Chinese Nation-State Hackers Give Up Attack Campaign

It worked on Hurricane Panda. Can APT30 and other organized cyberespionage groups also be convinced that an attack campaign isn't worth the trouble?

Can highly motivated, well-financed, well-organized nation-state cyber attackers working in shifts be persuaded to abandon a long-running attack campaign against a single target? CrowdStrike has new evidence to suggest the answer is yes. And that's heartening news, when viewed alongside the sobering report released by FireEye yesterday about APT30, a cyberespionage group that's been active in Southeast Asia for over 10 years.

Hurricane Panda Backs Off  

Last April, CrowdStrike was called in to a company that had been thoroughly infiltrated by Hurricane Panda, a well-organized, China-based attack group CrowdStrike has been tracking since 2013. By June, they had completed remediation efforts and entirely ousted Hurricane Panda.

Within hours, the attackers were trying to regain access to the target company.

"What we noticed was they didn't give up," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "They kept trying to come back. We were witnessing daily activities." 

Day after day, for four months, the attackers tried to get back in, by using their preferred method of initial compromise: the China Chopper webshell, a small 70-byte text file that provides attackers full command execution and file upload/download capabilities, thereby opening a door for credential theft. The CrowdStrike tool could detect this "indicator of attack" and shut down the process before the compromise could occur.

After four futile months of this, the Hurricane Panda attackers upped their game.

They tried to compromise the organization by exploiting a Windows kernel zero-day vulnerability, which Alperovitch describes as "fairly rare and very, very expensive." Such a vulnerability might only appear on the black market a few times a year, and cost tens of thousands of dollars.

CrowdStrike stopped the attack and spotted the vulnerability. They reported the vulnerability to Microsoft, which patched it. Now, that pricey vulnerability won't be useful to Hurricane Panda, against that client or anyone else with their Windows patches up to date.

At that point, in October, Hurricane Panda ceased their attempts to compromise the organization. 


In December, CrowdStrike was called in to another organization, on another Hurricane Panda intrusion. After one month of a similar scenario -- being ousted from the target, and having repeated attempts to regain access be repelled -- the attackers again used a webshell, but for a different purpose. It executed a command to check if CrowdStrike was loaded in memory.

When it found it was, the attackers abandoned their siege of that target as well.

"This is the first time we're seeing a group like this stopping and giving way," says Alperovitch. "They have a job to do."

Alperovitch does not believe that these two incidents can, alone, be considered a trend. However, he does find it encouraging that people running cyberespionage organizations can be deterred -- that they are doing cost-benefit analyses and deciding some attack campaigns aren't worth the effort.

Further, he says, these cases show the value of watching for the indicators of attack -- not just the indicators of compromise -- and watching for suspicious intent behind a user's actions -- not just watching for the users you already know are malicious.
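As an added illustration of the "indicator of attack" idea Alperovitch describes (this is example code written for this article, not CrowdStrike's tooling), the routine below classifies constructed process-creation events: a web server worker spawning a shell, or a process-listing command of the kind a webshell would run to check what defenses are in memory, is flagged on behaviour alone, with no known-bad file hash required. The event format and the process names are assumptions.

```python
# Added example: behaviour-based "indicator of attack" detection for webshell
# command execution. Event format and process-name sets are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

WEB_WORKERS = {"w3wp.exe", "httpd", "nginx", "php-fpm"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
# Commands an intruder might run from a webshell to see which
# security agents are loaded (the article describes exactly this check).
RECON = {"tasklist.exe", "wmic.exe", "ps", "sc.exe"}


@dataclass
class ProcEvent:
    host: str
    parent: str   # image name of the parent process
    image: str    # image name of the newly created process
    cmdline: str


def classify(ev: ProcEvent) -> Optional[str]:
    """Return an IoA label for a suspicious process-creation event, else None."""
    parent, image = ev.parent.lower(), ev.image.lower()
    if parent not in WEB_WORKERS:
        return None            # only web-server children are of interest here
    if image in SHELLS:
        return "webshell-command-execution"
    if image in RECON:
        return "webshell-defence-enumeration"
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run classify() over a batch of events and return (host, label) hits."""
    return [(ev.host, label) for ev in events if (label := classify(ev))]


# Constructed sample telemetry (not real logs from any incident).
SAMPLE = [
    ProcEvent("web01", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("web01", "w3wp.exe", "tasklist.exe", "tasklist /svc"),
    ProcEvent("web02", "explorer.exe", "cmd.exe", "cmd.exe"),      # admin console
    ProcEvent("web02", "httpd", "php-fpm", "php-fpm: pool www"),   # normal child
]

if __name__ == "__main__":
    for host, label in scan(SAMPLE):
        print(f"{host}: {label}")
```

A real deployment would feed this from endpoint process-creation telemetry and, as in the incident described, terminate the flagged child process rather than merely log it.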

What Will APT30 Do Next?

Yesterday, FireEye released a report detailing the extraordinarily orderly operations of APT30, an attack group that's been around for over 10 years, and uses a custom malware suite better developed and better managed than any enterprise software you have.

Jen Weedon, FireEye's manager of threat intelligence, says they're impressed by APT30's professionalism, persistent focus on a particular region, and the fact that it's operated unabated and with so little change for over a decade. 

APT30 is a cyberespionage group that appears to be a nation-state-funded actor based in China. It goes after targets in Southeast Asia, whether government or commercial organizations, and has done so for over a decade. Operators work in shifts and can formally prioritize certain targets over others and add notes to victim profiles -- as they would in a well-run telemarketing call center.

APT30 registers their own domains for command-and-control servers, and some of those domains have been in use for many years. They've "chosen to invest in the long-term refinement and development of what appear to be a dedicated set of tools," according to FireEye's report, including droppers, downloaders, and backdoors that can steal data from air-gapped machines, go into stealth mode, and maintain persistence through a variety of other methods. Weedon says APT30 were going after air-gapped machines before other China-based groups were.

Through command-and-control communications, APT30 regularly updates the malware, so that only the most recent version is running on the victim system at the time.

Weedon partly credits APT30's business-like approach for their uncommon success, but also acknowledges that the targets' defenses in that region may continue to be particularly weak. 

Could APT30 be deterred in the same way that Hurricane Panda was? "Part of the answer comes back to who their ultimate sponsor is," says Weedon. "They have a mandate...It depends on what their exact requirements are."

She says that if they couldn't go after a target directly, they may go after them indirectly. APT30 is very successful at tailoring phishing messages to exploit trusted relationships and to make them related to geo-political events that will lure the kind of targets they want.

What is clear is that APT30 is in it for the long haul. From the report:

This dedication to adapting and modifying tools over a number of years, as opposed to discarding old tools in favor of newer, readily available ones, implies that APT30 has a long-term mission, and that their mission is consistent enough for their existing tools to be sufficient to support their operations over a long period of time.

"I'm looking forward to seeing how they adapt," in response to being outed by the FireEye report, says Weedon. "They're probably going to burn all the infrastructure. They'll probably try to change their malware in some significant way...but we'll pick it up again before long."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

4/15/2015 | 9:24:56 AM
Man these guys sound just like the NSA, oh wait.

4/14/2015 | 9:42:13 AM
The silence could be the indicator of future, or newer, activity.
Excellent article.

But one has to wonder if the perpetrators behind APT30 really did "give up".

Just because the guardian controls are not seeing new activity doesn't mean the bad guys are done. 
They may just be waiting for the dust to settle (complacency to set in) or they are already inside the walls, but using a different (new) APT methodology that the guardian controls are not familiar with.

Time will tell...