Non-Government Organization in Support of Government Hopes

Red Team analysis is the process of viewing a situation from the perspective of an adversary, providing insights beyond those that might otherwise be limited by normative biases. This blog assesses one company’s foray into the popular APT outing trend in the context of China’s cyber buildup and what that could mean for future U.S. cyber espionage endeavors.

Got APT?

Outing state-sponsored cyber activities has become commonplace over the last few years since the release of Mandiant’s watershed APT1 report. While researchers across a diverse pool of companies have disclosed apparent state-sponsored activities, there has been a dearth of disclosures of U.S. state-sponsored activity – until recently.

Prior to last year, the only substantive revelation of possible U.S. cyber activity came when Stuxnet was first discovered in mid-2010, marking a step change in public knowledge of what state-sponsored threats were actually capable of doing. Fast forward to 2015, and Kaspersky published the first comprehensive overview of “Equation Group” espionage activity presumed to be U.S. state-sponsored. It didn’t take long before media outlets and other security companies were combing through Kaspersky Lab’s research and the infamous Snowden leaks to find possible links between the two. Kaspersky Lab, along with FireEye, Symantec, Trend Micro and Palo Alto Networks, are global leaders when it comes to trendy APT reports.

China Enters the Scene – Establishing a New Cyber Presence

China has long endeavored to keep up with the United States and Russia in most aspects of warfare. In 1993, China began a systematic long-term effort to modernize its military and close the gap with the other world powers. In 2011, laws governing conscription were changed, allowing college graduates to serve more effectively. On the cyber front, in 2014 China established the Cyberspace Administration of China (CAC), which is in charge of all censorship, oversight and general control of the Chinese Internet on behalf of the PRC. Keeping in stride with major reform, China completely overhauled its military structure, beginning anew on December 31, 2015. This overhaul saw the creation of a more centralized military cyber engagement element called the Strategic Support Force (SSF).

Finally, continuing its aggressive push to invigorate its cyber operations and possibly outpace its perceived adversaries, China created the Cybersecurity Association of China (CSAC) in March 2016. This newest element in the cyber arena was established as a non-profit organization under the CAC and designed as an industry association bridging the gap between government and industry. It also gives China a seemingly non-government face for handling international cybersecurity issues, as seen early this year with GitHub. Its official mandates include:

  • “Laws and regulations helping to build out the new information and communications technology (ICT) legal regime,
  • Technology support helping to boost the domestic ICT industry,
  • Public opinion supervision to help in information control and propaganda,
  • Security and stability of information systems, products, and services (conventional cybersecurity),
  • Protecting core Chinese interests under globalization, and promoting globally competitive Chinese IT companies.”

The CSAC board consists of thirteen individuals from prominent Chinese organizations. It includes Fang Bingxing, the proverbial ‘Father of the Great Firewall of China’, along with individuals from Antiy Labs, Qihoo 360, Baidu, Alibaba, Xi’an Jiaotong University, Tencent, Huawei, and a few others. The makeup of this leadership implies an inherent focus on information access and defense specialties.

Antiy Labs – A New Mouthpiece?

Until recently, U.S. companies and Russia’s Kaspersky Lab have mostly led the charge in exposing APT-related activity, with a few other, predominantly European, companies following suit. A Chinese anti-virus company, Antiy Labs, has now joined the party, recently publishing a purported Equation Group related disclosure. Antiy Labs has published a limited number of APT-related research articles over the past three years but has not received the level of international press coverage that its western counterparts have.

Looking at the report, Antiy researchers claimed to have found Equation Group related malware. The research is fairly in-depth, but the researchers provided no hash values, limiting outside analysts’ ability to validate their findings. However, using the data provided, some of their research initially seems to correlate with prior Equation Group data first disclosed by Symantec, focused on the now infamous Grayfish malware.

Antiy Labs is a very prominent company in Chinese network defense. It has dabbled in APT-related research in the past but, as mentioned previously, that work was limited in quantity and exposure. If not already in place, Antiy now has the potential to develop broader information sharing procedures within the confines of the mandates governing the CSAC. The formation of the CSAC has officially brought together major communications partners and potentially large-scale data sharing access with companies looking to discover and disclose state-sponsored activities.

The formation of the CSAC and the growing involvement of prominent Chinese companies such as Antiy in APT research likely signals an escalation of efforts by China to find and expose state-sponsored cyber operations working within China, especially those from the U.S. or Russia. It is also extremely likely that other Chinese companies will follow suit, bringing additional APT research to light.
