Attacks/Breaches

10/18/2018
05:00 PM

Cyber Espionage Campaign Reuses Code from China's APT1

US, Canadian organizations in crosshairs of group with apparent links to a Chinese military hacking unit that wreaked havoc several years ago.

Several US organizations appear to be victims of a widespread data reconnaissance campaign involving malware last associated with Comment Crew aka APT1, a Chinese military-linked group that is believed responsible for stealing data from dozens of American companies between 2006 and 2010.

The attack group behind the latest campaign has carried out at least five separate waves of attacks against organizations in various sectors, the latest in June.

Most of the targets have been in South Korea. But security vendor McAfee, which has been tracking the new threat, says its telemetry suggests that multiple organizations within the financial, healthcare, communications, and government sectors in the US and Canada have been hit as well.

McAfee has christened the new campaign Oceansalt based on similarities between its malware and the so-called 'Seasalt' malware associated with the Comment Crew/APT1. McAfee's analysis shows that at least 21% of the code is unique to Seasalt and serves a reconnaissance and control function.

The security vendor says it has been unable to determine how Oceansalt might have obtained access to Seasalt's source code. There's no evidence to suggest that the code was leaked or is available through Dark Web channels. That suggests that the Oceansalt and Comment Crew actors have some sort of a code-sharing arrangement, or that the former has privately gained access to source code from someone belonging to the original Comment Crew.

A third possibility, McAfee says, is that another actor is conducting a false flag operation to make it appear that the Comment Crew has resurfaced after dropping out of sight about five years ago, following a 2013 Mandiant (now FireEye) exposé on the group. In its exhaustive report, released along with some 3,000 IoCs, Mandiant had linked Comment Crew, or APT1, directly to a covert cyber operation of China's People's Liberation Army called Unit 61398. At the time, the security vendor estimated that APT1 had systematically stolen hundreds of terabytes of data from 141 organizations across 20 industries.

McAfee this week stopped short of directly describing Oceansalt as being either China-sponsored or a reincarnation of Comment Crew/APT1. "While we can't confirm this is nation state, this resembles nation-state capabilities," says Raj Samani, chief scientist and Fellow at McAfee.

"[It suggests] that all enterprises are in the line of fire of nation states looking to promote and push their national strategic objectives at the cost of each of us," he says.

Tiny But Mighty Malware

McAfee this week described Oceansalt as malware that is harder to detect than other malicious code because of its minimal 76KB footprint on disk. Oceansalt does not appear to be simply a recompilation of Seasalt but rather an evolution of the original malware, judging by certain differences between the two implants.

Oceansalt, for instance, uses an encoding and decoding mechanism before sending data to the control server — a feature that was not present in the original malware. Similarly, the addresses for the control servers are hardcoded in Oceansalt whereas Seasalt parsed the data from its binary, McAfee said in its report.

Oceansalt is designed to capture the IP address, computer name, the file path of the implant, and other system and process details on an infected system and send them to an external server. The malware can be used to delete and write files on disk, open and terminate processes, create, operate, and close a reverse shell, and execute other remote commands. Like a lot of malicious software these days, it is being distributed via spear-phishing emails with Excel and Word attachments.

McAfee says its research shows that the implant itself is a first-stage component that can be used to download other malware components on an infected machine. Data from the control servers that are being used in the campaign shows infected machines in the United States, Canada, Costa Rica, and the Philippines.

Mysterious Mission

The group behind Oceansalt has used multiple versions of the malware in the five waves of attacks it has launched so far. The first wave targeted higher education institutions in South Korea, the second went after public infrastructure projects in the country, and the third was directed at a government fund operated by South Korea's export-import bank. Subsequent attacks have targeted what McAfee describes as a relatively limited number of organizations outside South Korea.

Samani says McAfee is not entirely sure of Oceansalt's motivations. "But [it] appears to be first stage reconnaissance to gain a foothold in compromised organizations," he says.

The new campaign is further evidence of the recently heightened threat that many enterprises face from threat groups that are, or most likely are, state-sponsored.

Many of the groups and campaigns are China-based, according to some security vendors. Earlier this month, for instance, CrowdStrike released a report summarizing its analysis of threat hunting data between January and June this year. The data showed that of the 70 or so intrusions in which CrowdStrike was able to identify the threat actor, about 40 were likely China-based.

A February 2018 report by the U.S. Director of National Intelligence identified several other nations as backing espionage and other malicious cyber activity targeted at US companies. Among them were Russia, Iran, and North Korea.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
