Threat Group 3390 Cyberespionage

Dell SecureWorks Counter Threat Unit™ (CTU) Investigated Activities Associated with Threat Group-3390

  • Author: Dell SecureWorks Counter Threat Unit™ Threat Intelligence
  • Date: August 5, 2015

Summary

Dell SecureWorks Counter Threat Unit™ (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390). Analysis of TG-3390's operations, targeting, and tools led CTU researchers to assess with moderate confidence that the group is located in the People's Republic of China. The threat actors target a wide range of organizations: CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects, but also targeting other industry verticals and attacking organizations involved in international relations. The group extensively uses long-running strategic web compromises[2] (SWCs) and relies on whitelists to deliver payloads only to selected victims. Compared to other threat groups, TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger.

CTU researchers divided the threat intelligence about TG-3390 into two sections: strategic and tactical. Strategic threat intelligence includes an assessment of the ongoing threat posed by the threat group. Executives can use this assessment to determine how to reduce risk to their organization's mission and critical assets. Tactical threat intelligence is based on incident response investigations and research, and is mapped to the kill chain. Computer network defenders can use this information to reduce the time and effort associated with responding to TG-3390.

Key points

Explanations of how CTU researchers identify attribution and gauge confidence levels are available in Appendix A.

  • CTU researchers assess with moderate confidence that TG-3390 is based in the People's Republic of China.
  • CTU researchers have evidence that the threat group compromised U.S. and UK organizations in the following verticals: manufacturing (specifically aerospace (including defense contractors), automotive, technology, energy, and pharmaceuticals), education, and legal, as well as organizations focused on international relations. Based on analysis of the group's SWCs, TG-3390 operations likely affect organizations in other countries and verticals.
  • TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication. Through an IP address whitelisting process, the threat group selectively targets visitors to these websites.
  • After the initial compromise, TG-3390 delivers the HttpBrowser backdoor to its victims. The threat actors then move quickly to compromise Microsoft Exchange servers and to gain complete control of the target environment.
  • The threat actors are adept at identifying key data stores and selectively exfiltrating all of the high-value information associated with their goal.
  • CTU researchers recommend the following practices to prevent or detect TG-3390 intrusions:
    • Search web log files for evidence of web server scanning using the URIs listed in the Exploitation section and evidence of exfiltration using the User-Agent in the Actions on objective section.
    • Require two-factor authentication for all remote access solutions, including OWA.
    • Audit ISAPI filters and search for web shells on Microsoft Exchange servers.
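
The audit described by the last two recommendations, as an added PowerShell example that is not part of the CTU report: it lists the ISAPI filters registered in IIS and flags those outside the IIS or Exchange directories or without a valid signature, then looks for recently modified or suspicious-looking server-side scripts under the Exchange web roots. The Exchange install path, the trusted-directory allow-list, the 30-day window and the web-shell regex are assumptions to adjust for the environment.

```powershell
# Added example (not from the CTU report): audit IIS ISAPI filters and look for
# recently added or suspicious server-side scripts on an Exchange server.
# Run in an elevated PowerShell session on the server. $ExchangeRoot, the
# trusted-directory allow-list, the 30-day window and the web-shell regex are
# assumptions to adjust for the environment.

$ConfigPath   = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15'   # assumed default install path
$TrustedRoots = @((Join-Path $env:windir 'System32\inetsrv'), $ExchangeRoot)
$findings     = @()

# 1. ISAPI filters are declared in applicationHost.config (plain XML). Flag any
#    filter whose DLL sits outside the IIS/Exchange directories or is not signed.
[xml]$config = Get-Content -Path $ConfigPath -Raw
foreach ($f in $config.SelectNodes('//isapiFilters/filter')) {
    $path = [Environment]::ExpandEnvironmentVariables($f.GetAttribute('path'))
    $inTrustedDir = [bool]($TrustedRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
    $sig = if (Test-Path -LiteralPath $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
    $findings += [pscustomobject]@{
        Check   = 'IsapiFilter'
        Path    = $path
        Verdict = if ($inTrustedDir -and "$sig" -eq 'Valid') { 'expected' } else { 'REVIEW' }
        Detail  = "name=$($f.GetAttribute('name')) signature=$sig"
    }
}

# 2. Web shells are typically new .aspx/.ashx/.asmx files under the Exchange web
#    roots. Timestamps can be forged, so each file is also grepped for patterns
#    typical of command-execution web shells, regardless of its age.
$WebRoots     = @('FrontEnd\HttpProxy', 'ClientAccess') | ForEach-Object { Join-Path $ExchangeRoot $_ }
$Since        = (Get-Date).AddDays(-30)
$ShellPattern = 'Request\.(Item|Form|QueryString|Headers)\s*\[|Process\.Start|eval\s*\('
$scripts = Get-ChildItem -Path $WebRoots -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue
foreach ($file in $scripts) {
    $recent = $file.LastWriteTime -gt $Since
    $hit    = [bool](Select-String -LiteralPath $file.FullName -Pattern $ShellPattern -Quiet)
    if (-not ($recent -or $hit)) { continue }
    $findings += [pscustomobject]@{
        Check   = 'WebRootFile'
        Path    = $file.FullName
        Verdict = if ($hit) { 'REVIEW' } else { 'recent' }
        Detail  = "modified=$($file.LastWriteTime.ToString('s')) shellPattern=$hit"
    }
}

# REVIEW rows are triage leads, not verdicts: confirm against change records and
# the file's hash/signature before treating a filter or file as malicious.
$findings | Sort-Object Verdict, Path | Format-Table -AutoSize -Wrap
```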

Strategic threat intelligence

CTU researchers assess the threat posed by a threat group by reviewing intent and capability (see Figure 1). Threat groups pose varying threats to different organizations, and even a very capable group may pose a low threat if it does not have the intent to target a particular organization.

Figure 1. Threat is based on a threat group's intent and capability. (Source: Dell SecureWorks)

Intent

CTU researchers infer intent by aggregating observations, analyzing a threat group's activity, and placing the information in a wider context.

Like many threat groups, TG-3390 conducts strategic web compromises (SWCs), also known as watering hole attacks, on websites associated with the target organization's vertical or demographic to increase the likelihood of finding victims with relevant information. CTU researchers assess with high confidence that TG-3390 uses information gathered from prior reconnaissance activities to selectively compromise users who visit websites under its control. Most websites compromised by TG-3390 actors are affiliated with five types of organizations around the world:

  • large manufacturing companies, particularly those supplying defense organizations
  • energy companies
  • embassies in Washington, DC representing countries in the Middle East, Europe, and Asia, likely to target U.S.-based users involved in international relations
  • non-governmental organizations (NGOs), particularly those focused on international relations and defense
  • government organizations

Based on this information, CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence, other industrial intelligence, and political intelligence from governments and NGOs.

Attribution

To assess attribution, CTU researchers analyze observed activity, third-party reporting, and contextual intelligence. For the following reasons, CTU researchers assess with moderate confidence that TG-3390 has a Chinese nexus:

  • The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group, a Muslim minority group primarily found in the Xinjiang region of China. Threat groups outside of China are unlikely to target the Uyghur people.
  • TG-3390 uses the PlugX remote access tool. The menus for PlugX's server-side component are written exclusively in Standard Chinese (Mandarin), suggesting that PlugX operators are familiar with this language.
  • CTU researchers have observed TG-3390 activity between 04:00 and 09:00 UTC, which is 12:00 to 17:00 local time in China (UTC +8). The timeframe maps to the second half of the workday in China.
  • The threat actors have used the Baidu search engine, which is only available in Chinese, to conduct reconnaissance activities.
  • CTU researchers have observed the threat group obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base, an interest in U.S. military capability, or both.

CTU researchers recognize that the evidence supporting this attribution is circumstantial. It is possible that TG-3390 is a false-flag operation by a threat group outside of China that is deliberately planting indications of a Chinese origin.

Capability

To assess a threat group's capability, CTU researchers analyze its resources, technical proficiency, and tradecraft.

Resources

TG-3390 has access to proprietary tools, some of which are used exclusively by TG-3390 and others that are shared among a few Chinese threat groups. The complexity and continual development of these tools indicate a mature development process. TG-3390 can quickly leverage compromised network infrastructure during an operation and can conduct simultaneous intrusions into multiple environments. This ability is further demonstrated by analysis of interactions between TG-3390 operators and a target environment. CTU researchers found no evidence of multiple operators working simultaneously against a single organization. This efficiency of operation (a 1:1 ratio of operator to observed activity) suggests that TG-3390 can scale to conduct the maximum number of simultaneous operations. These characteristics suggest that the threat group is well resourced and has access to a tools development team and a team focused on SWCs.

Technical proficiency

TG-3390's obfuscation techniques in SWCs complicate detection of malicious web traffic redirects. Malware used by the threat group can be configured to bypass network-based detection; however, the threat actors rarely modify host-based configuration settings when deploying payloads. CTU researchers have observed the threat actors installing a credential logger and backdoor on Microsoft Exchange servers, which requires a technical grasp of Internet Information Services (IIS). TG-3390 uses older exploits to compromise targets, and CTU researchers have not observed the threat actors using zero-day exploits as of this publication. The threat actors demonstrated the ability to adapt when reentering a network after an eviction, overcoming technical barriers constructed by network defenders.

Tradecraft

In addition to using SWCs to target specific types of organizations, TG-3390 uses spearphishing emails to target specific victims. CTU researchers assess with high confidence that the threat actors follow an established playbook during an intrusion. They quickly move away from their initial access vector to hide their entry point and then target Exchange servers as a new access vector. As of this publication, CTU researchers have not discovered how TG-3390 keeps track of the details associated with its compromised assets and credentials. However, the threat actors' ability to reuse these assets and credentials, sometimes weeks or months after the initial compromise, indicates the group is disciplined and well organized. After gaining access to a target network in one intrusion analyzed by CTU researchers, TG-3390 actors identified and exfiltrated data for specific projects run by the target organization, indicating that they successfully obtained the information they sought. Data exfiltration occurred almost four weeks after the initial compromise and continued for two weeks (see Figure 2).

Figure 2. Data exfiltration timeline. (Source: Dell SecureWorks)