Ten cyber-security companies have cooperated to pool intelligence and combat Chinese APT actors.
Previous joint efforts have focused on cyber criminals, but the security heavyweights – who include Microsoft, Cisco, Symantec and FireEye – have targeted the Axiom group of Chinese state hackers and the malware tools they use.
The results of their ‘Operation SMN’ counter-offensive are detailed in a report released on Tuesday by cyber analytics firm Novetta, which led the group.
The report says Axiom has operated from within China for at least four years, conducting “sophisticated cyber espionage operations” in support of China's strategic national interests, and targeting global Fortune 500 companies, journalists, environmental groups and public sector organisations worldwide.
The report ties the Axiom group to other APT campaigns identified by researchers in the past, including Operation Aurora, HiddenLynx, DeputyDog and Ephemeral Hydra.
But it says: “While these actors overlap, we are unable to conclusively associate them as a single operational group at this time.”
The range of APT group names underlines the until-now fragmented nature of individual security firms' investigations. The report confirms: “Because the initial research and analysis of the incidents was insular, details were often poorly shared amongst the security industry which generated confusion and debate.”
In response, Operation SMN is one of the first products of the Co-ordinated Malware Eradication (CME) scheme, launched by Microsoft to bring cyber-security and other organisations together “to change the game against malware”.
Novetta CEO Peter LaMontagne described it as “akin to an ‘open source software’ approach for cyber-threat mitigation – the adversaries share and retool their malware, we need to do the same on the defensive side”.
He added: “We felt it was important to take action proactively in co-ordination with our coalition security industry partners. The cumulative effect of such co-ordinated approaches could mitigate some of the threat activity that plagues the joint customer base of this coalition.”
The firms involved are Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Symantec, Tenable, ThreatConnect, ThreatTrack Security, Volexity and a number of other threat researchers who wish to remain anonymous.
In an email to SCMagazineUK.com, Stephen Doherty of Symantec's response team confirmed: “We have come together to share intelligence and roll out more efficient protections which have in turn disrupted sophisticated hacking organisations, such as the Chinese-based cyber-espionage group Hidden Lynx.
“This is the first time a significant effort to disrupt the activities of an APT has been made, and we are excited to be involved. Through effective collaboration, we can help ensure that target organisations will be better protected in the future.”
But Tim Holman, president of the ISSA-UK security professionals association and CEO of security firm 2-sec, called for Operation SMN's findings to be shared more widely across the security community.
He said in an email to SCMagazineUK.com: “Coalition, or cartel? Anti-malware vendors highly prize their research and signature sets, after all, it's what keeps them in business.
“Rather than sharing signatures with the community, I'd suspect that signatures would be shared with key collaborators that can help improve profits, rather than reduce the security risk of those organisations who perhaps can't afford the top-end technology these guys produce.”
According to the Operation SMN report, Axiom's victims have included:
* Journalists and media organisations in the US, Europe and Japan.
* US and Japanese government organisations responsible for HR management.
* South East Asian law enforcement agencies and Ministries of Justice.
* Public and private sector organisations focused on environmental protection, energy and climate policy issues and green technology.
* International law firms.
* A Ministry of Finance and an identified regional East Asian Finance Supervisory Commission.
The report also says Axiom used a rogues' gallery of malware tools, including Poison Ivy, Gh0st Rat, PlugX, ZXShell, DeputyDog/Fexel and Derusbi, mostly delivered via the Hikit family.
Hikit was the main initial focus of Operation SMN, and Symantec says in a 14 October blog on the initiative that most Hikit infections have been in the US (33 percent) and Japan (27 percent), although one percent of victims were in the UK.
Doherty told SC: “Attackers using Hikit have focused against organisations associated with the government, technology, research, defence and aerospace sectors among other targets.”
Symantec said Hikit has been used by at least two Chinese-based APT groups – Hidden Lynx/Aurora and Pupa/Deep Panda. It describes Hidden Lynx as a highly capable and well-resourced group of 50-100 attackers in China, capable of carrying out hundreds of simultaneous attacks against diverse targets.
The group appears to offer ‘hackers for hire’-type services, said Symantec, “mounting attacks on demand as directed by its paymasters”. Hidden Lynx used Hikit during its compromise of Bit9's trusted file-signing infrastructure in 2012, which targeted US companies using Bit9 software.
The Operation SMN firms have co-ordinated the release of security products tackling the Axiom threat, all on 14 October.
They include the October release of Microsoft's MSRT malware removal tool, which remediates against Hikit and related malware such as Mdmbot, Moudoor, PlugX, Sensode and Derusbi.
The coalition group plan to release a more comprehensive technical report on Axiom by 28 October.
This article was first published in the SC UK Magazine on 15th October 2014