
Surely we can find, and stop, high-tech spies

It’s rumored that the U.S. intelligence community has commissioned The Eagles to rewrite some of their famous lyrics to serve as a deterrent to Russia and China. The hope is that this new song will stop the apparently unabated espionage activities occurring in the National Capital Region, known as the NCR. It’s called “You Can’t Hide Your Spyin’ Eyes.”

BY MORGAN WRIGHT

Concerns about enhanced technical espionage have circulated for a long time. A very provocative technology, currently being used by law enforcement and our military, is a cell-site simulator. Known as an IMSI-catcher, or commercially as a Stingray, it’s a box about the size of an oversized pair of sneakers.


IMSI stands for International Mobile Subscriber Identity. This is how the Global System for Mobile Communications (GSM) finds you, regardless of country, and delivers a call to you or allows you to make one to a destination of your choice. Several reports surfaced in 2017 that showed the Department of Homeland Security was worried about IMSI catchers. 


In a Nov. 17, 2017, letter, Sen. Ron Wyden (D-Ore.) asked the DHS National Protection and Programs Directorate if there was any evidence of foreign IMSI catchers operating in the National Capital Region. A pilot study had been conducted from January to November of the same year. The short answer was yes. The longer, typical government response was:

“The Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) has observed anomalous activity in the National Capital Region (NCR) that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers. NPPD has not validated or attributed such activity to specific entities or devices. This information was reported to our Federal partners at the time it was observed.”

Now that it’s been established that nefarious electronic hijinks abound in the NCR, surely there must be a way to find it and stop it. Right? The short answer is no. The government answer is even more terrifying:

“NPPD is not aware of any current DHS technical capability to detect IMSI catchers. To support such a capability, DHS would require funding to procure, deploy, operate and maintain the capability, which includes the cost of hardware, software, and labor.”

The previous statement might make you think this is a newly discovered problem of which DHS is just becoming aware. But our Canadian neighbors found the same activity near their Parliament in 2017. In 2014, the Harvard Journal of Law and Technology said that “Hostile foreign intelligence services can and, almost certainly, are using the technology in this country for espionage.”

About two weeks ago, the Senate passed a spending bill that included language directing the Pentagon to divulge the use of IMSI catchers near U.S. bases and facilities. It’s not the first time the use of electronics has caused security concerns. A 20-year-old Australian student discovered the location of several military bases overseas by simply looking at the heatmap posted by Strava of running routes that had been shared.

You’d have to go back almost another 20 years to find when the threat of IMSI catchers became a real issue. The notorious hacker Kevin Mitnick was captured in 1996 using the same technology DHS is worried about in 2018. The hacking victim who helped the FBI track Mitnick down — Tsutomu Shimomura — was very well acquainted with the technology.

“Later that night, the FBI radio surveillance team from Quantico, Virginia, arrived at the Sprint cellular telephone switch office. The team talked to me a little about the technology they had toted along in the station wagon, especially something called a cell-site simulator, which was packed in a large travel case. The simulator was a technician’s device normally used for testing cell phones, but it could also be used to page Mitnick’s cell phone without ringing it, as long as he had the phone turned on but not in use. The phone would then act as a transmitter that they could home in on with a Triggerfish cellular radio direction-finding system that they were using.”

This wasn’t Shimomura’s first brush with cell phones. In 1993, in front of a congressional oversight committee, he showed how easy it was to use a software hack to listen in on the calls of nearby cellular phones. The problem isn’t new. In fact, it’s quite old.

If you take DHS’s response at face value, it appears NPPD does not have its own technical capability. If DHS has no organic ability, how did it detect anything in the first place? With a little help from other solutions. Project Overwatch, for example.

According to the RSA presentation, “Project Overwatch has been a multinational effort between USA, Germany, and Australia to create a solution leveraging GSMK’s patented Baseband Firewall technology.” This began six years ago.

In February 2017, at the RSA Security Conference in San Francisco, a demonstration of Project Overwatch showed the detection of rogue IMSI catchers — the same technology DHS used, but did not disclose, in its letter to Sen. Wyden.

The warnings were there. The threat was there. Six years ago, we worked with our allies to develop a solution to counter this growing form of technical espionage. So why is Congress just now worried about this?

It’s inconceivable that this electronic eavesdropping that targeted the White House, Congress, our federal law enforcement and intelligence agencies, and who knows what else, should have gone on for this long without a warning to the relevant oversight committees. And the public.

When it comes to our national security, no one should be allowed to, as The Eagles might say, “Take It Easy.”

Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. Previously Morgan was a senior advisor in the U.S. State Department Antiterrorism Assistance Program and senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.

Chinese peeping Tom installed secret cameras to film couples in love hotels and sell footage online

Man accused of selling footage through popular social media platform

by Nectar Gan

A man has been arrested in southwest China on suspicion of installing webcams in hotels to film couples having sex and then selling the footage online, according to local media reports.

When the couple went to bed they looked up and saw a hole in the ceiling, which they examined and found a camera had been hidden inside pointing directly at the bed.

The two immediately called the police, who soon arrived and took out the camera.

Police found no memory cards inside so concluded it was a real-time webcam that sent footage to another platform.

“My whole body just froze up,” said the woman, who then decided to spend the night sleeping in the car with her husband.

The next day, the couple went to the hotel to demand an explanation, but the hotel said it was not aware the camera was there.

After further investigation, a second webcam was found in a room on the same floor.

Hotel staff told police they remembered that a man had booked two rooms at the hotel in March and checked in on his own. The two rooms he had booked turned out to be the ones that had the cameras installed.

A month later, police seized the suspect in his flat, and found two hard drives totalling 3 terabytes of storage containing the sex tapes he had recorded.

The man was reported to have told police he came up with the idea because he was broke and wanted to earn some quick money by selling the clandestine footage.

He first installed cameras in hotels in his home county about 100km (60 miles) away from Chengdu, but the people who checked in to the hotels were “not ideal”, he said.

Following suggestions from his customers, he decided to install cameras in more expensive hotels in the provincial capital, and bought a fake identity card online.

Through mobile apps, he located love hotels popular among young couples. But the first camera he installed in January was soon discovered by a hotel staff member and thrown away.

Not ready to give up, he tried again in March.

The two cameras he is accused of installing then had been connected to the power strip in the ceiling and could be automatically turned on when the customers plugged in the room key.

The report said footage was directly sent to the man’s phone and then uploaded to a computer.

Police believe the man created a chat group on QQ, a popular social media platform, and started to recruit “members” who would pay a monthly fee for unlimited access to the footage.

In just a few months, the monthly fee rose from 400 yuan (US$60) per month to 2,000 yuan. He had about 10 “members” in total and made 15,000 yuan, he said.

The man has now been officially arrested on the charge of spreading obscene articles. There was no word on whether police would seek to take action against his subscribers.

Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers

[Figure: goo.gl Public Analytics]

• We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus, with at least some elements located in the Xicheng District of Beijing.

• A number of Chinese state intelligence operations from 2009 to 2018 that were previously unconnected publicly are in fact linked to the Winnti umbrella.

• We assess with high confidence that multiple publicly reported threat actors operate with some shared goals and resources as part of the Chinese state intelligence apparatus.

• Initial attack targets are commonly software and gaming organizations in the United States, Japan, South Korea, and China. Later-stage high-profile targets tend to be politically motivated or high-value technology organizations.

• The Winnti umbrella continues to operate highly successfully in 2018. Their tactics, techniques, and procedures (TTPs) remain consistent, though they experiment with new tooling and attack methodologies often.

• Operational security mistakes during attacks have allowed us to acquire metrics on the success of some Winnti umbrella spear phishing campaigns and identify attacker location with high confidence.

• The theft of code signing certificates is a primary objective of the Winnti umbrella’s initial attacks, with potential secondary objectives based around financial gain.

Report Summary

The purpose of this report is to make public previously unreported links that exist between a number of Chinese state intelligence operations. These operations and the groups that perform them are all linked to the Winnti umbrella and operate under the Chinese state intelligence apparatus. Contained in this report are details about previously unknown attacks against organizations and how these attacks are linked to the evolution of the Chinese intelligence apparatus over the past decade. Based on our findings, attacks against smaller organizations operate with the objective of finding and exfiltrating code signing certificates to sign malware for use in attacks against higher value targets. Our primary telemetry consists of months to years of full fidelity network traffic captures. This dataset allowed us to investigate active compromises at multiple organizations and run detections against the historical dataset, allowing us to perform a large amount of external infrastructure analysis.

Background

The Winnti umbrella and closely associated entities have been active since at least 2009, with some reports of possible activity as early as 2007. The term “umbrella” is used in this report because current intelligence indicates that the overarching entity consists of multiple teams/actors whose tactics, techniques, and procedures align, and whose infrastructure and operations overlap. We assess that the different stages of associated attacks are operated by separate teams/actors; however, in this report we will show that the lines between them are blurred and that they are all associated with the same greater entity. The Winnti and Axiom group names were created by Kaspersky Lab and Symantec, respectively, for their 2013/2014 reports on the original group. The name “Winnti” is now primarily used to refer to a custom backdoor used by groups under the umbrella. Multiple sources of public and private threat intelligence have their own names for individual teams. For example, LEAD is a common alias for the group targeting online gaming, telecom, and high tech organizations. Other aliases for related groups include BARIUM, Wicked Panda, GREF, PassCV, and others. This report details how these groups are linked together and serve a broader attacker mission. The many names associated with actors in the greater intelligence mission arise because each name is built on the telemetry of a particular intelligence provider, which is typically unique and dependent on that provider’s specific dataset. This report focuses heavily on networking related telemetry.

We assess with high confidence that the attackers discussed here are associated with the Chinese state intelligence apparatus. This assessment is based on attacker TTPs, observed attack infrastructure, and links to previously published intelligence. Their operations against gaming and technology organizations are believed to be economically motivated in nature. However, based on the findings shared in this report we assess with high confidence that the actor’s primary long-term mission is politically focused. It’s important to note that not all publicly reported operations related to Chinese intelligence are tracked or linked to this group of actors. However, TTPs, infrastructure, and tooling show some overlap with other Chinese-speaking threat actors, suggesting that the Chinese intelligence community shares human and technological resources across organizations. We assess with medium to high confidence that the various operations described in this report are the work of individual teams, including contractors external to the Chinese government, with varying levels of expertise, cooperating on a specific agenda.

In 2015 the People’s Liberation Army of China (PLA) began a major reorganization which included the creation of the Strategic Support Force (SSF / PLASSF). SSF is responsible for space, cyber, and electronic warfare missions. Some of the overlap we observed from groups could potentially be related to this reorganization. Notably, key incident details below include attacker mistakes that likely reveal the true location of some attackers as the Xicheng District of Beijing.

Tactics, Techniques, and Procedures (TTPs):

Though the TTPs of the attacking teams vary depending on the operation, their use of overlapping resources presents a common actor profile. Key interests during attacks often include the theft of code signing certificates, source code, and internal technology documentation. They also may attempt to manipulate virtual economies for financial gain. While unconfirmed, the financial secondary objective may be related to personal interests of the individuals behind the attacks.

Initial attack methods include phishing to gain entry into target organization networks. The group then follows with custom malware or publicly available offensive tooling (Metasploit/Cobalt Strike), and may use a number of methods to minimize their risk of being detected. Such techniques include a particular focus on “living off the land” by using a victim’s own software products, approved remote access systems, or system administration tools for spreading and maintaining unauthorized access to the network.

We have observed incidents where the attacker used other victim organizations as a proxy for unauthorized remote access. In these cases, organization 1 had been compromised for a long period of time, and the attacker accessed victim organization 2 via the organization 1 network.

Delivery and C2 domains routinely have subdomains which resemble target organizations. Additionally, their C2 domains are used across many targets, while subdomains tend to be created and removed quickly and are unique to a particular target or campaign. Also noteworthy is that the actors set their domains to resolve to 127.0.0.1 when not in use, similar to what was originally reported on by Kaspersky Lab (see below).
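The two infrastructure habits described above (C2 apex domains reused across targets with short-lived, target-themed subdomains, and domains parked at 127.0.0.1 between campaigns) are both visible in passive DNS. The following Python is an added example of how a defender might hunt for that pattern in their own passive DNS data; it is not code from the report or from 401TRG, and the records, hostnames and the 30-day threshold are constructed placeholders rather than indicators from the page.

```python
"""Hunt for the C2 DNS pattern described in the Burning Umbrella report:
shared apex domains, throwaway per-target subdomains, and parking at
127.0.0.1 when a domain is not in use.

Added example with constructed data; none of the names below are real
indicators from the report.
"""
from collections import defaultdict
from datetime import date

LOOPBACK = "127.0.0.1"

# Constructed passive-DNS observations: (observation date, hostname, A record).
# example-c2.test plays the role of a shared attacker apex domain.
PDNS_RECORDS = [
    (date(2018, 3, 1),  "acme-corp-mail.example-c2.test", "203.0.113.10"),
    (date(2018, 3, 4),  "acme-corp-mail.example-c2.test", LOOPBACK),
    (date(2018, 3, 20), "globex-hr.example-c2.test",      "203.0.113.10"),
    (date(2018, 3, 28), "globex-hr.example-c2.test",      LOOPBACK),
    (date(2018, 3, 1),  "www.benign.test",                "198.51.100.7"),
    (date(2018, 4, 1),  "www.benign.test",                "198.51.100.7"),
]


def apex(hostname: str) -> str:
    """Last two labels of the name. Adequate for the constructed data;
    a real deployment should use a public-suffix list instead."""
    return ".".join(hostname.split(".")[-2:])


def parked_hosts(records):
    """Hostnames that resolved to a routable address at one time and to
    127.0.0.1 at another: the 'resolve to loopback when not in use' habit."""
    seen = defaultdict(set)
    for _, host, ip in records:
        seen[host].add(ip)
    return sorted(h for h, ips in seen.items() if LOOPBACK in ips and len(ips) > 1)


def short_lived_subdomains(records, max_days=30):
    """Subdomains whose whole observed lifetime fits inside max_days,
    grouped by apex. Apex names themselves are skipped."""
    first, last = {}, {}
    for day, host, _ in records:
        first[host] = min(first.get(host, day), day)
        last[host] = max(last.get(host, day), day)
    grouped = defaultdict(list)
    for host in first:
        if host.count(".") < 2:
            continue
        if (last[host] - first[host]).days <= max_days:
            grouped[apex(host)].append(host)
    return {a: sorted(hs) for a, hs in grouped.items()}


def suspicious_apexes(records, min_subdomains=2):
    """Apex domains with at least min_subdomains subdomains that are both
    short-lived and parked at loopback: the combined signal worth triaging."""
    parked = set(parked_hosts(records))
    hits = []
    for apex_name, subs in short_lived_subdomains(records).items():
        if sum(1 for s in subs if s in parked) >= min_subdomains:
            hits.append(apex_name)
    return sorted(hits)


if __name__ == "__main__":
    print("parked:", parked_hosts(PDNS_RECORDS))
    print("short-lived:", short_lived_subdomains(PDNS_RECORDS))
    print("triage:", suspicious_apexes(PDNS_RECORDS))
```

The benign host is observed for 31 days, so it falls outside the 30-day window and never reaches the combined check; the two target-themed subdomains under the constructed apex do, because each was seen both live and parked within a few days. Each signal on its own is noisy (plenty of legitimate hosts resolve to loopback briefly), which is why the triage function requires both properties on more than one subdomain of the same apex.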

The actor often uses TLS encryption for varying aspects of C2 and malware delivery. As noted in the “Infrastructure Analysis” section of this report, the actor primarily abuses Let’s Encrypt to sign SSL certificates. We also observed many cases in which self-signed certificates were used in attacks.

Overall, the Winnti umbrella and linked groups are lacking when it comes to operational security. However, some activities linked to these groups follow better operational security and infrastructure management approaches. This may be a clue to the division of responsibilities by team and skill level within the broader organization.

Targets:

The Winnti umbrella and linked groups’ initial targets are gaming studios and high tech businesses. They primarily seek code signing certificates and software manipulation, with potential financially motivated secondary objectives. These targets have been identified in the United States, Japan, South Korea, and China.

Based on the infrastructure, links to previous reporting, and recently observed attacks, the broader organization’s main targets are political. Historically this has included Tibetan and Chinese journalists, Uyghur and Tibetan activists, the government of Thailand, and prominent international technology organizations.

One example of a politically focused lure by the Winnti umbrella and linked groups is an end of 2017 document titled “Resolution 2375 (2017) Strengthening Sanctions on DPR of KOREA” which is a malicious file associated with the C2 infrastructure described here – see MD5: 3b58e122d9e17121416b146daab4db9d.

Some Key Public Reports:

2013:
Kaspersky Lab publicly reported on the original Winnti group, technical details around the Winnti samples, and various honeypot analysis methods. Most noteworthy is the Winnti umbrella’s targeting of gaming organizations in search of code signing certificates, virtual currencies, and updating mechanisms which could potentially be used to attack victims’ clients. Interestingly, this was the first identified trojan for the 64-bit Microsoft Windows operating system with a valid digital signature as noted by the author. The abuse of signed applications is a very effective attack approach that the entity continues to use.

2014:
Novetta released an outstanding report detailing “Operation SMN,” in which they collaborated with a number of private organizations on a large scale malware eradication operation which is linked to the original Winnti group by the malware being delivered. In the report, the actor is named Axiom. Novetta reported links to publications from as far back as 2009 that also link the group to the Chinese state intelligence apparatus with high confidence. Links exist to various known attacks and actor groups, such as “Operation Aurora,” Elderwood Group’s successful 2010 attack against Google and many other organizations. Another link exists to the successful compromise of the security organization Bit9 in 2013, where their own product was used to sign and spread malware to their customers. In addition, FireEye’s “Operation DeputyDog” detailed attacks on Japanese targets from the same attacker infrastructure. Many other incidents are detailed in the Operation SMN report. Following all of these details back in time, we can see an overlap in TTPs and targets from the APT1 report by Mandiant, which serves as a great historical example of Chinese intelligence cyber operations in their most basic form.

2016:
Cylance released a blog post reporting on digitally signed malware used in targeted attacks against gaming organizations in China, Taiwan, South Korea, Europe, Russia, and the United States. Cylance refers to the attacking entity as “PassCV” in their reporting. Cylance successfully identified a large quantity of malware binaries which were signed with valid certificates stolen from a number of gaming studios in East Asia. In addition to detailing the individual certificates and signed malware, they identified a significant amount of network infrastructure which contain various interesting links to our own findings.

2017 – March/April:
Trend Micro reported on attacks that abused GitHub for use in malware command and control, which they attributed to the original Winnti group. Amusingly, Trend Micro later reported on an individual linked to the group and the attacks who happens to be a fan of pigs.

2017 – July 5th:
Citizen Lab reported on attacks against journalists by an actor mimicking China-focused news organizations HK01, Epoch Times, Mingjing News, and Bowen Press. As Citizen Lab noted, these news organizations are blocked in China for their political views. The report notes that malware used in these attacks was linked to a stolen code signing certificate mentioned in the Cylance PassCV post. That overlap, in addition to infrastructure links from a Palo Alto Unit 42 blog post, strongly links this attack to the previously mentioned reports as well as to our own. As Unit 42 reports, the attacks against entities in the government of Thailand used the “bookworm” trojan.

2017 – July/October:
ProtectWise 401TRG published our own findings and an update on LEAD using open source and public tooling in attacks against Japanese gaming organizations. These attacks are linked with high confidence to ongoing operations in the United States and East Asia.

Other Noteworthy Events:
In 2017, multiple supply-chain attacks occurred which had some similarities to the Winnti umbrella and associated entities. For example, Kaspersky reported on ShadowPad, a large-scale compromise of NetSarang, which resembles the Winnti and PlugX malware. In addition, Kaspersky and Intezer identified notable code similarities to the Winnti umbrella and APT17 in the compromise of Piriform, which allowed attackers to sign and spread altered versions of the CCleaner software to a large customer base.

Analysis of Attacks on Initial Targets

Throughout 2017 and 2018, ProtectWise 401TRG was involved in a number of detection and incident response engagements with our customers that linked back to the Winnti umbrella and other closely associated entities. Through the analysis of public and private intelligence, we have successfully identified similar attacks, which allow us to assess with high confidence that the details below follow a global attack trend as the Chinese intelligence operations have evolved over time.

2017 Operations:
One of the most common tactics used by the Winnti umbrella and related entities is phishing users whose credentials may provide elevated access to a target network. We have observed spear-phishing campaigns that target human resources and hiring managers, IT staff, and internal information security staff, which are generally very effective.

In 2017 the entity focused most of its efforts around technical job applicant email submissions to software engineering, IT, and recruiting staff, which we originally reported on at our 401trg.pw blog. The phishing lures used multiple languages, including Japanese as in the below example:

The approximate translation is as follows:

I saw your job posting. My main languages are Object-C, JAVA, and Swift, and I have 7 years experience with Ruby and 6 years experience with PHP. I have 5 years experience developing iOS apps, as well as Android apps, AWS, Jenkins, Microsoft Azure, ZendFramework, and smartphone application payment processing. I also have 5 years experience with MSSQL, Mysql, Oracle, and PostgreSQL. Please see here: [malicious link]


The process that followed a target clicking the malicious link evolved as the attacker progressed through the campaigns. The links consistently sent the victim to a fake resume, but the exact format of that resume changed over time; we have observed resumes being delivered as DOC, XLS, PDF, and HTML files. Once opened, the fake resumes performed various actions in an effort to download malware onto the victim host. During the same time period, we also observed the actor using the Browser Exploitation Framework (BeEF) to compromise victim hosts and download Cobalt Strike. In this campaign, the attackers experimented with publicly available tooling for attack operations. During this infection process, the actor was known to check the target operating system and deliver malware, signed by a previously stolen key, for the appropriate host environment. In some cases, valid Apple certificates stolen from victims were used in this process, which linked the attack to additional victim organizations.

Post-compromise actions by the attacker followed a common pattern. First they attempted to spread laterally in the network using stolen credentials and various reconnaissance efforts, such as manually examining shares and local files. The primary goal of these attacks was likely to find code-signing certificates for signing future malware. The secondary goals of the attackers depended on the type of victim organization, but were often financial. For example, gaming organizations tended to fall victim to manipulation or theft of in-game virtual currencies. Non-gaming victims may have experienced theft of intellectual property such as user or technology data.

2018 Operations:
More recently, various attack campaigns from the Winnti umbrella and associated groups have been very successful without the use of any exploits or malware. Phishing remains the initial infection vector but the campaign themes have matured. In 2018, the campaigns have largely been focused on common services such as Office 365 and Gmail.

It is important to note that attackers likely have additional information on their target organizations’ preferred email solutions based on previous incidents or open source intelligence.

In more recent phishing campaigns conducted by the Winnti umbrella and associated groups, URL shortening services have been used. For example, Google’s URL shortening service goo.gl was used over the past weeks, allowing us to gain insight into the scale of this campaign using publicly available analytics.

As you can see from the above screenshot, this particular phishing campaign ran from March 20th to March 28th, 2018. Notably, the link was created on February 23rd, 2018, indicating roughly three weeks of preparation for the attacks. These metrics allow us to gain insight into who clicked the link in a phishing email and was directed to a phishing or malware delivery landing page. According to Google analytics, there were a total of 56 clicks. 29 were from Japan, 15 from the United States, 2 from India, and 1 from Russia. 33 of the clicks were from Google Chrome, and 23 were from Safari. 30 were from Windows OS hosts, and 26 were macOS hosts.

In general, the attackers phish for credentials to a user’s cloud storage, and would be expected to later attempt malware delivery in the cases of a failed credential phish or valueless cloud storage.

In cases where the victim uses O365 and/or G-suite for enterprise file storage, the attackers manually review the contents for data of value. If code signing certificates are stored here, the primary mission has been accomplished, as they may be easily downloaded. In other cases, the attackers attempt to use other files and documentation in the cloud storage to help them traverse or gain privileges on the network. The targets in 2018 include IT staff, and commonly sought out files include internal network documentation and tooling such as corporate remote access software.

Once the attackers gain remote access to the network via malware or stolen remote access tooling and credentials, the operation continues as we’ve seen, though their post-compromise actions have become more efficient and automated. Internal reconnaissance is performed by scanning the internal network for open ports 80, 139, 445, 6379, 8080, 10022, and 30304. The choice of ports by the attacker indicates a strong interest in internal web and file storage services. An interesting addition is the use of 30304, which is the peer discovery port for Ethereum clients.

In the attackers’ ideal situation, all remote access occurs through their own C2 infrastructure, which acts as a proxy and obscures their true location. However, we have observed a few cases of the attackers mistakenly accessing victim machines without a proxy, potentially identifying the true location of the individual running the session. In all of these cases, the net block was 221.216.0.0/13, the China Unicom Beijing Network, Xicheng District.
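The two post-compromise observations above give a defender two concrete things to alert on: an internal host sweeping that specific port set across many peers, and an interactive remote-access session whose source address falls inside 221.216.0.0/13. The following Python is an added example of both checks run over constructed flow records; it is not code from the report or from 401TRG. The remote-access port list, the minimum-peers threshold and all addresses other than the net block quoted from the report are assumptions for the example.

```python
"""Detect the internal port sweep and the unproxied remote access described
in the Burning Umbrella report's 2018 Operations section.

Added example; the flow records are constructed, internal hosts use RFC 1918
space and external hosts use documentation ranges, except for the one
address placed inside the 221.216.0.0/13 block the report names.
"""
import ipaddress
from collections import defaultdict

# Port set the report says the attackers scan internally.
RECON_PORTS = {80, 139, 445, 6379, 8080, 10022, 30304}
# Net block the report associates with unproxied attacker sessions.
UNPROXIED_ORIGIN = ipaddress.ip_network("221.216.0.0/13")
# Ports of the corporate remote-access services being watched (assumed).
REMOTE_ACCESS_PORTS = {3389, 443}

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    # One compromised host touching twelve neighbours on three recon ports.
    *[("10.0.5.23", f"10.0.5.{i}", p) for i in range(30, 42) for p in (445, 6379, 30304)],
    ("10.0.5.23", "10.0.9.2", 8080),
    # Ordinary file-share use: two peers only.
    ("10.0.5.40", "10.0.5.41", 445),
    ("10.0.5.40", "10.0.5.42", 445),
    # Remote access from inside the named block, from elsewhere, and a non-RA port.
    ("221.217.8.15", "10.0.1.1", 3389),
    ("198.51.100.9", "10.0.1.1", 3389),
    ("221.217.8.15", "10.0.1.1", 53),
]


def port_sweepers(flows, min_hosts=10):
    """Internal sources that contacted at least min_hosts distinct peers on
    RECON_PORTS. Returns {src: (distinct_peer_count, sorted ports used)}."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, port in flows:
        if port in RECON_PORTS and ipaddress.ip_address(src).is_private:
            peers[src].add(dst)
            ports[src].add(port)
    return {s: (len(p), sorted(ports[s])) for s, p in peers.items() if len(p) >= min_hosts}


def unproxied_remote_access(flows):
    """Sources of remote-access flows that lie inside UNPROXIED_ORIGIN."""
    return sorted({src for src, _, port in flows
                   if port in REMOTE_ACCESS_PORTS
                   and ipaddress.ip_address(src) in UNPROXIED_ORIGIN})


if __name__ == "__main__":
    print("sweepers:", port_sweepers(FLOWS))
    print("unproxied remote access from:", unproxied_remote_access(FLOWS))
```

The sweep detector keys on distinct destination hosts rather than total connections, so a busy file server talking to two peers repeatedly does not trip it, while one host touching thirteen neighbours on the report's ports does. The net-block check is deliberately narrow: a source inside the block on a remote-access port is a high-confidence lead precisely because the report says these sessions normally arrive through the attackers' own proxy infrastructure, so the unproxied case is a mistake on their side that a defender can catch.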

Visualizing Attacker Infrastructure

Based on the various incidents we have been involved in, in addition to past public reporting and open-source intelligence, we can construct a map representing the infrastructure most closely associated with the Winnti umbrella and closely related entities. For the sake of producing an accurate representation of the infrastructure, we are excluding any shared infrastructure (such as hosting provider IPs used for many unrelated domains) and low confidence indicators. Please note this is not an exhaustive list of all active infrastructure in use by the group.

As detailed below, this infrastructure spans at least eight years of activity by the Winnti umbrella and related groups. Please note, as this section heavily references the “Some Key Public Reports” section, above, we recommend reading that first. Indicators are provided in Appendix A of PDF (see top of page).

1. The area of the map labeled #1 is the phishing, malware delivery, fake resume, and C2 infrastructure. This includes domains, IPs, malware hashes, SSL certificates, and WHOIS information. In this section of the infrastructure, we primarily observe the network and file indicators which would be used against targets valued for code signing certificates, software manipulation, and potential financial manipulation. The indicators detailed in the 2017 & 2018 Initial Target section of this report are located in #1. Infrastructure in this area is currently in use and not entirely historical.

2. This area is a network that we assess is associated with the umbrella with low confidence. The most interesting findings here are the large number of Let’s Encrypt SSL certificates in use and the overlap with attacker exclusive infrastructure. This proposed relationship is generated by infrastructure links alone, as no malicious activity has been confirmed to or from region #2. Infrastructure in this area is currently in use and not historical.

3. Area #3 is linked to the initial attack infrastructure (#1) by domain WHOIS details, likely from operational security mistakes. We assess with high confidence that these infrastructures are linked. Based on the lax structure and naming of this section, it is highly probable that it is used for attacker experimenting and development. Some examples include domains such as “nobody.will.know.whoami[.]la”, “secret.whoami[.]la”, and “no.ip.detect.if.using.ipv6[.]la”. Infrastructure in this area is currently in use and not historical.

4. This area has various links to #3 in which an individual software developer is identified. We assess this connection with low to medium confidence and will refrain from publicly sharing details in this report. This area contains many personally operated domains and SSL certificates. Infrastructure in this area is currently in use and not historical.

5. Area #5 of the map is part of what Novetta reported on as Operation SMN in 2014. Infrastructure in this area is purely historical and based on Novetta’s reporting, which we can link to area #1 via known umbrella infrastructure. The vast majority of indicators in this area are the many associated hashes, combined with their C2 destination domains and IPs.

6. This area of the map is what Cylance reported on as PassCV in 2016. The vast majority of infrastructure and indicators here are stolen code signing certificates, malware signed with the certificates, and C2 domains. This area contains information on many victims of campaigns related to area #1. Infrastructure in this area is historical. We assess that this area is linked to the Winnti umbrella with high confidence.

7. This section represents infrastructure identified by Citizen Lab in their July 5, 2017 reporting on attacks against journalists. As they originally identified, one of the NetWire binaries was signed with a stolen certificate linked to #6, the Cylance PassCV report. We were able to further expand this section by pivoting off additional domain WHOIS information.

8. Lastly is area #8, which links back with high confidence to #7 (Citizen Lab reporting) and #6 (PassCV). This area consists of domains, IPs, MD5 file hashes, and further WHOIS operational security mistakes. It is similar in function to #1 and #3, serving as infrastructure for both high-value, politically focused attacks and developers’ personal use. It links to the online identities of an individual we assess, with medium to high confidence, to be associated with the Winnti umbrella or a closely related group. One example of malicious activity in this area is the document detailing the strengthening of sanctions against North Korea, above; such activity resembles the politically motivated targeted attacks Citizen Lab reported on. Some infrastructure in this area is currently in use, so it is not entirely historical.
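The area descriptions above rest on one technique: pivoting from one indicator to another through shared WHOIS registrant details, certificates and IPs, and grading the resulting link by how hard the shared attribute is to explain innocently. The following Python is an added example written for this page, not code from the 401TRG report. The records, pivot weights and domain names are constructed for illustration (RFC 5737 documentation addresses, reserved TLDs); the weights are an assumption that mirrors the report’s qualitative scale. It shows why a reused registrant e-mail links two areas at high confidence, why a shared IP alone yields only a low-confidence link of the kind described for area #2, and why a common Let’s Encrypt issuer is not a pivot at all.

```python
"""Infrastructure pivot graph for attribution (added example, constructed data).

Indicators are linked when they share an attribute; each pivot type carries a
weight expressing how much attribution confidence the link deserves. A link
between two areas is 'high' if it survives on strong pivots alone, 'low' if it
needs weak pivots, and 'none' otherwise.
"""
from collections import defaultdict, deque

# Assumed pivot weights (the report's own confidence scale is qualitative).
PIVOT_WEIGHT = {
    "whois_email": 3,  # registrant e-mail reuse: strong, usually an opsec mistake
    "cert_sha1": 3,    # the same leaf certificate served from several hosts: strong
    "ip": 1,           # shared IP: weak, may simply be shared hosting
    "issuer": 0,       # shared CA such as Let's Encrypt: anyone can get one, no pivot
}

# Constructed sample records in the shape of the area #1/#2/#3 indicators.
SAMPLE = [
    {"domain": "update-svc[.]example", "area": 1, "whois_email": "ops@mail.example",
     "ip": "203.0.113.10", "cert_sha1": "aa11", "issuer": "Let's Encrypt"},
    {"domain": "cdn-static[.]example", "area": 1, "whois_email": "ops@mail.example",
     "ip": "203.0.113.11", "cert_sha1": "bb22", "issuer": "Let's Encrypt"},
    {"domain": "secret.whoami[.]test", "area": 3, "whois_email": "ops@mail.example",
     "ip": "198.51.100.7", "cert_sha1": "cc33", "issuer": "Let's Encrypt"},
    {"domain": "dev-box[.]test", "area": 3, "whois_email": "dev@mail.example",
     "ip": "198.51.100.7", "cert_sha1": "dd44", "issuer": "Let's Encrypt"},
    {"domain": "shop-front[.]invalid", "area": 2, "whois_email": "shop@mail.example",
     "ip": "198.51.100.7", "cert_sha1": "ee55", "issuer": "Let's Encrypt"},
    {"domain": "blog[.]invalid", "area": 2, "whois_email": "blog@mail.example",
     "ip": "192.0.2.5", "cert_sha1": "ff66", "issuer": "Let's Encrypt"},
    {"domain": "unrelated[.]invalid", "area": 4, "whois_email": "x@other.example",
     "ip": "192.0.2.99", "cert_sha1": "9999", "issuer": "Let's Encrypt"},
]


def build_graph(indicators):
    """Return adjacency: domain -> [(neighbour, pivot_type, value, weight)]."""
    by_attr = defaultdict(list)  # (pivot_type, value) -> domains carrying it
    for rec in indicators:
        for ptype in PIVOT_WEIGHT:
            if rec.get(ptype):
                by_attr[(ptype, rec[ptype])].append(rec["domain"])
    graph = defaultdict(list)
    for (ptype, value), domains in by_attr.items():
        weight = PIVOT_WEIGHT[ptype]
        if weight == 0 or len(domains) < 2:
            continue  # no pivot value, or nothing else carries the attribute
        for a in domains:
            for b in domains:
                if a != b:
                    graph[a].append((b, ptype, value, weight))
    return graph


def link_areas(indicators, src_area, dst_area, min_weight):
    """Breadth-first search from every indicator in src_area to any indicator in
    dst_area, following only pivots of weight >= min_weight. Returns the chain of
    (from_domain, pivot_type, value, to_domain) steps, or None if unreachable."""
    graph = build_graph(indicators)
    area_of = {rec["domain"]: rec["area"] for rec in indicators}
    starts = [d for d, area in area_of.items() if area == src_area]
    queue = deque((d, []) for d in starts)
    seen = set(starts)
    while queue:
        node, path = queue.popleft()
        if area_of[node] == dst_area:
            return path
        for nxt, ptype, value, weight in graph.get(node, []):
            if weight >= min_weight and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, ptype, value, nxt)]))
    return None


def assess(indicators, area_a, area_b):
    """'high' if reachable over strong pivots only, 'low' if weak pivots are
    needed, 'none' if the areas are not connected at all."""
    if link_areas(indicators, area_a, area_b, min_weight=3) is not None:
        return "high"
    if link_areas(indicators, area_a, area_b, min_weight=1) is not None:
        return "low"
    return "none"


if __name__ == "__main__":
    for a, b in [(1, 3), (1, 2), (1, 4)]:
        print(f"area {a} -> area {b}: {assess(SAMPLE, a, b)}",
              link_areas(SAMPLE, a, b, min_weight=1))
```

Run as written, the sample links area 1 to area 3 at high confidence through the reused registrant address, links area 1 to area 2 only at low confidence through the shared IP, and finds no link to area 4 because a common issuer is never treated as a pivot. Real data needs two extra checks before trusting any edge: a shared IP that belongs to a large hosting provider or CDN should be dropped as noise, and WHOIS records with privacy-proxy contacts produce false “shared e-mail” pivots unless the proxy addresses are filtered out first.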

Investigative Findings

Based on incident response engagements, research into the associated attacker infrastructure, and previously reported research, we can summarize our findings as follows:

1. The Chinese intelligence apparatus has been reported on under many names, including Winnti, PassCV, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF.

2. The overlap of TTPs and infrastructure between the Winnti umbrella and other groups indicates the use of shared human and technology resources working towards an overarching goal. Operational security mistakes allow the linking of attacks on lower value targets to higher value campaigns. Reuse of older attack infrastructure, links to personal networks, and observed TTPs play a role in this overlap.

3. The attackers behind observed activity in 2018 operate from the Xicheng District of Beijing via the net block 221.216.0.0/13. Note that a /13 spans 524,288 addresses (221.216.0.0 through 221.223.255.255), so this range is context for attribution rather than a precise indicator, and blocking it wholesale would also affect unrelated users of the same provider.

4. Initial attack targets are commonly software organizations in the United States, Japan, South Korea, and China. Later stage high profile targets tend to be political organizations or high-value technology companies.

5. The attackers grow and learn to evade detection when possible, but lack operational security when it comes to the reuse of some tooling. Living off the land and adaptability to individual target networks allow them to operate with high rates of success.

Conclusion

We hope the information we’ve shared in this report will help potential targets and known victims in addition to the greater information security community. Though they have at times been sloppy, the Winnti umbrella and its associated entities remain an advanced and potent threat. We hope that the information contained within this report will help defenders thwart this group in the future.

We’d like to extend a special thank you to all the victims, targets, researchers, and security vendors who have shared their own findings over the years.

Indicators

Indicators can be found in the PDF version of this report and our GitHub Detection IOC repository. Enjoy!

Source: 401 TRG

China’s ZTE says is trusted partner after U.S. concern

BEIJING (Reuters) – Chinese telecoms equipment group ZTE Corp hit back on Thursday against concerns from U.S. lawmakers that it is a vehicle for Chinese espionage, saying it was a trusted partner of its U.S. customers, state news agency Xinhua reported.

China is trying to gain access to sensitive U.S. technologies and intellectual properties through telecommunications companies, academia and joint business ventures, U.S. senators and spy chiefs warned on Tuesday.

Republican Senator Richard Burr, chairman of the Senate Intelligence Committee, said he was concerned about the ties to the Chinese government of Chinese telecoms companies like Huawei Technologies Co Ltd and ZTE.

“ZTE is proud of the innovation and security of our products in the U.S. market,” Xinhua cited a ZTE spokesman as saying.

The company takes cybersecurity and privacy seriously, has always adhered to laws and remains a trusted partner of U.S. suppliers and customers, the company added.

“As a publicly traded company, we are committed to adhering to all applicable laws and regulations of the United States, work with carriers to pass strict testing protocols, and adhere to the highest business standards,” it said.

Last week, Republican Senator Tom Cotton and Republican Senator Marco Rubio introduced legislation that would block the U.S. government from buying or leasing telecoms equipment from Huawei or ZTE, citing concern the companies would use their access to spy on U.S. officials.

In 2012, Huawei and ZTE were the subject of a U.S. investigation into whether their equipment provided an opportunity for foreign espionage and threatened critical U.S. infrastructure – something they have consistently denied.

Allegations of hacking and internet spying have long strained relations between China and the United States. In 2014 then FBI Director James Comey said Chinese hacking likely cost the U.S. economy billions of dollars every year.

China has strongly denied all U.S. accusations of hacking attacks.

Reporting by Ben Blanchard; Editing by Stephen Coates

Source: Reuters

U.S. senators concerned about Chinese access to intellectual property

WASHINGTON (Reuters) – China is trying to gain access to sensitive U.S. technologies and intellectual properties through telecommunications companies, academia and joint business ventures, U.S. senators and spy chiefs warned on Tuesday at a Senate hearing.

Republican Senator Richard Burr, chairman of the Senate Intelligence Committee, said he worried about the spread in the United States of what he called “counterintelligence and information security risks that come prepackaged with the goods and services of certain overseas vendors.”

“The focus of my concern today is China, and specifically Chinese telecoms (companies) like Huawei (Technologies Co Ltd [HWT.UL]) and ZTE Corp, that are widely understood to have extraordinary ties to the Chinese government,” Burr said.

Chinese firms have come under greater scrutiny in the United States in recent years over fears they may be conduits for spying, something they have consistently denied.

A Huawei spokesman said the company is aware of “U.S. government activities seemingly aimed at inhibiting Huawei’s business in the U.S. market.” He also said the firm is trusted by governments and customers in 170 countries and poses no greater cyber security risk than other vendors.

ZTE officials did not immediately respond to a request for comment.

Burr said he worried that foreign commercial investment and acquisitions might jeopardize sensitive technologies and that U.S. academic research and laboratories may be at risk of infiltration by China’s spies.

Several of the U.S. spy agency chiefs who testified at the committee’s annual worldwide threats hearing cited concerns raised by what they called China’s “all of society” approach toward gaining access to technology and intellectual property.

“The reality is that the Chinese have turned more and more to more creative avenues using non-traditional collectors,” said FBI Director Christopher Wray in response to a question about student spies.

Senator Mark Warner, the committee’s Democratic vice chairman, said he worried about commercialization of surveillance technologies as well as the close relationship between the Chinese government and companies.

“Some of these Chinese tech companies may not even have to acquire an American company before they become pervasive in our markets,” Warner said.

Wray said the United States needed a more “strategic perspective on China’s efforts to use acquisitions and other types of business ventures.”

Under questioning from Republican Senator Tom Cotton, none of the Intelligence officials said they would use a Huawei or ZTE product.

Last week, Cotton and Republican Senator Marco Rubio introduced legislation that would block the government from buying or leasing telecoms equipment from Huawei or ZTE, citing concern the companies would use their access to spy on U.S. officials.

In 2012, Huawei and ZTE were the subject of a U.S. investigation into whether their equipment provided an opportunity for foreign espionage and threatened critical U.S. infrastructure – something they have consistently denied.

“Chinese cyber espionage and cyber attack capabilities will continue to support China’s national security and economic priorities,” said Dan Coats, the director of national intelligence.

Speaking in Beijing, Chinese Foreign Ministry spokesman Geng Shuang said the United States was the world’s most powerful country.

“If even the United States thinks it is surrounded by threats, what should other countries do?” Geng told reporters.

“I don’t know where the United States’ sense of insecurity comes from. But I want to emphasize that in this world there is no such thing as absolute security. One country’s security can’t be put before another country’s security.”

Reporting by Patricia Zengerle and Doina Chiacu; Additional reporting by Michael Martina in BEIJING; Editing by Frances Kerry, Rosalba O’Brien, Susan Thomas & Simon Cameron-Moore

Source: Reuters

African Union says has no secret dossiers after China spying report

BEIJING (Reuters) – The African Union does not have any secret dossiers and nothing to spy on, a senior official said in Beijing on Thursday, rejecting a report in French newspaper Le Monde that Beijing had bugged the regional bloc’s headquarters in Addis Ababa.

Le Monde, quoting anonymous AU sources, reported last month that data from computers in the Chinese-built building had been transferred nightly to Chinese servers for five years.

After the massive hack was discovered a year ago, the building’s IT system including servers was changed, according to Le Monde. During a sweep for bugs after the discovery, microphones hidden in desks and the walls were also detected and removed, the newspaper reported.

Speaking to reporters with Chinese Foreign Minister Wang Yi at his side, head of the African Union Commission Moussa Faki Mahamat said the allegations in the paper were false.

“What I can assure you of is that the relations between China and Africa, as I described, are unwavering. No manoeuvres of this type can distract us from our objectives,” Faki said.

“The African Union is an international political organisation. It doesn’t process secret defence dossiers. We are an administration and I don’t see what interest there is to China to offer up a building of this type and then to spy,” he said.

“So these are totally false allegations and I believe that we are completely disregarding them.”

The $200 million headquarters was fully funded and built by China and opened to great fanfare in 2012. It was seen as a symbol of Beijing’s thrust for influence in Africa, and access to the continent’s natural resources.

Wang said that he appreciated Faki’s comments, and called the headquarters a symbol of China-Africa friendship.

“It cannot be tarnished by any person or any force,” Wang said.

China-Africa relations had withstood decades of ups and downs and changes in the international arena, he added.

“Perhaps some people or forces are unwilling to help Africa themselves and have a feeling of sour grapes about the achievements of China’s cooperation with Africa,” Wang said.

“Any rumours are powerless, and any sowing of discord won’t succeed.”

As in the Ethiopian capital, China’s investments in road and rail infrastructure are highly visible across the continent. At a 2015 summit in South Africa, Chinese President Xi Jinping pledged $60 billion (£43.3 billion) in aid and investment to the continent, saying it would continue to build roads, railways and ports.

Separately, Wang announced that China would hold another summit with African leaders this September, in Beijing.

Former CIA officer arrested on Espionage Act charge

Jerry Chun Shing Lee had long been suspected of helping China neutralize US spying operations.

A former Central Intelligence Agency officer long suspected of helping China neutralize U.S. spying operations on its soil has been arrested on a charge that he kept and traveled with notebooks containing classified information, including the real names of covert CIA employees.

Jerry Chun Shing Lee, 53, who has been living in Hong Kong in recent years, was taken into custody Monday night as he arrived at John F. Kennedy International Airport in New York, the Justice Department said in a statement.

Lee’s arrest came after more than six years of investigation led by the FBI that also involved his former employer and other U.S. agencies. The top-secret mole-hunting probe was launched in 2012 or earlier, after U.S. intelligence officials concluded that China had somehow figured out the identities of many of their prized assets in country and detained them.

In a criminal complaint filed Saturday, Lee was charged with one felony count of retaining national defense information, a violation of the Espionage Act.

Although that charge does not relate to the long-running U.S. investigation into Lee, his suspected actions on behalf of the Beijing government likely resulted in the deaths or arrests of numerous informants that the United States had cultivated to help it spy on China, according to one former senior U.S. counterespionage official familiar with the case.

“There is no doubt that he had a big part in the problems with the sources,” the former counterespionage official told POLITICO on Tuesday night. “It definitely wasn’t just him but he had a big piece of it, given his background and what he did” as an Asia-based spy for the CIA.

Court papers said Lee, a naturalized U.S. citizen, served in “various overseas position and locations” for the CIA from 1994 to 2007. The agency referred all questions about the case to the Justice Department. The FBI also declined to comment on the case.

The New York Times, which first reported Lee’s suspected role in the case Tuesday, reported last year that China had killed or imprisoned 18 to 20 such informants since 2010, possibly using tips from a mole familiar with U.S. espionage operations.

However, the initial, public court filings in the case make no reference to that crackdown and do not allege that Lee actually disclosed anything to anyone.

“If, indeed, Mr. Lee was working for the Chinese, he was in a position to do great damage,” a former senior official at the CIA responsible for China, Dennis Wilder, told POLITICO. “The turning of a CIA officer is very rare, in part, because of the stringent screening and reinvestigation process for all officers.”

Investigators clearly have had Lee, also known as Zhen Cheng Li, under scrutiny for some time. The criminal charge stems from court-ordered searches of Lee’s luggage in Hawaii and Northern Virginia hotels in 2012.

During those searches, which appear to have been conducted surreptitiously, FBI agents found two small books determined to contain information classified up to the “top secret” level that pertained to Lee’s CIA work.

“The datebook contained handwritten information pertaining to, but not limited to, operational notes from asset meetings, operational meeting locations, operational phone numbers, true names of assets, and covert facilities,” FBI special agent Kellie O’Brien said in an affidavit submitted Saturday to a federal magistrate judge in Alexandria, Virginia. “The address book contained true names and phone numbers of assets and covert CIA employees, as well as the addresses of CIA facilities.”

O’Brien said the information in the books mirrored details in classified CIA cables that Lee wrote discussing his interactions with CIA “assets.”

The former U.S. counterespionage official said that while there was substantial proof of Lee’s complicity in aiding China, U.S. officials worked aggressively for years to gather enough evidence for prosecution, but found Lee to be a very savvy and difficult target given his extensive training in counter-spy defensive maneuvers.

But that former official and others said there were other complicating factors, including indications that China discovered at least some of its turncoats by intercepting and monitoring highly classified communications channels.

And even if Lee was engaged in espionage on behalf of China, the FBI and Justice Department would be extremely reluctant — as would the CIA — to disclose the evidence it had in a criminal prosecution, and how it was obtained, for fear of tipping off China to its sources and methods, according to Wilder and the former U.S. official.

Wilder also said investigators clearly suspected Lee of espionage, but might not have the proof to bring such a charge.

“That is the kind of thing that a covert officer would only collect in that way, to sell to somebody,” he said. “But the fact that they did not arrest him on espionage charges means that they did not have direct evidence of espionage with a foreign power. It doesn’t mean he wasn’t involved in that. But those cases are very hard to make. You need to have a very high standard [of evidence] to charge that. You need to demonstrate contact with a foreign power, the passing of information, you have to have proof that he took this information and that he gave it to somebody else.”

O’Brien’s affidavit suggests that the FBI waited at least eight months after the searches before interviewing Lee in May and June of 2013. He apparently then returned to Hong Kong. It’s unclear whether he has been in and out of the United States between 2013 and his arrest Monday night.

Wilder said the delay in arresting Lee suggested that the FBI was trying to put together more evidence but ultimately couldn’t.

“They obviously sensed that he was doing wrong,” Wilder said. “Waiting until 2018 to arrest him, I imagine that they were hoping to build a strong espionage case against him … If the information he had was provided to a foreign power, it would be very damning, whether it was connected to Beijing or not.”