As targeted Chinese espionage campaigns are disclosed, it’s easy to get caught up in the immediate impact and details with regard to the compromised site or malware samples involved. It’s also simple to discount them as separate endeavors, one-off projects targeting the secrets held so precious by manufacturers, software companies or government officials.
But what if they weren’t one-offs? What if there was a connection between major APT-style intrusions aside from the country of origin?
Security company FireEye believes it has found connections among at least 11 espionage campaigns linked to China over the last two years, connections that suggest a centralized operations organization is supplying the attackers with malware, builder tools, stolen digital certificates and other artifacts.
“We think, based off the data we collected, based off the timing of events and what we believe the data means in terms of the sharing of the tools, we think that can be more reasonably explained by a more formal apparatus that sits underneath the intrusion operators,” said Ned Moran, a senior malware researcher at FireEye.
Moran pointed to a number of clues that distinguish the suppliers from the attackers, most notably, the existence of a builder tool that allows the attackers to quickly create new malware variants. Typically, such builders are created by developers, rather than an attacker skilled in intrusions, Moran said, adding that this aspect of specialization brings efficiency and speed to an operation.
“The reason for producing the builder is so that you could have someone who’s not necessarily a coder simply press and click buttons on a screen to create new malware,” Moran said. “We think that builder is good evidence of the fact there is specialization; there are people who build these tools and people who use these tools.”
Some of the malware tools found in APT attacks, such as the McRAT variant known as Trojan.APT.9002 that exploits the most recent Internet Explorer zero-day vulnerability, are exclusive to these operations and are not available for sale in the underground, unlike the Poison Ivy and Gh0stRAT malware also used among the 11 campaigns. So are the suppliers and attackers part of the same operation, or is it a buyer-seller relationship?
“We don’t know if within the clusters we document if they are buying the tool, or sharing it among themselves, or if there’s a formal apparatus that delivers it,” Moran said. “If you’re in the infantry, you don’t have to buy your M16, they give it to you from the armory. We’re not sure how it works. All we know for sure is that the tool is not available for purchase in the cybercriminal underworld. We can deduce from that, that it’s privately held.”
FireEye proposes three possible answers: A) that this “quartermaster,” as they put it, exists and supports multiple APT campaigns via a shared development and logistics operation focused on cyberespionage; B) that a single attacker group is behind all 11 APT campaigns; or C) that, rather than a centralized operation, the attackers behind the 11 campaigns are merely sharing artifacts among themselves.
Moran thinks there is enough evidence to suggest that a “quartermaster” of sorts is in place supplying artifacts that support these campaigns.
Kurt Baumgartner, senior security researcher with the Global Research and Analysis Team at Kaspersky Lab, said APT groups do share tools and techniques, but relationships between the groups are complex.
“Some of the groups jealously guard custom made components of their attacks, but share lots of other stuff,” Baumgartner said. “This includes research that leads to custom development of offensive components, like rootkit components and exploit code, and kits to crank out backdoors and spearphish attachments. It’s quite possible that individuals move between groups too.”
Moran said FireEye’s suspicions were raised with the emergence of the Sunshop watering hole attacks, reported in May. Analysis of the campaign revealed connections to others targeting high tech companies, financial services institutions, telecommunications companies, and energy and utilities. They all had different techniques, tactics and procedures, FireEye said, but shared a common development infrastructure. They shared portable executable resources, digital certificates, API import tables, compile times and dates, and command and control infrastructure.
FireEye was able to capture 110 unique binaries; 70 of them were APT.9002, and 47 were signed with one of six digital certificates, including certificates stolen from Microsoft and from gaming companies such as MGame, the latter used in the Winnti campaign identified by Kaspersky. The certificates are now either revoked or expired. Moran also said 64 of the 100 samples were packed with almost identical PE resources and share common compile times, the most common being Dec. 19, 2012.
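The overlap analysis described above, clustering binaries by the development artifacts they share (signing certificate, import table, compile timestamp, command-and-control host), is straightforward to reproduce over extracted metadata. The following is an added illustration, not FireEye's tooling or data: every sample record, certificate label, import hash, timestamp and domain is constructed, and the campaign names are placeholders. In a real pipeline the fields would be pulled from the PE files with a parser; here `imphash` simply stands in for the API import table comparison.

```python
"""Cluster malware samples by shared development artifacts.

Hypothetical example illustrating the overlap analysis described in the
article (shared code-signing certificates, import tables, compile times and
C2 infrastructure). All data below is constructed: certificate labels,
import hashes, timestamps and domains are placeholders, not real indicators.
"""
from collections import defaultdict

# Artifact fields compared across samples. 'imphash' stands in for the API
# import table comparison; a real pipeline would compute it from the PE.
ARTIFACT_KEYS = ("cert", "imphash", "compile_time", "c2")

# Constructed sample metadata; campaign names are placeholders.
SAMPLES = [
    {"id": "s1", "campaign": "campaign_A", "family": "APT.9002",
     "cert": "CERT-PLACEHOLDER-1", "imphash": "IMP-1",
     "compile_time": "2012-12-19T08:14:00", "c2": "c2-a.example"},
    {"id": "s2", "campaign": "campaign_A", "family": "APT.9002",
     "cert": None, "imphash": "IMP-1",
     "compile_time": "2013-01-05T11:02:00", "c2": "c2-a.example"},
    {"id": "s3", "campaign": "campaign_B", "family": "APT.9002",
     "cert": "CERT-PLACEHOLDER-1", "imphash": "IMP-2",
     "compile_time": "2012-12-19T08:14:00", "c2": "c2-b.example"},
    {"id": "s4", "campaign": "campaign_C", "family": "PoisonIvy",
     "cert": "CERT-PLACEHOLDER-2", "imphash": "IMP-2",
     "compile_time": "2013-03-01T09:30:00", "c2": "c2-c.example"},
    {"id": "s5", "campaign": "campaign_D", "family": "Gh0st",
     "cert": None, "imphash": "IMP-3",
     "compile_time": "2013-02-14T16:45:00", "c2": "c2-d.example"},
]


def index_artifacts(samples):
    """Map each (field, value) artifact to the set of campaigns it appears in."""
    index = defaultdict(set)
    for s in samples:
        for key in ARTIFACT_KEYS:
            value = s.get(key)
            if value:  # unsigned samples / missing fields carry no evidence
                index[(key, value)].add(s["campaign"])
    return index


def cross_campaign_artifacts(samples):
    """Artifacts seen in more than one campaign: the evidence for shared supply."""
    return {art: camps for art, camps in index_artifacts(samples).items()
            if len(camps) > 1}


def cluster_campaigns(samples):
    """Union-find over campaigns: any shared artifact joins two campaigns.

    Returns a sorted list of sorted campaign tuples (connected components).
    """
    parent = {s["campaign"]: s["campaign"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for camps in cross_campaign_artifacts(samples).values():
        first, *rest = sorted(camps)
        for other in rest:
            union(first, other)

    groups = defaultdict(set)
    for camp in parent:
        groups[find(camp)].add(camp)
    return sorted(tuple(sorted(g)) for g in groups.values())


def link_evidence(samples):
    """For each linked campaign pair, list the artifacts that tie them together."""
    evidence = defaultdict(list)
    for (key, value), camps in cross_campaign_artifacts(samples).items():
        ordered = sorted(camps)
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                evidence[(a, b)].append((key, value))
    return {pair: sorted(arts) for pair, arts in evidence.items()}


if __name__ == "__main__":
    for cluster in cluster_campaigns(SAMPLES):
        print("cluster:", ", ".join(cluster))
    for (a, b), arts in sorted(link_evidence(SAMPLES).items()):
        print(f"{a} <-> {b}: " + "; ".join(f"{k}={v}" for k, v in arts))
```

On the constructed data, campaigns A and B are tied by a shared certificate and an identical compile timestamp, B and C only by an import table, and D stands alone. The evidence list matters more than the cluster itself: a stolen code-signing certificate is a strong link, whereas a single shared import hash is weak, since commodity RATs such as Poison Ivy and Gh0stRAT produce near-identical import tables across unrelated operators. A practitioner would weight artifact types before treating a cluster as one supply chain.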
“We have seen much of this sort of crossover as well. For example, the Winnti stolen certificates have made their way around to several groups and campaigns. We have also seen many other backdoors and exploits being shared between groups,” Baumgartner said. “It’s interesting that these crews are off to the races with the recently publicized CVE-2013-3906, targeting a Windows TIFF handling vulnerability. Multiple groups have been using that one in particular, including Winnti, a likely Indian group behind Operation Hangover, and the Taidoor attackers.”