Novetta Solutions has been leading the investigation into the threat actor for the last six years, and consulted with Bit9, Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Symantec, Tenable, ThreatConnect, ThreatTrack Security, and Volexity during this process – as documented by SC two weeks ago.
However, in a new report released on Tuesday, the firm went into more detail – specifically on the likelihood that the group is part of Chinese intelligence and that its use of malware varies from the generic to the tailored and custom – with the latter's effect sometimes measurable ‘in years’.
According to the 47-page ‘Operation SMN: Axiom Threat Actor Group Report’ (PDF), the security coalition found that the so-called “Axiom” group has been gathering intelligence on an assortment of targets, but in particular firms in telecommunications, security and integrated circuits, as well as government agencies that specifically focus on aerospace, humanitarian and environmental issues. Pro-democracy groups and journalists were also sought.
The report details that the team spent months coordinating remediation efforts which included removing the group's malware, issuing public warnings (on 14 and 28 October) and releasing detection signatures to the wider industry.
Axiom is believed to be behind the PlugX and Gh0st RAT malware, as well as the infamous Poison Ivy remote access Trojan (RAT) and the Hikit backdoor. During the investigation, researchers also uncovered its use of a new malware family called “Zox”, and detailed how Axiom used tactics similar to those seen in high-profile attacks such as Operation Snowman, Operation Deputy Dog and Ephemeral Hydra (most notably watering-hole attacks).
Security companies found that Axiom malware hit more than 43,000 systems worldwide in total, 180 of which were infected with Hikit – the actor's data exfiltration tool, which deploys a backdoor Trojan to maintain access to a victim's computer. A map of Hikit infections shows that the actor was, in particular, targeting North America and South Asia, although there also appear to be incidents in the UK and central Europe.
The origin of the threat actor is easier to ascertain. The report notes that the cyber espionage group specifically targeted “pro-democracy non-governmental organisations (NGOs) and other groups and individuals that would be perceived as a potential threat to the stability of the Chinese state”, and it goes on to add that Novetta now has “moderate to high confidence that the organisation tasking Axiom is a part of the Chinese Intelligence Apparatus”.
“This belief has been partially confirmed by a recent FBI flash released to Infragard stating the actors are affiliated with the Chinese government,” reads the report, which adds that the group is a “well resourced, disciplined, and sophisticated sub-group of a larger cyber-espionage group that has been directing operations unfettered for over six years.”
Some may see this as a direct link to China's 24-person People's Liberation Army Unit 61398, which most recently attacked three contractors working on Israel's Iron Dome missile defence system to steal 700 files, including those with intellectual property.