The Chinese government appears to have centralized control over several hacking groups previously believed to be separate threat actors, the BlackBerry Cylance Threat Intelligence security researchers say.
The investigation into the activity of these groups was triggered by a recent Area 1 report (PDF) suggesting that Chinese groups were able to compromise diplomatic cables belonging to the European Union and accessed sensitive information belonging to the United Nations.
Over 100 additional organizations (including foreign and finance ministries, think-tanks and trade unions) were apparently hacked by groups linked to the Chinese government’s Strategic Support Force (SSF), a Chinese military organization, the report revealed.
One of the indicators of compromise in the report was a domain apparently used as a command and control (C&C) server, which the BlackBerry Cylance security researchers have linked to a host of disparate Chinese APT groups.
The researchers also found evidence that different Chinese APT groups have been using the same malware – and in some cases, the same exploit builder.
China’s SSF, the security researchers explain, was created in 2015 after the reorganization of “disparate Chinese military units responsible for space operations, electronic warfare, information operations, psychological operations, espionage, technical reconnaissance, and network warfare.”
The Third Department of the People’s Liberation Army (PLA), which the U.S. Justice Department refers to as the “APT 1” actor, is one of these units. The actor is focused on targeting external entities.
What BlackBerry Cylance found was a connection with other Chinese government efforts to spy on internal groups, a task normally performed by the National Security Commission or the Ministry of State Security.
The MSS, which is also referred to as APT10 or menuPass, was recently named by the U.S. Justice Department in two indictments and was also named by the U.S.-China Economic and Security Review Commission as the actor likely behind the OPM breach.
One of the main targets of the MSS is the groups known informally as the Five Poisons: Uyghurs, Tibetans, Falun Gong, the Chinese democracy movement, and the movement for Taiwan’s independence.
Operations targeting these groups often employed a malware family known as “Reaver,” which was also associated with malware such as SunOrcal and SUTR.
The group behind Reaver, BlackBerry Cylance now says, has used “some of the same infrastructure as the group behind the Area 1 attacks on the European Union and United Nations (ostensibly, the military SSF).”
The researchers linked an IP used by the C&C domain mentioned in the Area 1 report with Reaver activity, including recent malware samples; these newer samples use a different encoding for the relative address string lookup table and for the configuration data.
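The pivot described above (a C&C domain from one report resolves to an IP, and that IP is also contacted by samples of another family) is a routine infrastructure-overlap analysis. The following is an added illustration, not code or data from BlackBerry Cylance or Area 1: all domains, IPs and sightings below are constructed placeholders (RFC 5737 addresses and `.example` names), and the family labels are only meant to mirror the roles in the article. It expands each sighted domain to the IPs it resolved to, lists indicators shared by more than one family, and then clusters families that are transitively connected through shared infrastructure.

```python
"""Infrastructure-overlap pivot across malware families (added example).

All records here are constructed for illustration; none are real IoCs.
"""
from collections import defaultdict

# Constructed passive-DNS style data: domain -> set of IPs it resolved to.
RESOLUTIONS = {
    "c2-domain.example": {"192.0.2.10"},                 # domain from "report A"
    "reaver-stage.example": {"192.0.2.10", "192.0.2.11"},
    "unrelated.example": {"198.51.100.5"},
}

# Constructed sample sightings: (family label, indicator contacted by the sample).
SIGHTINGS = [
    ("Area1-actor", "c2-domain.example"),   # stands in for the Area 1 report's C&C domain
    ("Reaver", "192.0.2.10"),               # Reaver sample beaconing straight to the IP
    ("Reaver", "reaver-stage.example"),
    ("Sparkle", "192.0.2.11"),
    ("Control-family", "198.51.100.5"),     # unrelated family, should stay separate
]


def build_index(sightings, resolutions):
    """Map every indicator (domain and the IPs it resolved to) to the families seen using it."""
    index = defaultdict(set)
    for family, indicator in sightings:
        # A sighted domain pivots to each IP it resolved to; an IP stands on its own.
        for ind in {indicator} | resolutions.get(indicator, set()):
            index[ind].add(family)
    return index


def shared_indicators(index):
    """Indicators observed with more than one family: the overlap points worth reporting."""
    return {ind: fams for ind, fams in index.items() if len(fams) > 1}


def cluster_families(index):
    """Union-find over families: two families join a cluster if they share any indicator."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for fams in index.values():
        ordered = sorted(fams)
        for fam in ordered:
            find(fam)                       # register singletons too
        for a, b in zip(ordered, ordered[1:]):
            parent[find(a)] = find(b)

    groups = defaultdict(set)
    for fam in parent:
        groups[find(fam)].add(fam)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


if __name__ == "__main__":
    idx = build_index(SIGHTINGS, RESOLUTIONS)
    for ind, fams in sorted(shared_indicators(idx).items()):
        print(f"{ind} shared by {sorted(fams)}")
    print("clusters:", cluster_families(idx))
```

The clustering is deliberately transitive: Sparkle never touches the report's domain, but it shares an IP with Reaver, which shares an IP with the report's actor, so all three land in one cluster while the control family stays apart. In practice the analyst still has to judge whether a shared IP is a genuine link or just shared hosting, which is why the overlap list is returned separately from the clusters.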
The newer Reaver network infrastructure also led the researchers to the discovery of a new type of backdoor deployed in very limited instances, which they call Sparkle. They also discovered a unique Reaver downloader.
One of the ways the malware was delivered was an exploit document leveraging CVE-2017-11882 and using a technique that first became popular in 2014.
After identifying similar documents directly related to the group behind Reaver, they also found documents that had previously been attributed to “Gobelin Panda” and which dropped the “Sisfader RAT.”
Gobelin Panda, a.k.a. Goblin Panda, is known for the targeting of defense, energy, and government organizations in South Asian countries – especially Vietnam.
“Though we are not able to determine whether Gob(e)lin Panda is associated with the MSS or the SSF, it is clear to us that the exploit builder used in the set of samples we have discussed above has been shared across multiple Chinese APT groups, including Leviathan, Temp.Periscope and Kryptonite Panda,” BlackBerry Cylance says.
The observed domains were registered using a generic address for the hosting provider (www.nuo[.]cn), which “has a direct link to the Chinese group or groups using or sharing this infrastructure, going all the way back to 2013.”
“After a close technical analysis of a set of tools and infrastructure used by several suspected Chinese state or state-sponsored actors over nearly a decade, we were able to establish and/or confirm connections between them – connections that provide insight into a dynamic set of actors whose targeting has changed dramatically over the years,” BlackBerry Cylance concludes.