China's cyber spying 'production line' approach no game for amateurs

News by Tim Ring

Chinese cyber-spying production line shares tools and tactics between different groups suggesting cooperation or at least similar training.

The industrial scale of China's cyber espionage has been highlighted by a FireEye investigation that found two separate spy groups using the same tools and techniques, even though they are hundreds of kilometres apart and targeting different victim groups.

The spookily parallel activity of the Guangdong Province-based Moafee attack group, which targets the US defence industry and other countries' governments and military organisations, and Jiangsu Province-based DragonOK, which targets Japanese and Taiwanese high-tech and manufacturing companies, reveals the “production line” efficiency of China's cyber espionage says FireEye.

In a 10 September blog, FireEye's Thoufique Haq, Ned Moran, Mike Scott and Sai Omkar Vashisht detailed how both attack groups:

* Use multiple, overlapping tools, techniques and procedures (TTPs) to infiltrate and stay on their victims' networks, including custom-built backdoors and remote administration tools (RATs) such as CT/NewCT, Mongall and Nflog, and publicly available RATs such as PoisonIvy.

* Use the same HTRAN (HUC Packet Transmit Tool) 2 tool to proxy connections through intermediate servers and hide their true geographical location.

* Deploy common, multiple methods to hide their activities, including checking for the number of core processors (and quitting if only one is detected); attaching password-protected documents and providing a password in the email contents; and sending large files padded with unnecessary null bites to evade network and host-based AV engines that can't scan larger files.

* Favour audience-specific spear phishing emails written in the intended victim's language, and send an executable file embedded in a ZIP archive or a password-protected Microsoft Office document.

FireEye concludes: “We believe that these groups are from two distinct regions in China and possibly (1) are collaborating, (2) received the same training, (3) have a common toolkit supply chain, or some combination of these three - which means they are employing a ‘production line' type approach to initiating cyber attacks to breach defences.”

The company also identified a third attack group using the same custom backdoors and RATs, but with not enough similar traits to make a definite connection.

It says of Moafee and DragonOK: “By sharing TTPs and co-ordinating joint attacks, these advanced threat actors are leveraging China's supply chain economic expertise to perform extensive worldwide espionage.”

Analysing FireEye's findings, UK cyber espionage expert Professor Mike Jackson, from Birmingham City University, said the hidden links between the two attack groups might indicate a “subtler” approach to cyber espionage within China.

He told via email: “There are many indications that Chinese cyber espionage activities are government-supported and on a massive scale. In May this year the US Government went as far as indicting five individuals with clear connections to the Chinese Government for conspiring to commit computer fraud.

“The current identification of these two groups perhaps indicates a more subtle approach to cyber espionage where the linkage to official government institutions is harder to prove.”

Jackson added: “Use of the same tool by two different groups is not hard-and-fast evidence that the groups are linked. Software tools are passed around the hacker community and it is not unknown for two unlinked groups to be using identical software. What would suggest a linkage between these groups is that the targets and the modus operandi (the way the software tools are exploited) of the two groups appears to be similar.”

Another UK expert, Peter Armstrong, director of the cyber security business at Thales UK, was not surprised at the revealed ‘industrialisation' of cyber espionage.

He told via email: “What was once a cat-and-mouse game against small-scale but well-resourced threat actors has now begun to turn into one of cat and multiple, similar well-resourced and co-ordinated mice.”

Armstrong said the report's findings underline the importance of companies getting threat intelligence on these kinds of groups.

“The collection and analysis of cyber threat intelligence is becoming far more critical to a successful cyber protection programme,” he told us. “The growing importance of identifying and sharing threat actor TTPs (tactics, techniques and procedures) and IOCs (indications of compromise), not just across single businesses but across single and even multiple business sectors, cannot be underestimated.

“What is clear from what has been said here is that this is a sophisticated environment that demands real understanding and capability to be able to support organisations to bolster their defences: this is not a game for enthusiastic amateurs.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews