Apparently, the hackers struck as recently as March in a campaign that used phishing emails in an attempt to access corporate-sensitive Office 365 and Gmail accounts. However, the last attack was a bit of a stuff up: the attackers made some serious operational security errors that revealed key information about their targets and their possible location.
This has made it possible to link them to the LEAD, BARIUM, Wicked Panda, GREF, PassCV, Axiom, and Winnti campaigns. Until this last attack, researchers assumed the groups were distinct and unaffiliated. According to a 49-page report published Thursday, all of the attacks are the work of the Chinese government's intelligence apparatus, which the report's authors dub the Winnti Umbrella.
Researchers from 401TRG, the threat research and analysis team at security company ProtectWise, based the attribution on shared network infrastructure, tactics, techniques, and procedures used in the attacks, as well as operational security mistakes that revealed the possible location of individual members.
Attacks associated with Winnti Umbrella have been active since at least 2009 and possibly date back to 2007. In 2013, antivirus company Kaspersky Lab reported that hackers using computers with Chinese and Korean language configurations used a backdoor dubbed Winnti to infect more than 30 online video game companies over the previous four years. The attackers used their unauthorized access to obtain digital certificates that were later exploited to sign malware used in campaigns targeting other industries and political activists.
"The purpose of this report is to make public previously unreported links that exist between some Chinese state intelligence operations," the ProtectWise researchers wrote. "These operations and the groups that perform them are all linked to the Winnti Umbrella and operate under the Chinese state intelligence apparatus."
The researchers said their report contains details about previously unknown attacks against organisations and how these attacks are linked to the evolution of the Chinese intelligence apparatus over the past decade.
"Based on our findings, attacks against smaller organisations operate with the objective of finding and exfiltrating code-signing certificates to sign malware for use in attacks against higher-value targets. Our primary telemetry consists of months to years of full-fidelity network traffic captures. This dataset allowed us to investigate active compromises at multiple organisations and run detections against the historical dataset, allowing us to perform a large amount of external infrastructure analysis."
The groups often use phishing to gain entry into a target's network. In earlier attacks, the affiliated groups then used the initial compromise to install a custom backdoor. More recently, the groups have adopted so-called living-off-the-land infection techniques, which rely on a target's own approved access systems or system administration tools to spread and maintain unauthorized access.
The domains used to deliver malware and to command and control infected machines often overlap as well. The attackers usually rely on TLS encryption to conceal malware delivery and command-and-control traffic, and in recent years the groups have used Let's Encrypt-issued TLS certificates for that infrastructure.
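The infrastructure-overlap reasoning behind this kind of attribution, as an added example that is not code or data from the ProtectWise report: constructed campaign labels and placeholder indicators are clustered by exact shared values (a domain, a server IP, a certificate fingerprint), while the CA name is deliberately treated as weak, because a Let's Encrypt issuer is shared by everyone on the internet and links nothing.

```python
from collections import defaultdict

# Constructed sample data (placeholders, not indicators from the ProtectWise report):
# each record is (campaign label, indicator type, indicator value).
SAMPLE_INDICATORS = [
    ("campaign-A", "domain", "cdn-update.example-a.invalid"),
    ("campaign-A", "cert_sha256", "fingerprint-0001"),
    ("campaign-B", "domain", "cdn-update.example-a.invalid"),  # same C2 domain as A
    ("campaign-B", "ip", "198.51.100.10"),
    ("campaign-C", "ip", "198.51.100.10"),                      # same server as B
    ("campaign-C", "cert_sha256", "fingerprint-0002"),
    ("campaign-D", "domain", "mail.example-d.invalid"),         # shares nothing strong
    ("campaign-A", "cert_issuer", "Let's Encrypt"),             # CA name is shared by
    ("campaign-D", "cert_issuer", "Let's Encrypt"),             # everyone; not a link
]
# Indicator types too common to carry attribution weight on their own.
WEAK_TYPES = {"cert_issuer"}

def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def shared_indicators(indicators, weak_types=WEAK_TYPES):
    """Map each strong (type, value) seen in more than one campaign to those campaigns."""
    by_value = defaultdict(set)
    for campaign, itype, value in indicators:
        if itype not in weak_types:
            by_value[(itype, value)].add(campaign)
    return {k: v for k, v in by_value.items() if len(v) > 1}

def cluster_campaigns(indicators, weak_types=WEAK_TYPES):
    """Group campaigns connected by any chain of shared strong indicators.
    Returns one frozenset per connected component, sorted for determinism."""
    parent = {c: c for c, _, _ in indicators}
    for campaigns in shared_indicators(indicators, weak_types).values():
        first, *rest = sorted(campaigns)
        for other in rest:
            parent[_find(parent, other)] = _find(parent, first)
    groups = defaultdict(set)
    for campaign in parent:
        groups[_find(parent, campaign)].add(campaign)
    return sorted((frozenset(g) for g in groups.values()), key=min)

if __name__ == "__main__":
    for link, who in shared_indicators(SAMPLE_INDICATORS).items():
        print(f"{link[0]}={link[1]!r} ties {sorted(who)}")
    print([sorted(g) for g in cluster_campaigns(SAMPLE_INDICATORS)])
```

Campaign D stays separate even though it uses the same CA as campaign A; pass `weak_types=set()` to see how counting the issuer as evidence wrongly merges everything into one cluster.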
The groups hack smaller organisations in the gaming and technology industries and then use their code-signing certificates and other assets to compromise the primary targets, which are mostly political. Primary targets in past campaigns have included Tibetan and Chinese journalists, Uyghur and Tibetan activists, the government of Thailand, and prominent technology organisations.