The Path to Mass-Producing Cyber Attacks

Lines of people, lines of parts. The modern production line is composed of individuals contributing to a larger process. This common manufacturing approach is efficient, effective, and profitable.

Now it appears cyber attack groups in the world’s largest manufacturing country are using a similar approach to infiltrate targeted networks and compromise data – collaborating for increased efficiency and effectiveness.

FireEye Labs have published a report – Operation Quantum Entanglement – that details two attack campaigns by different groups in separate regions of China, apparently operating in parallel.

The first group, named Moafee, appears to operate from the Guandong Province. Its targets include the military organizations and governments of countries with national interests in the South China Sea, including some within the U.S. defense industrial base. Moafee may have chosen its targets based on the rich resources of South China Sea region – the world’s second business sea-lane, according to Wikipedia – including rare earth metals, crude oil, and natural gas.

The second group, known as DragonOK, targets high-tech and manufacturing companies in Japan and Taiwan. This may indicate they’re acquiring trade secrets for a competitive economic advantage in the area. DragonOK appears to operate out of China’s Jiangsu Province.

It seems that both groups, while operating in distinctly different regions, either 1) collaborate, 2) receive the same training), 3) share a common toolkit supply chain, or 4) some combination of these scenarios, which means they are employing a ‘production line’-type approach to initiating cyber attacks to breach defenses.

Mirroring Each Other

Both campaigns use similar tools, techniques and procedures (TTPs) – including custom-built backdoors and remote-administration tools (RATs) to infiltrate their targets’ networks.

Moafee and DragonOK both use a well-known proxy tool – HUC Packet Transmit Tool (HTRAN) – to disguise their geographical locations. Both utilize password-protected documents and large file sizes to disguise their attacks. These approaches, along with other similarities in TTPs we’ll review below, seem to indicate the groups are affiliated in some way and have at least some commonality in their attack campaigns.

quantum1

A third, separate group also appears to be using the same TTPs, including the same custom backdoors and RATs; however, FireEye researchers do not have enough insight to reliably report a definitive connection to the Moafee and DragonOK groups.

Hidden from Sight

Both Moafee and DragonOK favor spear-phishing emails as an attack vector, often employing a decoy to deceive the victim. The emails are well crafted and audience specific, even written in the intended victim’s native language.

Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document. We also observed both groups using decoy documents that are presented to the victim while the malware runs in the background.

The groups both use common, and multiple, methods to hide their activities. Employing sandbox environments, antivirus software and gateway firewalls, they do their best to remain unobtrusive. Methods include:

  • checking for the number of core processors (and quitting if only one is detected);
  • attaching password-protected documents and providing a password in the email contents; and
  • sending large files padded with unnecessary null bites to slide past network- and host-based AV engines that can’t scan larger files.

Tools of the Trade 

The two different operators seem to share backdoors and RATs – some of which are custom; others are publicly available. Overlapping tools include:

  • CT/NewCT/NewCT2
  • Mongall
  • Nflog
  • PoisonIvy

We observed Moafee running HTRAN proxies on their multiple Command and Control (C2) servers – all operated on CHINANET, and hosted in Guangdong Province.

Like the Moafee group, we observed DragonOK running HTRAN to proxy their C2 servers, which are also operated on CHINANET but are hosted in the Jiangsu Province.

Summary

Primarily focused on governments and military operations of countries with interests in the South China Sea, Moafee likely chooses its targets based on region’s rich natural resources. By targeting high-tech and manufacturing operations in Japan and Taiwan, DragonOK may be acquiring trade secrets for a competitive economic advantage.

While their targets and missions appear different, our researchers found enough linking evidence to demonstrate a relationship between Moafee and DragonOK, and perhaps even a third attack group. By sharing TTPs and coordinating joint attacks, these advanced threat actors are leveraging China’s supply chain economic expertise to perform extensive worldwide espionage.