Serious Breach Linked to Chinese APTs Comes to Light

Several major organizations may have been affected by a breach suffered by an IT services and software provider. The attack, linked to threat actors believed to be located in China, took place in 2015, but it has only now come to light.

A report published earlier this month by RSA describes Kingslayer, a supply chain attack that apparently targeted system administrators in some large organizations. The attackers breached the systems of a company that offers event log analyzers and replaced a legitimate application and its updates with a backdoored version.

The malicious version of the software was delivered between April 9 and April 25, 2015, and it was downloaded by at least one Windows system administrator working for a defense contractor.

While it’s unclear exactly how many organizations downloaded the backdoored software in the April 9-25 timeframe, RSA said the portal that hosted it had numerous subscribers, including four major telecoms providers, over ten western military organizations, more than two dozen Fortune 500 companies, five major defense contractors, and tens of IT solutions providers, government organizations, banks and universities.

While RSA has not named the company whose systems were compromised, investigative journalist Brian Krebs determined that it was Canada-based Altair Technologies Ltd. The company offers firewall log analyzers, a Windows event monitoring product, and a repository of troubleshooting information related to Windows event log messages (EventID.Net).

The EventID.Net website hosted EvLog, the software hijacked by the attackers. A notice posted on the site in June 2016 provides some details on the incident and recommendations for potentially affected users.

However, as Krebs pointed out, the advisory does not appear to have been shared on social media and there was no link to it from anywhere on the site – a link was added this week after the journalist contacted Altair Technologies. The company told Krebs it had no way of knowing who downloaded the software so potential victims were not notified directly either.

While Altair representatives said they don’t expect large organizations to use the EvLog tool, the company’s main website claims the EventID.Net portal has helped millions of users worldwide. SecurityWeek has reached out to Altair Technologies for clarifications.

RSA pointed out that the defense contractor targeted by Kingslayer was attacked only 11 weeks after the breach of Altair’s systems, which suggests that the attackers may have focused on other targets in those 11 weeks.

Evidence uncovered by RSA suggests that the attack was linked to Shell Crew, aka Deep Panda, and Codoso, aka Sunshop Group. Both Shell Crew and Codoso are advanced persistent threat (APT) groups believed to be operating out of China.

RSA also pointed to similarities with another supply chain attack known as the 2014 Monju incident, which targeted a nuclear facility in Japan. That attack was also linked to China.

UPDATE. Altair Technologies has provided the following statement to SecurityWeek:

Our software is available for download anonymously. We do not require registration - anyone can download it and install it. We had no way to identify who were the EvLog users that downloaded or decided to update their software within the 2 weeks when the compromised update was online. The software doesn't update by itself, it requires a manual request for update.

There seems to be a deliberate "confusion", in order to give this incident a much bigger scope, between the list of companies from where our subscribers come and EvLog users. We had a list of some organizations that had at least one subscriber to our site for subscriptions between 2001 and 2009 and because it was already big enough it had not been updated since then. EvLog 3 was published in Jan 2015 and the update process was compromised for 2 weeks in April 2015. Does this mean that a large number of companies that accessed our site for the troubleshooting articles were compromised? Absolutely not. We use Google Analytics and the reports show that the average user spends only a few minutes on site, and 99.99% just on the page with the troubleshooting information for a specific topic.

[...]

What is coming as a shock to us is the allegation that we buried the breach notification in the "thick" of our website. Our site is not thick and the notification is still there, on the product page. There is an unreasonable expectation that for years and years from now on, we would post a large red banner across our site warning the users about this breach. We would like to see another product homepage that has a security notice about a breach from almost 2 years back. To use RSA as an example, there is nothing on the breach of their SecurID product on its product page, let alone on RSA's homepage. Yahoo, they sent a notification 3 years after a breach and there is nothing highly visible on their site to warn everybody about it. The list can continue.

It is also sad to see a journalist like Brian Krebs blaming us for the fact that the breach was not in the news and taking it upon himself to blow out of proportion a small breach (compared with the large ones involving big companies). Our answer to him was that it was not in the news because it wasn't newsworthy and it probably did not involve a big company. A big company would've had to make a (very) public statement about a breach. RSA sat on this for months, but they decided it was not newsworthy at the time and waited for their conference to present it as one of their whitepapers. There are hundreds, maybe thousands, of breaches every month but only now and then some make headlines due to the visibility of the involved parties. We are victims as well and now we are being demonized over the fact that the breach notification is allegedly not easy to find almost 2 years after the fact, even though the threat was eliminated last year.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.