Franchising The Chinese APT

At least two different cyber espionage gangs in China appear to be employing uniform tools and techniques, FireEye finds.

Two Chinese cyber espionage gangs known for targeting very different industries and working out of different regions of the nation actually use some of the same or similar tactics, tools, and resources in their spying operations, researchers found.

Such collaboration and resource sharing has not typically been the MO among the majority of Chinese cyber espionage groups, and this could indicate an evolution in the nation's cyberspying operations toward more organized, streamlined, and cooperative operations, according to FireEye, which studied the inner workings of the groups.

Security researchers from other firms say this is a trend that has been evolving for some time.

"They use similar malware implants, backend infrastructure, and similar social engineering techniques. But they are distinct based on their mission focus and locations," says Thoufique Haq, senior research scientist at FireEye. "It's quite possible they are subgroups with their own mission focus."

The so-called Moafee gang, which targets military and government entities such as the US defense industry, and the DragonOK gang, which targets high-tech and manufacturing companies in Japan and Taiwan, operate out of different regions in China and constitute separate groups, researchers say. Moafee appears to operate out of Guandong Province, and DragonOK appears to operate out of Jiangsu Province.

They use similar phishing email and malicious attachment structures in their targeted cyberattack campaigns, with password-protected Office documents or ZIP files with malicious executables, as well as phony documents that mask the malware running in the background. They each also attempt to hide the malware by halting its execution if only one CPU is detected running it, which could indicate a virtual machine analyzing it. They also require passwords for the victims to open the documents as a way to bypass antivirus engines and other security tools, and they pad files so that they appear larger and can bypass host-based AV engines, FireEye has found.

Moafee and DragonOK also use the backdoor malware, including CT/NewCT, NewCT2, Mongall, Nflog, and PoisonIvy. They also use the popular HTRAN proxy tool on their command and control servers to mask their locations.

"They are collaborating or a handoff is going on between the APT attackers… they are not completely isolated groups," Haq says.

His team could not determine just how successful the two APT groups have been in their cyberspying operations, but most of their operations are still under way. Though Moafee and DragonOK haven't been exposed much publicly before, they have been operating under the radar for some time.

"It's not very often you can gain insight into the methodology of a [cyber espionage] attacker," he says. "In the crimeware industry, you… have a good understanding of the payloads. In APTs, this usually happens behind the curtain."

Aviv Raff, CTO at Seculert, says he and his team have seen attackers sharing tools and resources. "There are even 'as-a-service' groups just for that. However, I think it's more important to understand the motive behind the attack, instead of trying to attribute it to a specific attacker."

Researchers at AlienVault also have seen Chinese APTs sharing zero-day exploits for several years, says Jaime Blasco, director of AlienVault Labs. "It seems there is either a supply chain or I would say a huge amount of information-exchanging and collaboration between groups operating in China," Blasco says.

What was the most surprising thing about the Moafee and DragonOK groups? "The most surprising aspect here is their use of very simple evasion techniques, such as detecting the CPU… that's been known about for more than a decade in the industry," Haq says. "I'm very surprised they were still able to use them and remain effective against their targets."

Meanwhile, FireEye says a third Chinese APT group may also be using some of the same tools and techniques as Moafee and DragonOK. "By sharing TTPs and coordinating joint attacks, these advanced threat actors are leveraging China's supply chain economic expertise to perform extensive worldwide espionage," FireEye's research team wrote in a blog post today.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights