Towards the end of 2017, Chinese cyber-spies engaged in a hacking spree that targeted at least four US think tanks and an additional two non-governmental organizations (NGOs), researchers from US firm CrowdStrike revealed in a report published last week.

The attacks started in late October and followed a similar pattern: the attackers infected targets and deployed the Mimikatz credential harvester and the China Chopper web shell on affected servers.

Attackers collected the emails of employees, stole credentials, and deployed second-stage malware. Intruders also used malware to search for and steal documents containing terms such as “china,” “cyber,” “japan,” “korea,” “chinese,” and “eager lion” (codename of a US military exercise).

Think tanks are the Holy Grail of nation-state groups

"Think tank" is a term used predominantly in the US to describe organizations that perform research concerning topics such as social policy, political strategy, economics, military, technology, and culture.

In the US geo-political landscape, government agencies hire think tanks to explore military and political scenarios and devise possible outcomes for upcoming government decisions and world events. Think tanks also often run fictive war games.

An attacker with access to research carried out by think tanks will learn of the government's future plans or the type of political and military scenarios the government is currently exploring.

"China’s renewed interest in targeting Western think tanks and NGOs is hardly surprising given President Xi Jinping’s call to improve China’s think tanks, a response to myriad new strategic problems facing China as it seeks greater influence as a global player," CrowdStrike researcher Adam Kozy notes.

Kozy says attackers were particularly interested in the "communications of foreign personnel involved in Chinese economic policy research and the Chinese economy, as well as users with noted expertise in defense, international finance, U.S.-Sino relations, cyber governance, and democratic elections."

Chinese cyber-spies targeted a think tank for days

In one particular case, Chinese hackers targeted a think tank organization working on an ongoing military research project for four days without success.

As with many of the currently observed Chinese targeted intrusions, the adversary attempted to use China Chopper for reconnaissance and lateral movement after logging in via an account compromised by spear phishing. As is prevalent among CrowdStrike customers, webshell blocking was enabled in the Falcon platform, which prevented the actor from using the webshell to run any commands.

The operator attempted to access the server using the China Chopper shell for four days in a row, showing particular dedication to targeting this endpoint. The actor attempted several whoami requests during normal Beijing business hours. On the fourth day, after repeated failures, subsequent access attempts occurred at 11 p.m. Beijing time. This after-hours attempt was likely conducted by a different operator, or possibly someone called in to troubleshoot the webshell. After a quick series of tests, the activity ceased and no attempts were made over the weekend. Except for the 11 p.m. login, the observed activity suggests that the adversary is a professional outfit with normal operating hours and assigned tasks.

On the following Monday, the actors returned, logging into the same user account and attempting a different shell, however, this attempt was also quickly staunched by CrowdStrike Services. After being forced out again, the actor appeared to switch tactics and returned via the same account to conduct a SQL injection on the web server. When the attempt failed yet again, the user signed out and a separate host began conducting a low-volume DDoS attack on the think tank’s website.

An end to smash-and-grab operations

This attack, and the campaign as a whole, surprised CrowdStrike researchers because of the manner in which it was carried out: a focus on stealth and a smaller number of targets, with a high degree of persistence and dedication in trying to compromise a pre-determined organization.

For years, Chinese cyber-espionage groups operated using a tactic described as "smash-and-grab." Chinese state hackers compromised everything and everyone and stole anything that they could get their hands on.

In the past, Chinese groups have rarely been seen putting so much effort into compromising a narrow set of targets, but this seems to have changed this year.

In the grand scheme of things, the attacks and modus operandi that CrowdStrike discovered fit with reports from other cyber-security firms, which also noticed that Chinese cyber-spies shifted from smash-and-grab to targeted attacks.