clockwise from upper left: Sun, Wen, Wang, Huang, Gu
5-19-14 Defendants : Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, who were officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA). The indictment alleges that Wang, Sun, and Wen, among others known and unknown to the grand jury, hacked or attempted to hack into U.S. entities named in the indictment, while Huang and Gu supported their conspiracy by, among other things, managing infrastructure (e.g., domain accounts) used for hacking.
Victims : Westinghouse Electric Co. (Westinghouse), U.S. subsidiaries of SolarWorld AG (SolarWorld), United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. (ATI), the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW) and Alcoa Inc.
Time period : 2006-2014. Crimes : Thirty-one counts as follows (all defendants are charged in all counts).
https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor
Each provided his individual expertise to an alleged conspiracy to penetrate the computer networks of six American companies while those companies were engaged in negotiations or joint ventures or were pursuing legal action with, or against, state-owned enterprises in China. They then used their illegal access to allegedly steal proprietary information including, for instance, e-mail exchanges among company employees and trade secrets related to technical specifications for nuclear plant designs. Gu tested malicious e-mail messages and also managed the domain accounts used by the others.https://www.fbi.gov/wanted/cyber/gu-chunhui
Wen controlled victim computers. https://www.fbi.gov/wanted/cyber/wen-xinyu
.......................................................................................................................................................
5-21-14 The economic cost of cyber attacks to the US has been estimated to range up to a hundred billion dollars, and the US needs to find ways to stem the steady theft of information. ‘Our economic security and our ability to compete fairly in the global marketplace are directly linked to our national security’, said US Attorney General Eric Holder. https://www.aspistrategist.org.au/enough-is-enough-united-states-v-chinese-hackers/
.......................................................................................................................................................
9-28-16 Assistant Attorney General John Carlin confirmed the company’s findings that attacks were less voluminous but more focused and calculated. Chinese hackers may have shifted their focus to other targets. Kaspersky Labs reported Chinese hacking of Russian defense, nuclear, and aviation industries rose nearly threefold in the first seven months of 2016
A month after signing the agreement with the United States, China inked a similar deal with the United Kingdom, and, in November 2015, China, Brazil, Russia, the United States, and other members of the Group of Twenty accepted the norm against conducting cyber-enabled theft of intellectual property. The United States and China have also held two round of cyber talks between the U.S. Department of Homeland Security (DHS) and Chinese Ministry of Public Security (MPS), the first in December 2015, the second in June 2016. At these meetings, Washington and Beijing agreed on the guidelines for requesting assistance on cybercrime, discussed establishing a hotline, and conducted tabletop exercises. In August, the Ministry of Public Security reported that the hotline between DHS and MPS was up and running. https://www.cfr.org/blog/us-china-cyber-espionage-deal-one-year-later
.......................................................................................................................
4-28-17 U.S. cybersecurity firms witnessed a surge in computer intrusions affiliated with APT10 last summer — beginning around June 2016 — subsequently leading to a wider spread of victims and the discovery of new hacking tools and other capabilities apparently used by the group.
APT10 continues to be active. Most of the group’s recent intrusions have begun with a carefully crafted phishing email, experts say.
“Over the last year, they’ve hacked into organizations in Scandinavia, Brazil, South Korea and Japan to do economic espionage and for national security purposes,” said John Hultquist, director of cyber espionage analysis at iSIGHT Partners. https://www.cyberscoop.com/u-s-warns-emerging-global-cyber-espionage-campaign-chinese-hackers/
...............................................................
11-26-17 The Department of Justice charged three Chinese nationals working for an internet security firm in China with hacking three companies and stealing hundreds of gigabytes of data and trade secrets from Siemens AG, Moody’s Analytics and GPS maker Trimble between early 2011 and May 2017. Both the malware and the organization to which defendants Wu Yingzhuo, Dong Hao and Xia Lei belonged have previously been linked to the Chinese government.
Soo C. Song, acting U.S. Attorney for Western Pennsylvania, charged the Chinese men with conspiracy to commit computer fraud and abuse, conspiracy to steal trade secrets, wire fraud, and aggravated identity theft. Yingzhuo, Hao and Lei, according to the Justice Department, worked to steal “hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.” ...
“The three Chinese hackers work for the purported China-based Internet security firm Guangzhou Bo Yu Information Technology Company Limited (a/k/a ‘Boyusec’).” Boyusec, according to the anonymous group Intrusion Truth, was a front for APT3, aka Gothic Panda, Buckeye, UPS Team and TG-0110. The group traced domain name registration data from APT3 tools and domains to Wu Yingzhuo.
In May 2017, the security firm Recorded Future agreed that Boyusec is a Chinese government contractor linked to the APT3 group. The company attributed “APT3 to the Chinese Ministry of State Security and Boyusec with a high degree of confidence.”https://www.csoonline.com/article/3238828/security/us-charges-3-chinese-security-firm-hackers-with-corporate-cyber-espionage.html
..............................................................................................................
4-26-17 APT3 – also known as Gothic Panda, Buckeye, UPS Team and TG-0110 – was first reported in 2010 by FireEye in their report Hupigon Joins The Party. It is blamed for using a Remote Access Trojan named Pirpi in attacks against the US and UK. The Trojan is usually delivered through malicious attachments or links in spear-phishing e-mails and the group have a history of innovating new browser-based zero-day exploits. FireEye claim that it is one of the most sophisticated threat groups tracked by their Threat Intelligence arm. https://www.theregister.co.uk/2017/11/28/chinese_security_consultants_gps_siemens_moodys/
..................................................................................................................................
12-1-17 This hack was allegedly executed in conjunction with the Advanced Persistent Threat 3 hacking group who uploaded malware onto an ASIO employee’s laptop. The “ups” and “exeproxy” malware allowed the hackers to search for and copy private business information as well as user information. This was one of several attacks on data, where APT3 hackers are said to have penetrated Moody’s Analytics, Siemen’s Pittsburgh office and GPS company Trimble. https://thewarrencentre.org.au/asio-hacker-trio-charged-by-the-us/
......................................................................................................
Another target was the industrial conglomerate Siemens, and the phishing campaign netted at least two major staffers in the US in 2014. Using stolen login credentials Dong is accused of stealing 407GB of proprietary information from its energy, technology and transport departments.
The following year the trio is accused of accessing the servers of engineering firm Trimble, which is working on the GPS satellite network's hardware. The firm had spent millions and three years developing a new kind of antenna for commercial global positioning satellites, and it appears this technology was the target.
Last January, Wu got into the Trimble servers, it is claimed, and prepared a 252MB .zip archive containing trade secrets. The file contained 773 pages of technical specifications, business documents and design blueprints, as well as plans to bring the new hardware to market, we're told.
The firm suffered two more intrusions that month, with smaller amounts of data being stolen, including subscriber information, it is claimed. In all around 275MB of material was removed.
"The fruits of these cyber intrusions and exfiltration of data represent a staggering amount of dollars and hours lost to the companies in terms of research, development, testing, trade secrets and the cost to remediate these cyber intrusions," said Soo Song. https://www.theregister.co.uk/2017/11/28/chinese_security_consultants_gps_siemens_moodys/
..............................................................................................................................
7-4-17 BERLIN (Reuters) - Germany is a big target of spying and cyber attacks by foreign governments such as Turkey, Russia and China, a government report said on Tuesday, warning of “ticking time bombs” that could sabotage critical infrastructure.
Industrial espionage costs German industry billions of euros each year, with small- and medium-sized businesses often the biggest losers, the BfV domestic intelligence agency said in its 339-page annual report. https://www.reuters.com/article/us-germany-espionage/germany-big-target-of-cyber-espionage-and-attacks-government-report-idUSKBN19P0UC.
.............................................................................................................................
10-16-17 The cyber espionage group known as Bronze Butler and Tick continues to target Japan using custom-built malware. Evidence found by researchers suggests that the actor is based in China.
The first report on Tick was published in April 2016 by Symantec. However, the security firm pointed out at the time that the threat group had likely been active for at least a decade prior to its activities being discovered.
Tick has been known to use a downloader tracked as Gofarer and a data-stealing Trojan dubbed Daserf. A report published by Palo Alto Networks earlier this year linked the custom-built Daserf malware – based on command and control (C&C) servers – to a threat known as Minzen, XXMM, Wali and ShadowWali.
The first Tick attacks detailed by Symantec focused on technology, aquatic engineering, and broadcasting firms in Japan. Palo Alto Networks reported seeing campaigns aimed at defense and high-tech organizations in Japan and South Korea.
A new report published last week by SecureWorks links Tick to China based on several pieces of evidence. For example, the group uses T-SMB Scan tools created by a Chinese developer, an early version of the Minzen backdoor used Chinese characters in a service name, and there are links between Daserf and the NCPH group, which has been tied to the Chinese military.
Experts also pointed out that Tick activity has typically decreased during Chinese national holidays, and targeting intellectual property and economic intelligence from competing countries is something China has been known to do.
The attacks observed by the security firm were aimed at Japanese organizations in the critical infrastructure, manufacturing, heavy industry and international relations
sectors....Once it no longer needs any information from a target, Tick attempts to remove all evidence of its activities on the compromised networks. https://www.securityweek.com/tick-cyber-espionage-group-linked-china
.....................
5-2-17 A cyber espionage group has targeted analysts working at major financial firms using a recently patched Microsoft Office vulnerability, Proofpoint reported last week.
The threat actor, tracked by the security firm as TA459, has been active since at least 2013 and it’s believed to be operating out of China. The cyberspies have been known for using malware such as NetTraveler (aka TravNet), PlugX, Saker, Netbot, DarkStRat, and ZeroT in attacks aimed at organizations in Russia and neighboring countries.
Proofpoint recently detailed a series of attacks launched by the group against military and aerospace organizations in Russia and Belarus.
On April 20, researchers spotted a campaign aimed at global financial firms operating in Russia and neighboring countries. Given that the attacks were apparently aimed at analysts covering the telecommunications industry, experts believe this latest operation is likely a continuation of a similar campaign first analyzed in the summer of 2015.
In the recent attacks, TA459 sent out spear-phishing emails containing a Word document set up to exploit a recently patched remote code execution vulnerability tracked as CVE-2017-0199. The attackers started leveraging this flaw just days after Microsoft released a fix.
When the malicious document is opened, an HTML application (HTA) file disguised as an RTF document is downloaded. PowerShell is then used to download and execute a script that fetches and runs the ZeroT downloader. https://www.securityweek.com/china-linked-spies-use-recent-zero-day-target-financial-firms
............................
7-24-17 A China-linked cyber espionage group tracked by security firms as Lotus Blossom, Elise, Esile and Spring Dragon has used more than 600 malware samples in its attacks over the past years, according to Kaspersky Lab.
Spring Dragon has been around since at least 2012, but there is some evidence suggesting that it may have been active since 2007. The state-sponsored threat group has mainly targeted military and government organizations in Southeast Asia.
Kaspersky Lab learned recently from a research partner in Taiwan of new attacks launched by the group. Data collected by the security firm indicates that the APT actor has also targeted political parties, universities and other educational institutions, and companies in the telecommunications sector.
The cyberspies appear to focus on countries around the South China Sea, including Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia and Thailand.
The threat actor has been using a wide range of tools, including backdoors that can download other files to the compromised machine, upload files to a remote server, and execute files and commands. Kaspersky Lab has identified a total of more than 600 malware samples used over the past years. https://www.securityweek.com/over-600-malware-samples-linked-chinese-cyberspy-group
................................................................................................
9-1-17 A recently observed KHRAT remote access Trojan (RAT) infection campaign uses updated spear phishing, download and execution techniques, Palo Alto Networks security researchers warn.
KHRAT is a backdoor associated with the China-linked cyber espionage group known as DragonOK, which has been previously known to use malware such as NetTraveler (akaTravNet), PlugX, Saker, Netbot, DarkStRat, and ZeroT in attacks against organizations in Russia and other surrounding countries. The recent campaign featuring the RAT targets victims located in Cambodia.
The malware was designed to register victims using their machine’s username, system language and local IP address, while also providing attackers with the typical set of RAT features, including remote access to the victim system, keylogging, screenshot taking capabilities, remote shell access, and the like. https://www.securityweek.com/china-linked-khrat-operators-adopt-new-delivery-techniques
...........................................................................................................................................
6-4-13
Led by a group researchers have codenamed Red Star, the campaign is focused on stealing information related to aerospace, nanotechnology, nuclear power cells, lasers, drilling, manufacturing in extreme conditions, and radio wave weapons, Costin Raiu, senior security researcher and director of the Global Research and Analysis Team at Kaspersky Lab, told attendees at the Kaspersky Lab Government Cybersecurity Forum in Washington, DC this morning. Vast amounts of sensitive data have already been compromised from over 350 organizations in over 40 countries, including the United States, United Kingdom, and Canada, Raiu said.
The attack campaign, codenamed Operation NetTraveler, relied on spear phishing to trick targeted individuals into opening a booby-trapped Word document. Once opened, the malicious code established communication with the command-and-control servers to download additional malware and transferred stolen information.
It appears the campaign was focused on cyber-espionage, not sabotage, Raiu said, noting that the malware infected both the private and public sectors, such as embassies, research centers, military contractors, oil and gas companies, and even activists.
The malicious documents targeted the CVE 2012-0158 and CVE-2010-3333 vulnerabilities, both of which have already been patched by Microsoft. These vulnerabilities are popular among various attack groups, and have been used in several recent attacks, Raiu said....
Raiu said researchers found hints linking Red Star to another hacking group with the same name known to have over 80 thousand members. Kaspersky Lab is not sure yet if there is a relationship between these two groups.
There is a common misperception that all these cyber-espionage campaigns are disconnected and operate independently, Raiu said. In reality, all these groups are interconnected.
“There is just one big ugly gorilla with a thousand heads, and we haven't seen them all yet,” Raiu said. https://www.securityweek.com/chinese-hacking-group-linked-nettraveler-espionage-campaign
This comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDelete