Novetta Solutions has been leading the investigation into the threat actor for the last six years, and consulted with Bit9, Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Symantec, Tenable, ThreatConnect, ThreatTrack Security, and Volexity during this process – as documented by SC two weeks ago.
However, in a new report released on Tuesday, the firm went into more detail – specifically on the likelihood that the group is part of Chinese intelligence and that its use of malware varies from the generic to the tailored and custom – with the latter's effect sometimes measurable ‘in years’.
According to the 47-page ‘Operation SMN: Axiom Threat Actor Group Report’ (PDF), the security coalition found that the so-called “Axiom” group has been gathering intelligence on an assortment of targets, but in particular firms in telecommunications, security and integrated circuits, as well as government agencies that specifically focus on aerospace, humanitarian and environmental issues. Pro-democracy groups and journalists were also sought.
The report details that the team spent months coordinating remediation efforts which included removing the group's malware, issuing public warnings (on 14 and 28 October) and releasing detection signatures to the wider industry.
Axiom is believed to be behind the PlugX and Gh0St RAT malware, as well as the infamous Poison Ivy remote access Trojan (RAT) and the Hikit backdoor. During the investigation, researchers also uncovered its use of a new malware family called “Zox”, and they detailed how Axiom used tactics (most notably watering-hole attacks) similar to those seen in high-profile attacks such as Operation Snowman, Operation Deputy Dog and Ephemeral Hydra.
Security companies found that Axiom malware hit more than 43,000 systems worldwide in total, 180 of which included Hikit – the actor's data exfiltration tool, which deploys a backdoor Trojan to maintain access to a victim's computer. A map of Hikit infections shows that the actor was, in particular, targeting those in North America and South Asia, although there also appear to be incidents in the UK and central Europe.
The origin of the threat actor is easier to ascertain. The report notes that the cyber espionage group specifically targeted “pro-democracy non-governmental organisations (NGOs) and other groups and individuals that would be perceived as a potential threat to the stability of the Chinese state”, and it goes on to add that Novetta now has “moderate to high confidence that the organisation tasking Axiom is a part of the Chinese Intelligence Apparatus”.
“This belief has been partially confirmed by a recent FBI flash released to Infragard stating the actors are affiliated with the Chinese government,” reads the report, which adds that the group is a “well resourced, disciplined, and sophisticated sub-group of a larger cyber-espionage group that has been directing operations unfettered for over six years.”
Some may see this as a direct link to China's 24-person People's Liberation Army Unit 61398, which most recently attacked three contractors working on Israel's Iron Dome missile defence system to steal 700 files, including those with intellectual property.
In an interview with SCMagazine.com late on Tuesday, Novetta senior technical director Andre Ludwig outlined how Hikit is often used for reconnaissance that verifies whether attackers' previous findings “are still relevant.”
“[Hikit] has technical capabilities that are rather sophisticated, but the telling part of seeing Hikit on the network is that it has been employed where the attacker has tremendous [access], such [as] admin credentials, other user account credentials, and multiple other types of malware deployed within the network,” Ludwig said.
He later added that organisations should use Microsoft's Malicious Software Removal Tool (MSRT), which detects Hikit and several other tools used by Axiom. Furthermore, entities are advised to keep their machines patched and AV signatures updated.
Speaking to SCMagazineUK.com shortly after the report was published, Tenable CEO Ron Gula said that the operation is an example of improving information sharing and collaboration.
“The success of Operation SMN is an example of private industry sharing information and taking proactive measures against a major security threat to benefit the greater good,” he said via email.
“The coalition collected and made available to all participants a very large sample set of malware. Tenable's work with the coalition focused on examining the samples for the detection of remote network backdoors. To date, the coalition has removed Axiom malware from more than 43,000 customer systems, and Tenable's participation means more than 25,000 existing Tenable customers are automatically protected from threats associated with the group.”
F-Secure security adviser Sean Sullivan added in an email to SC: “F-Secure Labs has long been a supporter of collaborative research – we're a small company headquartered in northern Europe – clearly it's better for our customers (and everybody else) when we work with others. ‘Coopetition’ in the security industry is always a win-win. For true research analysts, the real competition is the threat actors.
“This effort was coordinated by Novetta, with a wide array of industry partners. Our role was very similar to everyone else's: we gathered samples and information about the threat and jointly provided analysis and remediation.”
On the same subject, Novetta added that it hopes “others within industry will embrace and adopt a similar approach in the future.”
Meanwhile, Andrew Avanessian, EVP of consultancy and technology services at endpoint security firm Avecto, told SC that while this is a good example of industry collaboration, malware continues to proliferate.
“Malware is endemic online. There are thousands of new strands discovered every day and even though this effort to restrict Axiom's malware should be applauded, it doesn't mean we're all suddenly protected,” he told SC.
“Malware writers are increasingly sophisticated and you will always be two or three steps behind them. Even with the most advanced detective technologies you will always be playing a game of cat and mouse.” He urged IT security managers to eliminate excessive privileges, deploy application whitelisting and sandbox dangerous content.