Study: Chinese Hackers Are Savvy, Surgical

A clandestine group of sophisticated Chinese hackers has infected scores of sites on the Web and stolen documents from industrial and government organizations with surgical precision, according to a Dell SecureWorks study released last week.

Dubbed “Threat Group 3390,” the cybergang has used infected websites of some 100 organizations across the globe — in Iran, Iraq, Zambia, Italy, Afghanistan, Qatar and Ecuador, as well as in other parts of Europe, South America, the Middle East and Africa — to trap their targets.

The group placed code on each site that redirected visitors to a malicious site, according to the report. A site visitor who had an IP address that was of interest to the hackers would be served an exploit kit upon returning to the site.

To avoid detection, the hackers did not always use the compromised sites to serve code, the report notes. They would stop using a specific site altogether for a time in order to stay under the radar.

“All around the globe, they found websites that were related to topics of interest to their targets,” said Aaron Hackworth, SecureWorks Counter Threat Unit special operations team leader.

“Then they would find vulnerabilities in those websites and modify them to either directly deliver an exploit or redirect visitors to a website where the exploit could be delivered,” he told TechNewsWorld.
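The selective serving described above means a single fetch of a compromised page can look clean, so defenders of a site compare each page against a known-good copy instead. As an added example (not from the SecureWorks report or this article), the check below reports references to other hosts that appear in a page but were absent from its baseline; `news.example` and `cdn-stats.invalid` are constructed sample hosts.

```python
"""Baseline check for injected redirect code on a site's own pages.

Added example, not from the report: the redirect constructs below are
the common ways a page sends a visitor elsewhere (external script or
iframe loader, meta refresh, location assignment). Diffing against a
known-good baseline catches an injected loader even when the malicious
server only responds to visitors from IP ranges it cares about.
"""
import re
from urllib.parse import urlparse

# Constructs that load code from, or redirect to, another host.
_PATTERNS = {
    "script_src": re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I),
    "iframe_src": re.compile(r"<iframe[^>]+src=[\"']([^\"']+)[\"']", re.I),
    "meta_refresh": re.compile(
        r"<meta[^>]+http-equiv=[\"']refresh[\"'][^>]*url=([^\"'>\s]+)", re.I),
    "js_location": re.compile(
        r"(?:window|document)\.location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I),
}


def external_references(html: str, site_host: str) -> set[tuple[str, str]]:
    """Return (kind, host) pairs for every reference that leaves site_host."""
    found = set()
    for kind, pat in _PATTERNS.items():
        for target in pat.findall(html):
            host = urlparse(target).hostname
            if host and host != site_host:
                found.add((kind, host))
    return found


def new_external_references(baseline_html: str, current_html: str, site_host: str):
    """References present in the current page but absent from the baseline."""
    return (external_references(current_html, site_host)
            - external_references(baseline_html, site_host))


# Constructed sample pages: a clean baseline and a copy with an injected loader.
BASELINE = """<html><head><title>Regional news</title>
<script src="https://news.example/js/site.js"></script></head>
<body><p>Archive</p></body></html>"""
TAMPERED = BASELINE.replace(
    "</body>",
    '<script src="https://cdn-stats.invalid/c.js"></script>'
    '<iframe src="https://cdn-stats.invalid/f.html" width="0" height="0"></iframe></body>')

if __name__ == "__main__":
    for kind, host in sorted(new_external_references(BASELINE, TAMPERED, "news.example")):
        print(f"injected {kind} -> {host}")
```

Run the comparison from more than one network vantage point and keep the baseline itself in a store the web server cannot write to, otherwise a compromise of the server also rewrites the baseline.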

China Connection

Several factors support the assertion that TG3390 is a Chinese operation, the report notes. One of the group’s favorite tools is PlugX, which has a server-side component written exclusively in Mandarin Chinese.

The gang also uses the Chinese Baidu search engine for reconnaissance.

In addition, a primary target of the group has been the Uyghur cultural website. The Uyghurs — a Muslim minority group located primarily in the Xinjiang region of China — have been in conflict with the Chinese government. Targeting the Uyghurs is not likely to be a priority for threat groups outside of China.

What’s more, the cyberposse was active between 04:00 and 09:00 UTC, or 12:00 to 17:00 local time in China, which maps to the second half of the workday there.

“Any one of those things by itself wouldn’t have been enough for us to say we have a moderate degree of confidence in the China connection, but in aggregate, we can say it’s an active group operating out of China,” Hackworth said.

“As far as who is controlling them, who’s pulling their strings, we can’t determine that,” he added.

Malware-Averse Behavior

Once TG3390 penetrates a network, it spends a good deal of time getting comfortable with its surroundings before actually stealing any data.

“Only after preparing for eviction and orienting themselves with a network would they start looking for the data they were targeting,” Hackworth said.

A common trait TG3390 shares with other savvy cybergangs is an aversion to malware.

“A lot of these more sophisticated groups will use malware initially but as quickly as they can, they get rid of the malware and use stolen credentials, Web shells or things that are much less likely to be detected by endpoint security controls,” Hackworth explained.

“At some point, defenders will detect malware and remove it,” he added. “They’re less likely to detect folks using methods that don’t show up on traditional endpoint security solutions.”

After thorough reconnaissance and foundation preparation, TG3390 sets about stealing data, the study notes. The Web robbers focus on a particular project or projects a target organization is working on. Then they steal every related file.

“They are more surgical than some of the other groups we’ve observed in the past. There are groups that come in and just take everything and hope they can get some value out of it,” Hackworth said.

“That level of surgical targeting shows a level of maturity and discipline in this group that has not been seen in other groups,” he pointed out.

Russians Ransack Pentagon

The Chinese aren’t alone in engaging in data theft, as the Pentagon highlighted last week, when it blamed Russian hackers for ransacking the unclassified mail system of the Joint Chiefs of Staff.

The breach was detected about July 25, according to a report in The Washington Post.

The Pentagon immediately disabled the email system, which is used by about 4,000 military and civilian personnel, in an attempt to contain the damage, the paper said.

The attack was similar to one last fall that enabled hackers to rifle through the unclassified email systems at the White House and the State Department. Those intrusions also were blamed on Russians.

In this latest intrusion, which was launched through a spearphishing campaign that enticed targets to click on infected links in emails, only unclassified emails were exposed, and the damage did not appear to be significant, Pentagon officials said.

The Joint Chiefs’ classified networks were unaffected, they noted.

Alarming Puzzle

“The Russians clearly knew what they were looking for, which implies this was a precision attack,” said Richard Blech, CEO of Secure Channels.

“The hackers gathered highly sensitive data in a very short time,” he told TechNewsWorld. “Considering the high-level target, this is just a small piece of a bigger puzzle that should be leaving everyone alarmed.”

While the public should be relieved that the classified systems weren’t compromised, there is still room for concern, observed Tellagraff CEO Mark Graff, former CISO at Nasdaq and Lawrence Livermore Labs.

“As someone who has used classified systems, you can’t be sure that there is no classified material on the unclassified network,” he told TechNewsWorld. “It’s very easy to bleed over and have classified material put on the unclassified system.”

Moreover, even unclassified material can be valuable to the intruders.

“If you can get in and rummage around in an email system, you can use that information for more spear phishing,” Graff said.

“You can also get information on staffing dispositions, logistics, personnel and political intrigue — competition among groups in the Pentagon and the White House,” he added.

Breach Diary

  • Aug. 3. Public statements issued by organizations in response to data breaches and other Internet-related issues rose by 19.6 percent in the second quarter compared to the first quarter of the year, CrisisResponsePro reports. At the current release rate, close to 300 statements could be issued by year’s end.
  • Aug. 3. Mount Desert Island, Maine, a town of some 10,000 people, adopts data breach response policy.
  • Aug. 3. Siouxland Pain Clinic in South Dakota warns an unspecified number of patients that their medical information was compromised in a data breach earlier this year. There is no evidence that any of the exposed data was misused, an attorney for the clinic says.
  • Aug. 4. Two lawsuits filed in federal district court in Fort Wayne, Indiana, against medical software company Medical Informatics Engineering over a data breach that placed at risk the private information of some 3.9 million people.
  • Aug. 4. U.S. Department of Labor’s Inspector General releases report critical of agency’s cybersecurity. DoL had serious control deficiencies over Personal Identity Verification cards used to access its systems, lacked a feature to lock out a person after multiple unsuccessful login attempts, and had lax monitoring of contractors and other outside groups who had access to the department’s systems, IG noted.
  • Aug. 5. Google announces it will push out Over The Air security updates for its Nexus phones on a monthly basis.
  • Aug. 5. U.S. Appeals Court three-judge panel in Virginia rules a warrant is required to obtain location information generated by the operation of a cellphone or other mobile device.
  • Aug. 6. Russian hackers launched a sophisticated cyberattack on the Pentagon’s Joint Chiefs of Staff unclassified mail system, NBC News reports. The attack occurred around July 25 and affected some 4,000 military and civilian personnel.
  • Aug. 6. Electronic Frontier Foundation releases Privacy Badger 1.0, a browser extension that blocks data collection from ads and other kinds of Web-surfing trackers.
  • Aug. 6. Mozilla Foundation patches a Firefox browser vulnerability being exploited to search a user’s computer for sensitive files and upload them to a server in Ukraine.
  • Aug. 6. Check Point reveals Certifi-gate vulnerability in virtually all Android devices, which allows malicious applications to gain unrestricted access to a device silently, elevate their privileges to allow access to user data, and perform a variety of actions usually available only to a device owner.
  • Aug. 7. Online airline reservation system Sabre and American Airlines have suffered data breaches by same hackers that stole data from medical service provider Anthem and the U.S. Office of Personnel Management, Bloomberg reports.

Upcoming Security Events

  • Aug. 19. How to Stay Off of the Data Breach Chopping Block. 2 p.m. ET. Webinar sponsored by ID Experts. Free with registration.
  • Aug. 24-25. Gartner Security & Risk Management Summit. Hilton Hotel, 488 George St., Sydney, Australia. Registration: prior to June 27, AU$2,475; after June 26, AU$2,875; public sector, AU$2,375.
  • Aug. 26. DDoS Readiness, Response, and Impact in the Financial Services Industry. 8 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Sept. 12. B-Sides Augusta. GRU Harrison Education Commons Building, 1301 R.A. Dent Blvd., Augusta, Georgia. Free.
  • Sept. 12-21. SANS Network Security 2015. Caesars Palace, Las Vegas, Nevada. Long Courses: $3,145 – $6,295. Short Courses: $1,150 – $2,100.
  • Sept. 16. ISMG Data Breach Prevention and Response Summit. The Westin San Francisco Airport, 1 Old Bayshore Highway, Millbrae, California. Registration: $695.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 18. B-Sides Cape Breton. The Verschuren Centre, Cape Breton University, Sydney, Nova Scotia, Canada. Free.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.
  • Oct. 2-3. B-Sides Ottawa. RA Centre, 2451 Riverside Dr., Ottawa, Canada. Free with registration.
  • Oct. 6. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Sharonville, Ohio. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 9-11. B-Sides Warsaw. Pastwomiasto, Anders 29, Warsaw, Poland. Free with registration.
  • Oct. 12-14. FireEye Cyber Defense Summit. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: before Sept. 19, $1,125; after Sept. 18, $1,500.
  • Oct. 15. SecureWorld Denver. The Cable Center, 2000 Buchtel Blvd., Denver, Colorado. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 19-21. CSX Cybersecurity Nexus Conference. Marriott Wardman Park, 2660 Woodley Rd. NW, Washington, D.C. Registration: before Aug. 26, $1,395 (member), $1,595 (nonmember); before Oct. 14, $1,595 (member), $1,795 (nonmember); after Oct. 14, $1,795 (member), $1,995 (nonmember).
  • Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway, Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 4. Bay Area SecureWorld. San Jose Marriott, 301 South Market St., San Jose, California. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
