Two Chinese cyber espionage campaigns are working in tandem in hopes of sniffing out trade secrets from surrounding nations.
Researchers from FireEye outlined information about the two attack groups yesterday in advance of a more comprehensive report.
One of the groups, Moafee, operates out of Guangdong Province in southern China, while the second, DragonOK, works out of Jiangsu Province in eastern China. Both groups are based on the coast and are likely targeting intelligence from countries with interests in the South China Sea, such as Japan and Taiwan, according to FireEye.
Researchers Thoufique Haq, Ned Moran, Mike Scott and Sai Omkar Vashisht said in a post on the company’s blog that Moafee is targeting government and military organizations, while DragonOK appears to be targeting “high-tech and manufacturing companies,” going after trade secrets for economic advantage.
The researchers point out that the two campaigns share several traits, suggesting at least a connection between them, or perhaps a resource both obtain from a third, separate group.
For example, both campaigns rely on spear-phishing emails to trick users into giving them a foothold, then deploy a series of remote administration tools (RATs) and backdoors to keep access to the systems they have compromised.
The two campaigns were also found using the same tools, including the CT/NewCT/NewCT2 backdoors, the Nflog Trojan and the PoisonIvy RAT. Both also used HTRAN, a TCP connection bouncer that relays traffic through intermediate hosts, so that the address a victim sees belongs to a hop in the chain rather than to the operators themselves.
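To make the HTRAN point concrete, here is an added example, not FireEye’s code and not HTRAN itself: a minimal TCP bouncer in Python, with a stand-in “victim” echo server that logs the peer address of every connection the way a firewall or IDS would. The hosts and ports (loopback, OS-chosen) and the `beacon-check-in` payload are constructed assumptions for the demonstration. Talking to the victim directly leaves the operator’s own source address in the log; talking through the relay leaves the relay’s address instead, which is why a C2 address seen in victim-side logs is often only the last hop.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen(host):
    """Bind a TCP listener on an OS-chosen free port (port 0) and return it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, 0))
    sock.listen(5)
    return sock


class TcpBouncer:
    """HTRAN-style relay (illustrative, not the real tool): every connection
    accepted here is forwarded to `target`, so the target only ever sees a
    connection originating from this host."""

    def __init__(self, target, host="127.0.0.1"):
        self.target = target
        self.outbound_addrs = []          # (ip, port) the target sees, per session
        self._listener = _listen(host)
        self.addr = self._listener.getsockname()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._listener.accept()
            except OSError:
                return                    # listener closed
            try:
                upstream = socket.create_connection(self.target)
            except OSError:
                client.close()
                continue
            self.outbound_addrs.append(upstream.getsockname())
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self._listener.close()


class VictimEchoServer:
    """Stand-in for a host inside the targeted network: records the peer
    address of each connection (what its logs would show) and echoes input."""

    def __init__(self, host="127.0.0.1"):
        self.peers_seen = []
        self._listener = _listen(host)
        self.addr = self._listener.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self._listener.accept()
            except OSError:
                return
            self.peers_seen.append(peer)
            # Pumping a socket into itself is a half-close-aware echo.
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    def close(self):
        self._listener.close()


def _send_and_read(addr, payload):
    """Connect to addr, send payload, half-close, return (our_src_addr, reply)."""
    with socket.create_connection(addr) as sock:
        src = sock.getsockname()
        sock.sendall(payload)
        sock.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                return src, reply
            reply += chunk


def demo(payload=b"beacon-check-in"):   # constructed sample payload
    """Contact the victim directly, then through the bouncer, and report what
    the victim logged as the peer address in each case."""
    victim = VictimEchoServer()
    relay = TcpBouncer(victim.addr)
    try:
        direct_src, direct_reply = _send_and_read(victim.addr, payload)
        relay_src, relayed_reply = _send_and_read(relay.addr, payload)
    finally:
        relay.close()
        victim.close()
    return {
        "direct_reply": direct_reply,
        "relayed_reply": relayed_reply,
        "operator_src_direct": direct_src,
        "operator_src_to_relay": relay_src,
        "relay_src_to_victim": relay.outbound_addrs[0],
        "victim_logged": list(victim.peers_seen),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because everything runs on loopback, the two addresses differ only by port; in a real deployment the relay sits on a separate compromised host, so the IP the victim logs is that host’s, and chaining several bouncers hides the origin behind several such hops.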
A third group was also found using the same set of backdoors and RATs, but FireEye stopped short of outright connecting it to Moafee and DragonOK.
“Both groups, while operating in distinctly different regions, either 1) collaborate, 2) receive the same training, 3) share a common toolkit supply chain, or 4) some combination of these scenarios,” the researchers wrote Thursday, likening it almost to a “production line” chain of attacks.
FireEye’s report didn’t specify what kinds of information the groups may have made off with so far, but it did stress that the region’s “rich natural resources,” in this case intelligence on the oil and natural gas reserves of the South China Sea, were the focus.
A similar group of Chinese hackers, known as APT18, was ultimately connected to last month’s Community Health Systems breach. While that group, somewhat like Moafee and DragonOK, is usually associated with pilfering data from the aerospace, defense and engineering sectors, in this case it stole information on medical technology and pharmaceutical manufacturing processes.