
Re: We Have Arrived at Gibson's Dystopia
Ah, but you'll note, @Marilyn Cohodas, that I also agree it's a step in the right direction and feel it's finally time we saw this happen - for clarification, what I'm getting at is: Now that we're here, what more can we do to prevent a good thing turning into a bad thing?  I'm that guy that wants to push and combat until the criminal elements are out of our electronic space, but caution and self-preservation are as important elements in this battle as the battle strategy itself :-)
Marilyn Cohodas,
User Rank: Strategist
10/29/2014 | 8:44:44 AM
Re: We Have Arrived at Gibson's Dystopia
Must respectfully disagree, @Christian Bryant. I think it's a big step in the right direction to see competing security companies collaborate to take down a common adversary. Sure there is potential for abuse. Nothing is perfect. But the best way to defeat the attackers is for the defenders to work in concert against them.
RetiredUser,
User Rank: Ninja
10/28/2014 | 7:49:06 PM
We Have Arrived at Gibson's Dystopia
Well, OK - maybe not to the extreme of William Gibson's novel Neuromancer, but I'm seeing the signs for sure.  Reading the Axiom report is interesting.  "Finally" is the word that comes to mind.  The report opens the Key Findings with the statement: 

"Axiom is responsible for directing highly sophisticated cyber espionage operations against numerous Fortune 500 companies, journalists, environmental groups, pro-democracy groups, software companies, academic institutions, and government agencies worldwide for at least the last six years. In our coordinated effort, we performed the first ever-private sponsored interdiction against a sophisticated state sponsored advanced threat group. Our efforts detected and cleaned 43,000 separate installations of Axiom tools, including 180 of their top tier implants."

Now, I don't read a ton of fiction - I'm happier with manuals and HOWTOS. But in reading this report, I can't help but wonder at what's next. Cyberwarfare is clearly here at the level of Nations and that is mildly disturbing. The fact that incredibly wealthy corporations have pulled together (like pseudo-governments) and (seemingly) taken the law into their own hands is either frightening or inspiring. I said "finally" earlier because I have always supported the idea of combative cyber security, though it is incredibly risky. But I am thinking of those who almost have to fight for themselves, the small business owner who stands to lose everything.

But here we have mega corporations re-defining the rules of cyber crime; sabotage and espionage are alive and well, reprisals are on the way. At what point before we are the recipients of computer technology pre-built with nasties at both the hardware and software level? (And yes, for those who are catching on, I'm echoing James Turner from O'Reilly here.)

The report also notes:

"The breadth and scope of Axiom's operations served as motivation and justification for the approach adopted by the coalition of large scale data capture, analysis, and distribution of both data and analytical output to industry. In the intervening period, the coalition has received a substantial amount of information relating to the removal of these malware tools. To date, over 43,000 separate installations of Axiom-related tools have been removed from machines protected by Operation SMN partners, and 180 of those infections were examples of Hikit, the late-stage persistence and data exfiltration tool that represents the height of an Axiom victim's operational lifecycle."

Again, "finally" - the kind of language I like to read, but also again, how far?  It's similar to old-fashioned terrorism where we have to reach that point of "enough", but then the path we take to combat it may lead us down a dark road, and in some ways make the enemy stronger.

Maybe for now this is what we need.  But I am holding my breath a little for the backlash.  In the meantime, saddle up.  Tech just got a whole lot more serious, and we need to sharpen our skills all the more.