Cyber Espionage Campaign Reuses Code from China's APT1

US, Canadian organizations in crosshairs of group with apparent links to a Chinese military hacking unit that wreaked havoc several years ago.

Several US organizations appear to be victims of a widespread data reconnaissance campaign involving malware last associated with Comment Crew aka APT1, a Chinese military-linked group that is believed responsible for stealing data from dozens of American companies between 2006 and 2010.

The attack group behind the latest campaign has carried out at least five separate waves of attacks against organizations in various sectors, the latest in June.

Most of the targets have been in South Korea. But security vendor McAfee, which has been tracking the new threat, says its telemetry suggests that multiple organizations within the financial, healthcare communications, and government sectors in the US and Canada have been hit as well.

McAfee has christened the new campaign Oceansalt based on similarities between its malware and the so-called 'Seasalt' malware associated with the Comment Crew/APT1. McAfee's analysis shows that at least 21% of the code is unique to Seasalt and serves a reconnaissance and control function.
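The "21% of the code" figure is a code-overlap statistic, and such numbers depend heavily on how the two samples are normalised and which sample is used as the denominator. The following Python script is an added illustration of one common way analysts compute function-level reuse between two binaries; it is not McAfee's methodology, and the "disassembly" it works on is constructed for the example rather than taken from Oceansalt or Seasalt. The function names, instruction listings and hex addresses are all made up.

```python
"""Toy code-reuse measurement between two malware samples.

Added illustration, not McAfee's methodology. Each sample is modelled as a
dictionary of disassembled functions. Every function body is normalised
(lower-cased, hex addresses and immediates replaced by a placeholder so that
relocation alone does not hide reuse), hashed, and the hashes are compared.
"""
import hashlib
import re
from typing import Dict, List

# Constructed sample "disassembly" for the example; not real Oceansalt/Seasalt code.
SAMPLE_A: Dict[str, List[str]] = {
    "collect_hostname": ["push ebp", "mov ebp, esp", "call 0x401000",
                         "mov [0x403000], eax", "pop ebp", "ret"],
    "send_report":      ["push 0x10", "push esi", "call 0x402000",
                         "test eax, eax", "jz 0x401234", "ret"],
    "encode_buffer":    ["xor al, 0x5a", "inc esi", "dec ecx", "jnz 0x401100", "ret"],
    "dispatch_cmd":     ["cmp eax, 0x3", "je 0x401400", "cmp eax, 0x4",
                         "je 0x401500", "ret"],
}
SAMPLE_B: Dict[str, List[str]] = {
    # Same logic as SAMPLE_A's functions but linked at a different base address.
    "collect_hostname": ["push ebp", "mov ebp, esp", "call 0x501000",
                         "mov [0x503000], eax", "pop ebp", "ret"],
    "send_report":      ["push 0x10", "push esi", "call 0x502000",
                         "test eax, eax", "jz 0x501234", "ret"],
    "parse_config":     ["mov esi, 0x504000", "lodsb", "test al, al",
                         "jnz 0x501300", "ret"],
}

HEX_LITERAL = re.compile(r"0x[0-9a-fA-F]+")


def normalize(insns: List[str]) -> str:
    """Canonical text for a function: lower-case, hex numbers replaced by IMM."""
    return "\n".join(HEX_LITERAL.sub("IMM", i.strip().lower()) for i in insns)


def fingerprint(sample: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each function name to the SHA-256 of its normalised body."""
    return {name: hashlib.sha256(normalize(body).encode()).hexdigest()
            for name, body in sample.items()}


def shared_functions(a: Dict[str, List[str]], b: Dict[str, List[str]]) -> List[str]:
    """Names of a's functions whose normalised body also occurs somewhere in b."""
    hashes_b = set(fingerprint(b).values())
    return sorted(name for name, h in fingerprint(a).items() if h in hashes_b)


def overlap_ratio(a: Dict[str, List[str]], b: Dict[str, List[str]]) -> float:
    """Fraction of a's functions that are reused in b (denominator is a)."""
    if not a:
        return 0.0
    return len(shared_functions(a, b)) / len(a)


if __name__ == "__main__":
    print("shared:", shared_functions(SAMPLE_A, SAMPLE_B))
    print(f"A reused in B: {overlap_ratio(SAMPLE_A, SAMPLE_B):.0%}")
    print(f"B reused in A: {overlap_ratio(SAMPLE_B, SAMPLE_A):.0%}")
```

Note that the two ratios differ (two of A's four functions versus two of B's three), which is why a reuse percentage is only meaningful together with its denominator. Real pipelines also use fuzzier measures (basic-block n-grams, control-flow graph matching) so that small edits, such as the added encoding routine the article describes, do not hide the shared ancestry.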

The security vendor says it has been unable to determine how Oceansalt might have obtained access to Seasalt's source code. There's no evidence to suggest that the code was leaked or is available through Dark Web channels. That suggests that the Oceansalt and Comment Crew actors have some sort of a code-sharing arrangement, or that the former has privately gained access to source code from someone belonging to the original Comment Crew.

A third possibility, McAfee says, is that another actor is conducting a false flag operation to make it appear as if the Comment Crew has resurfaced after dropping out of sight about five years ago, following a 2013 Mandiant (now FireEye) exposé on the group. In its exhaustive report, released along with some 3,000 IoCs, Mandiant had linked Comment Crew, or APT1, directly to a covert cyber operation of China's People's Liberation Army called Unit 61398. At the time, the security vendor estimated that APT1 had systematically stolen hundreds of terabytes of data from 141 organizations across 20 industries.

McAfee this week stopped short of directly describing Oceansalt as being either China-sponsored or a reincarnation of Comment Crew/APT1. "While we can't confirm this is nation state, this resembles nation-state capabilities," says Raj Samani, chief scientist and Fellow at McAfee.

"[It suggests] that all enterprises are in the line of fire of nation states looking to promote and push their national strategic objectives at the cost of each of us," he says.

Tiny But Mighty Malware

McAfee this week described Oceansalt as malware that is harder to detect than other malicious code because of its minimal 76KB footprint on disk. Oceansalt does not appear to be simply a recompilation of Seasalt but more of an evolution of the original malware, based on certain differences between the two implants.

Oceansalt, for instance, uses an encoding and decoding mechanism before sending data to the control server — a feature that was not present in the original malware. Similarly, the addresses for the control servers are hardcoded in Oceansalt whereas Seasalt parsed the data from its binary, McAfee said in its report.

Oceansalt is designed to capture the IP address, computer name, the filepath of the implant, and other system and process details on an infected system and send them to an external server. The malware can be used to delete and write files on disk, open and terminate processes, create, operate and close a reverse shell, and execute other remote commands. Like a lot of malicious software these days, the malware is being distributed via spearphishing emails with Excel and Word attachments.

McAfee says its research shows that the implant itself is a first-stage component that can be used to download other malware components on an infected machine. Data from the control servers that are being used in the campaign shows infected machines in the United States, Canada, Costa Rica, and the Philippines.

Mysterious Mission

The group behind Oceansalt has used multiple versions of the malware in the five waves of attacks it has launched so far. The first wave targeted higher-education institutions in South Korea, the second went after public infrastructure projects in the country, and the third was directed at a government fund operated by South Korea's export and import bank. Subsequent attacks have targeted what McAfee describes as a relatively limited number of organizations outside South Korea.

Samani says McAfee is not entirely sure of Oceansalt's motivations. "But [it] appears to be first stage reconnaissance to gain a foothold in compromised organizations," he says.

The new campaign is further evidence of the recently heightened threat that many enterprises face from threat groups that are, or most likely are, state-sponsored.

Many of the groups and campaigns are China-based, according to some security vendors. Earlier this month, for instance, CrowdStrike released a report summarizing its analysis of threat hunting data between January and June this year. The data showed that of the 70 or so intrusions where CrowdStrike was able to actually identify the threat actor, about 40 were likely China-based.

A Feb 2018 report by the U.S. Director of National Intelligence identified several other nations as backing espionage and other malicious cyber activity targeted at US companies. Among them were Russia, Iran, and North Korea.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
