APT all the things!

One larger APT links a lot of campaigns

thaddeus t. grugq
Jul 11, 2018

This article cites a report which links a large number of cyber operation campaigns to the same umbrella group. Essentially, although there are some differences between the campaigns, all the direction and management is from a larger organisation. This is quite interesting, and I’ll look at that more deeply in a follow-up post. For now, here are some quick thoughts about this umbrella group.

Gone phishing, catch you later.

The Winnti umbrella crew has developed a winning playbook and they’ve stuck to it. It is pretty clever in its own right. There are three phases involved in this style of operation.

Phase one

  1. Hit a weak company and steal legit signing certs

Phase two

  1. Use cloud-targeted phishing to access sensitive data (e.g. network diagrams, logins, whatever)
  2. Target dependent: after dissident groups got hacked so frequently using Microsoft Office, they migrated to online document production and handling, and the threat from malicious attachments was greatly reduced. To counter this, the APTs targeting them switched to phishing logins because exploits were no longer useful. The next phase will be when the dissident groups finally adopt 2FA and mitigate login phishing.
  3. The team then analyses their first stage take and tries to find information that will allow them to breach their target
  4. To reduce their threat profile they use malware signed with legitimate keys, and use living off the land to minimise their forensic traces

The targeting is all very standard stuff in line with Chinese policy. Internal dissidents, external trade partners, etc.

There has been only sporadic reporting on this group, probably because their targeting is internal to China and regional powers.

Now it gets interesting

If they’re the same crew that did Bit9 that would be impressive. The Bit9 attack was essentially a cyber-enabled supply chain attack. The real target was protected by Bit9 software that would hinder their standard operational procedures, preventing them from accomplishing their mission goals. The standard “pilfered Korean gaming software cert” wouldn’t work, so they went straight for the jugular. Stole the Bit9 cert to allow them to masquerade as a legitimate piece of infrastructure and conduct their op(s).

This is very cool targeting, one of the things at which Chinese APTs can really excel. For example, the collection of OPM, Anthem and United allowed them massive insight into the US government’s personnel. The RSA hack to get access to Lockheed followed a similar sequence, “get the key to open the door to reach the target,” the exact same style of operation as the Bit9 hack.

Umbrella group…probably an agency

The “umbrella group” designation implies to me that this is not a single crew operating under a rigid hierarchy, but rather a set of crews with designated responsibilities. Managing this must require considerable managerial acumen…a functional bureaucracy, basically.

  • Selecting targets for certificate theft,
  • managing which certificates to use and which have been blown;
  • distributing them to the dev crews to prep malware;
  • training and adapting the operators to use new tradecraft;
  • setting up infrastructure, and
  • planning ops themselves.

I can totally believe in discrete units handling roles, along with the management and support personnel. It wouldn’t be a surprise if there were specialised units within this umbrella crew that work on specific campaigns, targets, or operational requirements.

OPSEC fail, meh, it happens

Mistakes are bound to happen; humans make human errors. The root cause of the IP leak that links this umbrella group to a building in China was failure to ensure proper compartmentation regardless of human error. It should not have been possible to contact any operational infrastructure without being properly masked. They failed to build this compartment wall for their OPSEC, thus creating a vulnerability in their defences.

The reporting is playing this up as an OPSEC fail (lol, dumb APT) but the real story is a marvel of management. Even the periods of sloppiness might be attributable to new recruits being trained up or new tooling and tradecraft adaptations being adopted. This is a group that has been in continual operation for over a decade. They have adapted their tradecraft to maintain efficacy against improving defences by their targets. They must have brought in new people, had people retire, plus developed new toolsets and tradecraft. There is a lot going on.

The political focus, the good tradecraft and ongoing adaptations suggest this is a professional force. The longevity also indicates it is a professional crew. Most hacker crews fizzle out after a few years. These guys are still changing with the times and still operating.

Finally

As for the OPSEC failure, it is impressive that they survived a decade without being attributed. Maybe the real lesson here is that surveillance capitalism blows everyone’s privacy.
