A coordinated Chinese intelligence network has been linked to increasing sightings of the malware said to have been used in an earlier attack on a Vietnamese gaming company, and a series of other attacks between 2009 and 2018 has been concluded to be part of Chinese state intelligence operations, a cybersecurity researcher said.
In May 2018, Tom Hegel of AT&T Alien Labs, a cybersecurity research firm, established a connection between several previously unconnected, publicly disclosed cyber attacks using the Winnti malware and said they were part of a coordinated intelligence effort originating from China.
“The purpose of this report is to make public previously unreported links that exist between several Chinese state intelligence operations. These operations and the groups that perform them are all linked to the Winnti umbrella and operate under the Chinese state intelligence apparatus. Contained in this report are details about previously unknown attacks against organizations and how these attacks are linked to the evolution of the Chinese intelligence apparatus over the past decade,” the study reads about the purpose of the research.
Results of the study reveal that the initial attacks targeted software and gaming organizations in the United States, Japan, South Korea, and China, but later, larger attacks were said to be politically motivated and targeted at high-profile technology companies.
While the organization often experiments with other forms of break-in, new tooling, and attack methodologies, the study suggested that the use of the Winnti umbrella has been very consistent throughout the attacks linked to the Chinese organization.
“The theft of code signing certificates is a primary objective of the Winnti umbrella’s initial attacks, with potential secondary objectives based around financial gain,” the researcher said in the publication of his results.
According to the study, the Winnti umbrella has been used in cyber attacks since 2009, with some reports suggesting activity as early as 2007. The researcher was deliberate in calling the malware an “umbrella”, as the term refers explicitly to an “overarching entity consists of multiple teams/actors whose tactics, techniques, and procedures align, and whose infrastructure and operations overlap.”
One of the most alarming results of the study is how the researchers were able to build connections among the different attacks. The research showed that while the primary goal of the attacks was economic, their long-term objective is politically motivated, thus linking the umbrella to the Chinese intelligence network.
“It’s important to note that not all publicly reported operations related to Chinese intelligence are tracked or linked to this group of actors. However, TTPs, infrastructure, and tooling show some overlap with other Chinese-speaking threat actors, suggesting that the Chinese intelligence community shares human and technological resources across organizations,” the study reads.
According to Hegel’s Twitter post, the attacks associated with the malware umbrella start with a phishing email. Once inside, the attackers steal internal technical documents and code signing certificates, sometimes modify source code, and even seek cryptocurrency.
Recent Winnti Sighting
A week ago, researchers also found a Linux version of the Winnti malware. The discovery was made by researchers from Chronicle, Alphabet’s cybersecurity division. They revealed that the Linux variant works as a backdoor on infected hosts, granting attackers access to compromised systems. It was the malware used by Chinese hackers in the high-profile cybercrime against a Vietnamese game company in 2015.
Chronicle researchers said that they discovered the malware following news that Bayer, one of the biggest pharmaceutical companies in the world, had been hit by Chinese hackers and that the Winnti malware had been discovered on its servers.
After the team scanned Bayer’s systems using its VirusTotal platform, it found what appeared to be a Linux variant of Winnti, dating back to 2015, when it was first used by Chinese hackers to attack a Vietnamese gaming company.
“As with other versions of Winnti, the core component of the malware doesn’t natively provide the operators with distinct functionality. This component is primarily designed to handle communications and the deployment of modules directly from the command-and-control servers. During our analysis, we were unable to recover any active plugins. However, prior reporting suggests that the operators commonly deploy plugins for remote command execution, file exfiltration, and socks5 proxying on the infected host. We expect similar functionality to be leveraged via additional modules for Linux,” said the researchers in their comprehensive report.
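The report above notes that the operators commonly deploy a socks5 proxying module on the infected host, which means a compromised server quietly starts answering SOCKS5 handshakes from other machines. The following is an added example (not Chronicle's code and not a sample of the malware) of how a defender could spot that from network telemetry: it parses the first client-to-server bytes of each flow for a well-formed SOCKS5 greeting (RFC 1928) and reports internal hosts that receive such greetings but are not on an allow-list of sanctioned proxies. The flow records, addresses, ports and the allow-list are all constructed for illustration.

```python
"""Heuristic detector for unexpected SOCKS5 servers inside a network.

Added example, not Chronicle's or the malware authors' code. All flow
records, hosts and ports below are constructed sample data.
"""
from dataclasses import dataclass

# SOCKS5 greeting layout (RFC 1928): VER=0x05, NMETHODS, METHODS[NMETHODS]
SOCKS5_VERSION = 0x05


def _is_plausible_method(m: int) -> bool:
    # 0x00 no auth, 0x01 GSSAPI, 0x02 username/password (RFC 1928);
    # 0x80-0xFE are reserved for private methods. 0xFF is "no acceptable
    # methods" and only appears in the server reply, so we reject it here.
    return m in (0x00, 0x01, 0x02) or 0x80 <= m <= 0xFE


def looks_like_socks5_greeting(payload: bytes) -> bool:
    """Return True if the first client bytes of a TCP stream parse as a
    SOCKS5 method-selection greeting. Trailing bytes are tolerated because
    clients may pipeline the CONNECT request behind the greeting."""
    if len(payload) < 3 or payload[0] != SOCKS5_VERSION:
        return False
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return False
    methods = payload[2:2 + nmethods]
    # Real clients advertise a small set of distinct, recognised methods;
    # the size cap is a heuristic choice to cut false positives on binary
    # protocols that happen to start with 0x05.
    return (nmethods <= 8
            and len(set(methods)) == nmethods
            and all(_is_plausible_method(m) for m in methods))


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first client-to-server bytes of the stream


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.2.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),  # TLS ClientHello
    Flow("10.0.1.21", "10.0.2.5", 8443, b"\x05\x01\x00"),                     # SOCKS5, no-auth only
    Flow("10.0.1.22", "10.0.2.5", 8443, b"\x05\x02\x00\x02\x05\x01\x00\x01"), # SOCKS5 + pipelined CONNECT
    Flow("10.0.1.23", "10.0.2.9", 80, b"GET / HTTP/1.1\r\n"),                # plain HTTP
    Flow("10.0.1.24", "10.0.3.7", 1080, b"\x05\x01\x00"),                     # sanctioned corporate proxy
    Flow("10.0.1.25", "10.0.2.5", 8443, b"\x05\x00"),                         # malformed: zero methods
]

# (host, port) pairs the organisation knowingly runs as SOCKS proxies.
SANCTIONED_PROXIES = {("10.0.3.7", 1080)}


def find_unexpected_socks5_servers(flows, sanctioned=SANCTIONED_PROXIES):
    """Map (dst, dport) -> number of distinct clients that sent a SOCKS5
    greeting to it, excluding sanctioned proxies. A server that is not in
    the allow-list yet serves several clients is worth a closer look."""
    clients = {}
    for f in flows:
        if (f.dst, f.dport) in sanctioned:
            continue
        if looks_like_socks5_greeting(f.first_payload):
            clients.setdefault((f.dst, f.dport), set()).add(f.src)
    return {server: len(srcs) for server, srcs in clients.items()}


if __name__ == "__main__":
    for (host, port), n in find_unexpected_socks5_servers(SAMPLE_FLOWS).items():
        print(f"unexpected SOCKS5 server {host}:{port} used by {n} client(s)")
```

On the constructed sample, only 10.0.2.5:8443 is reported, with two distinct clients; the corporate proxy on 10.0.3.7:1080 is skipped by the allow-list, and the truncated greeting with zero methods is rejected by the parser. Feeding it real data requires only the first payload bytes of each flow, which most NSM tools (Zeek, Suricata) can export.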