Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:50 PM
Connect Directly

Security Companies Team Up, Take Down Chinese Hacking Group

Novetta, Microsoft, and others form Operation SMN to eradicate Hikit malware and disrupt the cyber espionage gang Axiom's extensive information gathering.

A coalition of security companies has hit a sophisticated hacking group in China with a heavy blow. The effort is detailed in a report released today by Novetta. The coalition, which calls itself Operation SMN, detected and cleaned up malicious code on 43,000 computers worldwide that were targeted by Axiom, an incredibly sophisticated organization that has been stealing intellectual property for more than six years.

This effort was led by Novetta and included Bit9, Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect Intelligence Research Team (TCIRT), ThreatTrack Security, Volexity, and other unnamed organizations. Operation SMN is working independently of law enforcement or intelligence agencies. The group united as part of Microsoft's Coordinated Malware Eradication (CME) campaign against Hikit (a.k.a. Hikiti), the custom malware often used by Axiom to burrow into organizations, exfiltrate data, and evade detection, sometimes for years.

Novetta had been closely investigating Hikit since early this summer. So when Novetta senior technical director Andre Ludwig learned about Microsoft's new CME program -- which "calls for organizations to pool their tools, information and actions to drive coordinated campaigns against malware" -- he proposed that they go after Hikit together. But Axiom used a variety of tools to access and re-infect environments -- not just Hikit, but also Derusbi, Deputy Dog, Hydraq, and others. So, Ludwig says, they expanded the group and its scope "so that we absolutely did the best possible job of cleanup and removal" and rolled it all into a Microsoft Malicious Software Removal Tool (MSRT) released Oct. 14.

The work and the tool are comprehensive, but this may be only a temporary setback for Axiom, which is an exceptionally well-oiled attack machine.

Novetta says it has "moderate to high confidence" that Axiom is a well-resourced and well-disciplined subgroup of the state-backed "Chinese Intelligence Apparatus." There are links between Axiom and some of the most sophisticated attacks in recent history, including Operation Aurora in 2010 and the VOHO campaign of 2012.

Axiom seems to be systematically gathering very deep information to support a mission from higher up. According to the report:

Axiom operators have been observed operating in organizations that are of strategic economic interest, that influence environmental and energy policy, and that develop cutting edge information technology including integrated circuits, telecommunications equipment manufacturers, and infrastructure providers.

The targets are relatively few, but the intelligence gathering is comprehensive, covering a variety of target organizations that were very deliberately chosen -- whether that be a technology manufacturer with trade secrets to steal or an NGO protecting government dissidents or whistleblowers.

Finding the ideal targets and getting to them quickly is one of Axiom's greatest strengths. The report notes its ability to sift through large sets of infected machines to identify the highest-interest targets and then quickly (within hours or days) begin followup exploitation -- like escalating access privileges, creating shell utilities customized for the operational environment, and exfiltrating confidential information.

The target organizations are often related in some way, and the Hikit malware uses that to its advantage. As Ludwig explains, once Hikit has burrowed its way into a computing environment, it can create a "mini-network," communicating laterally with other Hikit installations within the organization or related outside organizations, using each other as proxies and never communicating with the command-and-control server directly. And traffic flowing between legitimate organizations that are known partners will not look very suspicious.

Axiom actors also hide their tracks in other ways. The researchers discovered evidence that Axiom created multiple, segregated network infrastructures to carry out different stages of the attack.

As the report describes it, the entire Axiom operation is remarkedly orderly and disciplined. The individuals working for Axiom set up clear Hikit maintenance schedules, to ensure that an infection is still operating correctly and that there haven't been any significant changes to the surrounding environment. Plus, the individuals are making it difficult for the good guys to identify them by avoiding risky behaviors, like using Axiom resources to visit personal websites.

According to the report, this "displays a level of familiarity with investigative and forensics operations that clearly sets [Axiom] apart from the less sophisticated threat actors."

The legacy
Operation SMN is another example of competing security companies collaborating to take down a common adversary -- similar to the operations that took down Gameover Zeus and Blackshades, but without the participation of a government intelligence or law enforcement agency.

Ludwig says he hopes the industry as a whole moves to this more collaborative, proactive approach, "instead of the old model of observe and report."

He also says that his company's executives were entirely supportive of this effort and were not worried about any negative business impacts of sharing their resources with other security companies. "It does not help us to have a stranglehold on the information." The competitive edge, is not in having the information, but in using the information to protect customers.

Download the full report here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
10/29/2014 | 11:47:55 AM
Re: We Have Arrived at Gibson's Dystopia
Point taken. We can't go full speed ahead and ignore the potential risks..
User Rank: Ninja
10/29/2014 | 11:46:00 AM
Re: We Have Arrived at Gibson's Dystopia
Ah, but you'll note, @Marilyn Cohodas, that I also agree it's a step in the right direction and feel it's finally time we saw this happen - for clarification, what I'm getting at is: Now that we're here, what more can we do to prevent a good thing turning into a bad thing?  I'm that guy that wants to push and combat until the criminal elements are out of our electronic space, but caution and self-preservation are as important elements in this battle as the battle strategy itself :-)
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
10/29/2014 | 8:44:44 AM
Re: We Have Arrived at Gibson's Dystopia
Must respecfully disagree, @Christian Bryant. I think it's a big step in the right direction to see competing security companies collaborate to take down a common adversary. Sure there is potential for abuse. Nothing is perfect. But the best way to defeat the attackers is for the defenders to work in concert against them.
User Rank: Ninja
10/28/2014 | 7:49:06 PM
We Have Arrived at Gibson's Dystopia
Well, OK - maybe not to the extreme of William Gibson's novel Neuromancer, but I'm seeing the signs for sure.  Reading the Axiom report is interesting.  "Finally" is the word that comes to mind.  The report opens the Key Findings with the statement: 

"Axiom is responsible for directing highly sophisticated cyber espionage operations against numerous Fortune 500 companies, journalists, environmental groups, pro-democracy groups, software companies, academic institutions, and government agencies worldwide for at least the last six years. In our coordinated effort, we performed the first ever-private sponsored interdiction against a sophisticated state sponsored advanced threat group. Our efforts detected and cleaned 43,000 separate installations of Axiom tools, including 180 of their top tier implants."

Now, I don't read a ton of fiction - I'm happier with manuals and HOWTOS. But in reading this report, I can't help but wonder at what's next. Cyberwarfare is clearly here at the level of Nations and that is mildly disturbing. The fact that incredibly wealthy corporations have pulled together (like pseudo-governments) and (seemingly) taken the law into their own hands is either frightening or inspiring. I said "finally" earlier because I have always supported the idea of combative cyber security, though it is incredibly risky. But I am thinking of those who almost have to fight for themselves, the small business owner who stands to lose everything.

But here we have mega corporations re-defining the rules of cyber crime; sabotage and espianage are alive and well, reprisals are on the way. At what point before we are the recipients of computer technology pre-built with nasties at both at the hardware and software level? (And yes, for those who are catching on, I'm echoing James Turner from O'Reilly here.)

The report also notes:

"The breadth and scope of Axiom's operations served as motivation and justification for the approach adopted by the coalition of large scale data capture, analysis, and distribution of both data and analytical output to industry. In the intervening period, the coalition has received a substantial amount of information relating to the removal of these malware tools. To date, over 43,000 separate installations of Axiom-related tools have been removed from machines protected by Operation SMN partners, and 180 of those infections were examples of Hikit, the late-stage persistence and data exfiltration tool that represents the height of an Axiom victim's operational lifecycle."

Again, "finally" - the kind of language I like to read, but also again, how far?  It's similar to old-fashioned terrorism where we have to reach that point of "enough". but then the path we take to combat it may lead us down a dark road, and in some ways make the enemy stronger.

Maybe for now this is what we need.  But I am holding my breath a little for the backlash.  In the meantime, saddle up.  Tech just got a whole lot more serious, and we need to sharpen our skills all the more.


Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.