'Chinese' APT group hits hundreds of Japanese firms

News by Tim Ring

A suspected Chinese hacker group dubbed 'Blue Termite' has been targeting hundreds of Japanese businesses and government organisations in a cyber-espionage campaign stretching back to 2013.

In an expose published yesterday, Kaspersky Lab says one of Blue Termite's main targets was Japan's Pension Service – which in June suffered a cyber-attack that resulted in the theft of more than a million Japanese citizens' personal records.

But the group's top targets also feature a wide range of Japanese high-tech firms – including chemical, satellite, medical and food companies, as well as automotive, electrical, semiconductor, robotics, communications, energy and financial businesses - in what may be a campaign of mainly industrial espionage.

Blue Termite is still active, Kaspersky warns, and its main weapon is the Flash Player zero-day exploit (CVE-2015-5119) that was leaked last month when the Italian Hacking Team group was itself hacked.

The APT group also uses sophisticated backdoors customised to each individual victim, Kaspersky said, and has sited most of its command and control servers in Japan.

But Kaspersky points out that Blue Termite's testing IP address is in Shanghai and its command and control user interface and other technical documents are written in Chinese – though it stops short of saying definitively that the hackers come from China.

The company has been tracking Blue Termite for 10 months, and says it has been active since at least November 2013.

Kaspersky researcher and blog author, Suguru Ishimaru, pointed out: “Blue Termite is the first campaign known to Kaspersky Lab to be strictly focused on Japan targets.”

He also said the group switched tactics after the high-profile Japan Pension Service hack - from using mainly spear-phishing emails to spreading its malware via the Flash zero-day - because Japanese organisations would have gone on high alert.

This switch has resulted in a “significant spike'” in the group's infection rate in July, Kaspersky said.

“The attackers have compromised several Japanese websites so that visitors of the sites would automatically download an exploit once they are on the website and become infected,” the company added.

One compromised site belonged to a prominent member of the Japanese government.

Analysing the campaign, UK APT expert John Walker believes Blue Termite is likely to be from China and focused mainly on industrial espionage.

Walker, a visiting Professor with Nottingham-Trent University and director of security consultancy ISX, told SCMagazineUK.com: “By placing the C2 servers outside China they're covering their backs so the Chinese Government, if it's backed by them, could easily walk away and say ‘it's nothing to do with us.'

“Looking at the targets, I believe it's more about industrial espionage than anything else, looking for what information they can gather. It's more state-sponsored, or state-ignored, industrial espionage – getting access to people of interest and value that can promote the Chinese economy.

“They are looking for specific industries that have high value. You're looking at high-gain industries with a lot of money at stake in research and development. If you can rip that off, you're cutting the corners to producing valuable products.”

But another UK APT expert, author and cyber-security researcher David Lacey, advised caution about Blue Termite's nationality.

“It's impossible to be precise about their origin as it might be a false-flag attack,” he told SCMagazineUK.com via email. “It's easy to plant a few foreign-language documents. Deception is the real art of information warfare.”

Walker now expects the campaign to spread from the Japan to the West. “Just because it's there now doesn't mean it won't be here in the future. I would expect it to be in other territories – probably today and it hasn't been identified, but it will certainly be here tomorrow.”

Ishimaru explained how Kaspersky exposed Blue Termite. “Each victim is supplied with a unique malware sample that is made in such a way that it could only be launched on a specific PC, targeted by the Blue Termite actor,” he said. “This has been done in order to make it difficult for security researchers to analyse the malware and detect it.”

But Kaspersky was able to ‘brute-force' the decryption keys from a number of malware samples and analyse them.

Highlighting key aspects of the campaign, David Lacey said: “It's interesting that this group selects only one target,” adding: “It would seem sensible to site C2 servers in the target country as they might be less obvious as a threat.”

Earlier this week Zscaler reported that, like Blue Termite, the Chinese APT group known as Emissary Panda and Threat Group 3390 had also been using Hacking Team Flash exploits.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews