New Chinese Intelligence Unit Linked to Massive Cyber Spying Program
Axiom likely a Ministry of State Security spy unit
A Chinese intelligence unit carried out a massive cyber espionage program that stole vast quantities of data from governments, businesses and other organizations, security analysts who uncovered the operation said Thursday.
The activities of the Chinese unit called the Axiom group began at least six years ago and were uncovered by a coalition of security firms this month.
Cyber sleuths traced Axiom attacks to the 2009 cyber operation against Google in China and other U.S. companies known as Operation Aurora. The group was also linked to a Chinese hacking program that targeted dissidents and opposition groups known as GhostNet. More recent Axiom attacks took place against Japan, the U.S. Veterans of Foreign Wars, and U.S. think tanks.
In the past two weeks, 43,000 computer networks at nearly 1,000 organizations were cleaned of multiple types of cyber espionage spyware from Axiom cyber spies, including 180 highly sophisticated computer penetrations at key Chinese targets that employed a program called Hikit that specializes in automated data theft.
Investigators found that the Chinese used up to four different types of malicious software in a single information-stealing operation, and a total of nine different types of spying malware overall, ranging from rudimentary to very sophisticated.
The group conducting the attacks is “a truly advanced hacker,” said Zachery Hanif, a cyber security expert with Novetta, a Virginia-based company that was one of the first to identify Axiom cyber attacks.
“We believe they are a highly sophisticated and very prolific cyber espionage team,” Hanif said in an online briefing for reporters. “We certainly have a moderate to high degree of confidence that the [Axiom] tasking is part of the Chinese intelligence apparatus.”
An FBI alert issued Oct. 15 bolsters the commercial findings. The alert states that the Bureau has high confidence that the new unit is “a group of Chinese government affiliated cyber actors who routinely steal high value information from U.S. commercial and government networks through cyber espionage.”
The FBI said the new group differs from the Chinese military hacking unit known as PLA Unit 61398 by operating in an “exceedingly stealthy and agile” fashion, compared to the military unit.
“This Chinese government affiliated group previously documented by private sector reports by the names of Operation Deputy Dog, Snowman, Ephemeral Hydra, APT17, Bit9, Google security alerts and parts of Hidden Lynx, has heavily targeted the high tech information technology industry including microchip, digital storage and networking equipment manufacturers, as well as defense contractors in multiple countries and multinational corporations,” the FBI said.
Hanif said attributing the Axiom spying to a specific Chinese intelligence agency is difficult because of problems involved in making direct attributions in cyberspace to specific actors.
But during the briefing Hanif said indicators of Axiom revealed activities that were aligned with Chinese government five-year economic and technological development plans.
Hanif said detailed analysis of software and digital attack methods of the group against specific targets reveals the activities are “heavily aligned with what’s been published as strategic interests for the Chinese government.”
China’s targets included Asian and Western governments, specifically communications agencies, aerospace and space research, law enforcement, personnel management, and government auditing and internal affairs.
Using proxy servers in Hong Kong, Taiwan, Japan, South Korea, the United States and Europe, Axiom cyber spies sought data and technology from the following targets:
♦ Electronics and integrated circuits
♦ Network equipment manufacturers
♦ Internet service companies
♦ Software vendors
♦ News media and journalism organizations
♦ Non-governmental organizations
♦ International consulting and analysis firms
♦ International law firms
♦ Telecommunications firms
♦ Manufacturing conglomerates
♦ Venture capital firms
♦ Energy companies
♦ Meteorological services
♦ Cloud computing firms
♦ Pharmaceutical firms; and
♦ U.S. academic institutions
Axiom is the first published disclosure of civilian Chinese cyber spying.
A Chinese military intelligence group known as the Third Department of the People’s Liberation Army has been identified in the past as directing major Chinese cyber spying units in U.S. cyber attacks.
Analysis of Axiom’s activities reveals that the new unit is likely a part of China’s Ministry of State Security (MSS), the powerful Communist Party-controlled political police and intelligence service that was modeled after the Soviet Union’s KGB.
A Novetta report on Axiom said the group conducted cyber operations against perceived opponents of the Beijing regime located both abroad and in China–key indicators of MSS sponsorship.
The report did not identify specific victims but published reports going back to 2009, as well as the attacks on Google and other U.S. companies, reveal that many of the companies were Fortune 500 firms.
U.S. government agencies that were hacked by the Chinese also were not identified.
To highlight the sophistication of the group, the Novetta report reveals Axiom employed six different types of cyber intelligence specialties: reconnaissance specialists, initial cyber break-in experts, specialists who navigated within targeted networks, experts who set up special systems inside compromised networks, information specialists who identified and stole data, and those who helped maintain clandestine access over long periods of time.
Brian Bartholomew, a cyber security expert with iSight Partners, a company that took part in a coalition of security firms that exposed and countered Axiom operations, said that beginning in mid-October the coalition launched an effort to expunge Axiom’s malware in order to degrade the group’s activities.
“The hope was to throw a large wrench into their engine, and cause them to take the time to basically take a step back and hit the reboot button and spend a large amount of resources to fix things and get back up and running,” Bartholomew said.
Security firms involved in the counter-Axiom effort, dubbed Operation SMN, included the security firms Bit9, Cisco Systems, F-Secure, FireEye, Tenable, ThreatConnect, ThreatTrack, and Volexity, in addition to Novetta and iSight.
The group’s joint efforts were successful in rooting out a lot of Axiom malware, Bartholomew said.
As a result, the Chinese cyber unit is now being forced to develop new malware and to find new compromised networks that it can use as proxies, along with developing new victims to target, he said.
The companies and entities that were infected by the Chinese malware were notified of the Axiom attack.