UPDATED 21:12 EDT / MAY 06 2018

INFRA

‘Winnti Umbrella’ groups linked to years of Chinese state-sponsored hacking

Hacks dating back nearly a decade that were previously thought to have originated from separate attack groups are linked to a Chinese government intelligence agency, according to a recently published report.

The report, from the Threat Research & Analysis Team at ProtectWise Inc., links attacks by groups using names such as LEAD, BARIUM, Wicked Panda, GREF and PassCV to a Chinese state intelligence apparatus. They’ve been dubbed the “Winnti Umbrella” after the name of one of the commonly used tools the groups use: the Winnti backdoor.

Along with the use of Winnti itself, the attack groups share much in common. That includes starting attacks via phishing campaigns to gain initial access to a network, before deploying a mix of custom and commercially available malware to steal information.

The attacks have targeted both software and gaming companies in the U.S., Japan, South Korea and, surprisingly, China itself. Later attacks tended to zero in on high-profile targets for either political or technology theft reasons.

As to how the groups have been linked now, despite operating since at least 2009, the researchers said they have made a number of “operational security mistakes during attacks.” Those mistakes have allowed them to “acquire metrics on the success of some Winnti umbrella spear phishing campaigns and identify attacker location with high confidence.”

One of those mistakes includes using command-and-control services that inadvertently access the same machines using internet protocol addresses from China Unicom in the same Beijing district. Another mistake was the use of shared self-signed TLS encryption certificates in an attempt to obscure both malware infections and subsequent data theft.

“While inside knowledge of their operations is quite limited from any external research such as this, we can still assess with confidence that the various groups are functioning in a singular direction for a greater overall mission,” ProtectWise’s Tom Hegel explained. “Evidence suggests that Chinese intelligence agencies are supplying all the necessary resources to members of the Winnti umbrella, including finances and human skills.”

Hacking groups linked to the Chinese government are far from new, despite attempts between both China and the U.S. in 2015 to come to an antihacking agreement. In a case in November, three Chinese nationals linked to the central government were indicted for hacking Moody’s Corp., Siemens AG and Trimble Inc. In an even more serious case, the Chinese military was blamed for hacking the Federal Deposit Insurance Corp. in December 2016.

Photo: Pxhere

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU