Chinese Nation-State Hackers Give Up Attack Campaign

It worked on Hurricane Panda. Can APT30 and other organized cyberespionage groups also be convinced that an attack campaign isn't worth the trouble?

Can highly motivated, well-financed, well-organized nation-state cyber attackers working in shifts be persuaded to abandon a long-running attack campaign against a single target? CrowdStrike has new evidence to suggest the answer is yes. And that's heartening news, when viewed alongside the sobering report released by FireEye yesterday about APT30, a cyberespionage group that's been active in Southeast Asia for over 10 years.

Hurricane Panda Backs Off  

Last April, CrowdStrike was called in to a company that had been thoroughly infiltrated by Hurricane Panda, a well-organized, China-based attack group CrowdStrike has been tracking since 2013. By June, they had completed remediation efforts and entirely ousted Hurricane Panda.

Within hours, the attackers were trying to regain access to the target company.

"What we noticed was they didn't give up," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "They kept trying to come back. We were witnessing daily activities." 

Day after day, for four months, the attackers tried to get back in, using their preferred method of initial compromise: the China Chopper webshell, a small 70-byte text file that gives attackers full command execution and file upload/download capabilities, thereby opening a door for credential theft. CrowdStrike's tool detected this "indicator of attack" and shut down the process before the compromise could occur.

After four futile months of this, the Hurricane Panda attackers upped their game.

They tried to compromise the organization by exploiting a Windows kernel zero-day vulnerability, which Alperovitch describes as "fairly rare and very, very expensive." Such a vulnerability might only appear on the black market a few times a year, and cost tens of thousands of dollars.

CrowdStrike stopped the attack and spotted the vulnerability. They reported the vulnerability to Microsoft, which patched it. Now, that pricey vulnerability won't be useful to Hurricane Panda, against that client or anyone else with their Windows patches up to date.

At that point, in October, Hurricane Panda ceased their attempts to compromise the organization. 


In December, CrowdStrike was called in to another organization, on another Hurricane Panda intrusion. After one month of a similar scenario -- being ousted from the target, and having repeated attempts to regain access repelled -- the attackers again used a webshell, but for a different purpose: it executed a command to check whether CrowdStrike's software was loaded in memory.

When it found it was, the attackers abandoned their siege of that target as well.

"This is the first time we're seeing a group like this stopping and giving way," says Alperovitch. "They have a job to do."

Alperovitch does not believe that these two incidents can, alone, be considered a trend. However he does find it encouraging that people running cyberespionage organizations can be deterred -- that they are doing cost-benefit analyses and deciding some attack campaigns aren't worth the effort.

Further, he says, these cases show the value of watching for the indicators of attack -- not just the indicators of compromise -- and watching for suspicious intent behind a user's actions -- not just watching for the users you already know are malicious.
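The distinction Alperovitch draws between indicators of attack and indicators of compromise can be made concrete with a small triage routine over process-creation telemetry. The following is an added illustration, not CrowdStrike's product logic and not code from the article: it assumes an event layout with pid, ppid, image path, command line and file hash (roughly what an EDR or Sysmon process-creation record carries), and every sample event, hash value and rule name below is constructed. The IoC rule matches only files already catalogued as bad; the IoA rules flag a web server process spawning a shell, or process enumeration running beneath one, whichever file performs the action.

```python
"""Matching process-creation telemetry against indicators of attack (IoAs)
rather than only indicators of compromise (IoCs).

Added illustration for this article; it is not CrowdStrike's or Dark Reading's
code. The event layout, the rules and every sample value are constructed."""
import ntpath
from typing import Dict, List

# Server processes that have no business launching a shell: a web server
# handing commands to cmd.exe is the classic footprint of a webshell.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh.exe"}
# Host-reconnaissance tools, e.g. listing processes to see which security
# products are loaded, as the article describes.
ENUM_IMAGES = {"tasklist.exe", "wmic.exe", "sc.exe"}

# The IoC side: hashes of files already known to be malicious (constructed).
KNOWN_BAD_SHA256 = {"11" * 32}

# Constructed process-creation events, loosely modelled on an EDR or Sysmon
# "process create" record. Hashes are placeholders, not real file hashes.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "w3wp.exe -ap DefaultAppPool", "sha256": "aa" * 32},
    {"pid": 500, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "sha256": "bb" * 32},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "whoami"', "sha256": "cc" * 32},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\tasklist.exe",
     "cmdline": "tasklist.exe", "sha256": "dd" * 32},
    {"pid": 400, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe", "sha256": "cc" * 32},
    {"pid": 600, "ppid": 100, "image": r"C:\inetpub\wwwroot\uploads\t.exe",
     "cmdline": "t.exe", "sha256": "11" * 32},
]


def basename(path: str) -> str:
    """Image name without directory, lower-cased, for rule matching."""
    return ntpath.basename(path).lower()


def ancestors(event: dict, by_pid: Dict[int, dict]) -> List[str]:
    """Image names of the parent, grandparent, ... that we hold records for."""
    chain, seen, ppid = [], set(), event["ppid"]
    while ppid in by_pid and ppid not in seen:  # guard against pid-reuse loops
        seen.add(ppid)
        chain.append(basename(by_pid[ppid]["image"]))
        ppid = by_pid[ppid]["ppid"]
    return chain


def match_iocs(event: dict, known_bad: set) -> List[str]:
    """IoC check: the file is one we have already catalogued as bad."""
    return ["known-bad-hash"] if event["sha256"] in known_bad else []


def match_ioas(event: dict, by_pid: Dict[int, dict]) -> List[str]:
    """IoA check: behaviour that is suspicious whichever file performs it."""
    image, chain = basename(event["image"]), ancestors(event, by_pid)
    reasons = []
    if image in SHELL_IMAGES and chain and chain[0] in WEB_SERVER_IMAGES:
        reasons.append("web-server-spawned-shell")
    if image in ENUM_IMAGES and WEB_SERVER_IMAGES & set(chain):
        reasons.append("process-enumeration-under-web-server")
    return reasons


def triage(events: List[dict], known_bad: set = KNOWN_BAD_SHA256) -> List[dict]:
    """Score every event: 'block' if any IoC or IoA fired, otherwise 'allow'."""
    by_pid = {e["pid"]: e for e in events}
    results = []
    for e in events:
        iocs, ioas = match_iocs(e, known_bad), match_ioas(e, by_pid)
        results.append({"pid": e["pid"], "image": basename(e["image"]),
                        "iocs": iocs, "ioas": ioas,
                        "verdict": "block" if iocs or ioas else "allow"})
    return results


if __name__ == "__main__":
    for r in triage(EVENTS):
        print(f'{r["pid"]:>4} {r["image"]:<14} {r["verdict"]:<5} {r["iocs"] + r["ioas"]}')
```

The cmd.exe spawned by w3wp.exe (pid 200) has a hash that appears on no blocklist, so an IoC-only check would let it through, while the IoA rule blocks it; the same cmd.exe launched from explorer.exe (pid 400) is allowed. That is the difference between watching what a process does and watching what it is, and it is also why the tasklist.exe run beneath the web server (pid 300) is caught even though tasklist itself is a legitimate Windows binary.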

What Will APT30 Do Next?

Yesterday, FireEye released a report detailing the extraordinarily orderly operations of APT30, an attack group that's been around for over 10 years, and uses a custom malware suite better developed and better managed than any enterprise software you have.

Jen Weedon, FireEye's manager of threat intelligence, says they're impressed by APT30's professionalism, persistent focus on a particular region, and the fact that it's operated unabated and with so little change for over a decade. 

APT30 is a cyberespionage group that appears to be a nation-state-funded actor based in China. It has gone after targets in Southeast Asia, both government and commercial organizations, for over a decade. Operators work in shifts, can formally prioritize certain targets over others, and add notes to victim profiles -- much as they would in a well-run telemarketing call center.

APT30 registers their own domains for command-and-control servers, and some of those domains have been in use for many years. They've "chosen to invest in the long-term refinement and development of what appear to be a dedicated set of tools," according to FireEye's report, including droppers, downloaders, and backdoors that can steal data from air-gapped machines, go into stealth mode, and maintain persistence through a variety of other methods. Weedon says APT30 were going after air-gapped machines before other China-based groups were.

Through command-and-control communications, APT30 regularly updates the malware, so that only the most recent version is running on a victim system at any given time.

Weedon partly credits APT30's business-like approach for their uncommon success, but also acknowledges that the targets' defenses in that region may continue to be particularly weak. 

Could APT30 be deterred in the same way that Hurricane Panda was? "Part of the answer comes back to who their ultimate sponsor is," says Weedon. "They have a mandate...It depends on what their exact requirements are."

She says that if they couldn't go after a target directly, they may go after them indirectly. APT30 is very successful at tailoring phishing messages to exploit trusted relationships and to make them related to geo-political events that will lure the kind of targets they want.

What is clear, is that APT30 is in it for the long haul. From the report:

This dedication to adapting and modifying tools over a number of years, as opposed to discarding old tools in favor of newer, readily available ones, implies that APT30 has a long-term mission, and that their mission is consistent enough for their existing tools to be sufficient to support their operations over a long period of time.

"I'm looking forward to seeing how they adapt," in response to being outed by the FireEye report, says Weedon. "They're probably going to burn all the infrastructure. They'll probably try to change their malware in some significant way...but we'll pick it up again before long."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

4/14/2015 | 9:42:13 AM
The silence could be the indicator of future, or newer, activity.
Excellent article. 

But one has to wonder if the perpetrators behind APT30 really did "give up".

Just because the guardian controls are not seeing new activity doesn't mean the bad guys are done. 
They may just be waiting for the dust to settle (complacency to set in) or they are already inside the walls, but using a different (new) APT methodology that the guardian controls are not familiar with.

Time will tell...
4/15/2015 | 9:24:56 AM
Man these guys sound just like the NSA, oh wait.