Chinese cyberspies are evolving their tactics, focusing on IT staffers, relying more and more on spear-phishing instead of malware, and gathering code signing certificates from hacked software companies in the preparation of future supply-chain attacks.
Experts analyzed the TTPs (tactics, techniques, and procedures) used across the years by a group previously referred to as Winnti, after the name of one of its main tools, the Winnti backdoor.
Now, 401TRG analysts refer to the group as Winnti Umbrella, a generic term describing a large part of the Chinese intelligence apparatus, as several previously separate cyber-espionage groups appear to use the same tactics and infrastructure as the original Winnti group (also known in some reports as Axiom or APT17).
After years of observing operational mistakes and reuse of older attack infrastructure, researchers say that previously separate advanced persistent threats (APTs) such as BARIUM, Wicked Panda, GREF, and PassCV now appear to share Winnti techniques and some of their infrastructure.
"TTPs, infrastructure, and tooling show some overlap with other Chinese-speaking threat actors, suggesting that the Chinese intelligence community shares human and technological resources across organizations," 401TRG experts say. "We assess with medium to high confidence that the various operations described in this report are the work of individual teams, including contractors external to the Chinese government, with varying levels of expertise, cooperating on a specific agenda."
Nowadays, the APTs that are part of the Winnti Umbrella group appear to follow a common hacking/operational pattern.
First and foremost, attackers appear to favor spear-phishing individual targets, preferring to collect credentials and then log into accounts without using malware to establish an initial foothold.
"We have observed spear-phishing campaigns that target human resources and hiring managers, IT staff, and internal information security staff, which are generally very effective," 401TRG experts said about the 2017 campaigns.
Hackers focus on collecting network credentials and then spreading laterally inside a company.
Attackers then use a technique known as "living off the land," which refers to using locally installed applications for malicious purposes. Tools often used in these intrusions include standard Windows utilities, but also penetration testing frameworks such as Metasploit and Cobalt Strike. Malware is deployed only when necessary, since attackers fear detection, which often means losing their foothold on a target's network.
In 2018, tactics shifted only slightly: attackers focused their efforts primarily on breaking into Gmail and Office 365 accounts, but continued to target IT staffers.
The targeting of IT employees suggests the group is looking for workstations with greater access to internal networks.
"Key interests during attacks often include the theft of code signing certificates, source code, and internal technology documentation," researchers said.
"They also may attempt to manipulate virtual economies for financial gain. While unconfirmed, the financial secondary objective may be related to personal interests of the individuals behind the attacks," researchers added.
But code signing certificates appear to be the primary goal of all the different APTs operating under the "shared goals" of the Winnti Umbrella.
The targeting of code signing certificates is also why the hackers focus many of their attacks on software and gaming organizations in the United States, Japan, South Korea, and China, organizations that are more likely to possess such certificates.
This suggests Winnti Umbrella groups are gathering resources and planning a supply-chain attack to poison official software with malware, where a valid code signing certificate is crucial for hiding the compromise as long as possible. Such attacks were all the rage in 2017, as seen in the NotPetya and CCleaner incidents.
Still, Chinese hackers also know a few things about supply-chain attacks themselves. In 2017, Chinese cyberspies compromised NetSarang, a South Korean software maker, and hid a backdoor in some of its software packages.
Another report also highlighted their increased focus on hacking cloud providers for the same reason: to gain access to cloud-based applications that would give them easy access to corporate data and internal networks.