Try not to imagine security folk in lycra
By John Leyden
Security firms are claiming credit for putting the skids under a Chinese cyber-espionage crew thought to have been operating for at least six years.
The so-called Axiom Threat Actor Group allegedly victimised pro-democracy non-governmental organisations (NGO) and other groups and individuals that would be perceived as a potential threat to the stability of the Chinese state.
The group also got involved dabbling in industrial espionage. In particular, Axiom targeted organisations influential environmental and energy policy as well as information technology firms including chips makers, telecommunications equipment manufacturers, and infrastructure providers.
Axiom used phishing attacks and bespoke malware to carry out its work, in common with many state-sponsored hacking types. All this malfeasance eventually attracted the attention of security firms who teamed up to thwart the threat.
Months of cooperation by the cyber security coalition, led by analytics technology firm Novetta and including Bit9, Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect, ThreatTrack Security, Volexity and other unnamed partners culminated in a takedown operation earlier this month.
On Tuesday, October 14, 2014, the security coalition took its first public action related to Operation SMN via Microsoft’s Coordinated Malware Eradication campaign and announced the teaming of security industry leaders to execute coordinated, effective remediation and disruption of activities tied to several families of malware used by advanced threat actor groups across the globe.Following these actions, the coalition received and shared a substantial amount of technical information relating to the removal of these malware tools across the coalition’s customer set. To date, over 43,000 separate installations of Axiom-related tools have been removed from machines protected by Operation SMN partners; 180 of those infections were examples of Hikit, the late stage persistence and data exfiltration tool that represents the height of an Axiom victim’s operational lifecycle.
The Hikit tool has previously been linked to the so-called DeputyDog attack,, which used an IE zero day current in September 2013 and targeted Asian firms.
The Axiom group seems to have largely stayed under the radar apart from that but it appears to be a more capable grouping compared to the infamous Shanghai-based and PLA-affiliated APT1 crew outed by FireEye last year.
The Axiom threat group is a “well resourced, disciplined, and sophisticated subgroup of a larger cyber espionage group that has been directing operations unfettered for over six years”, according to Novetta.
In a statement, Novetta said it had “moderate to high confidence” that Axiom was acting on behalf of a Chinese government intelligence apparatus.
“This coordinated effort by security industry leaders is the first of its kind and has had a quantifiable impact on state-sponsored threat actors,” said Novetta chief exec Peter B. LaMontagne. “The Axiom threat group is a well resourced, disciplined, and sophisticated cyber espionage group operating out of mainland China.”
Diplomatic row
Beijing has denied having anything to do with Axiom. Chinese Embassy spokesman Geng Shuang told the Washington Post that “judging from past experience, these kinds of reports or allegations are usually fictitious.” He restated China’s oft-stated insistence that it’s more sinned against than sinning when it comes to cyber-espionage.
“China is a victim of these kinds of attacks, according to the Snowden revelations,” he said.
News of the Axiom takedown, released on Tuesday, comes two weeks before President Obama is due to visit Beijing for talks where cybersecurity features high on the agenda. Secretary of State John Kerry is due to visit China in a week, paving the way for the presidential summit days later.
Washington has been attempting to pressurise Beijing over the issue of cyber-espionage for around two years but has lost the moral high-ground on the issue, largely as a result on the Snowden disclosures.
Novetta hopes that the coalition’s disruptive action will act as a model for future take-down ops. They don’t make any claims to have infected a knock-out blow against Axiom, which is wise considering past evidence suggests they’ll be back.
The comparable outing of APT1 caused the group to go into hiatus for around three months before it returned to active service. Axiom, since it’s more capable, might be back even sooner – although it may have rethink its tools and tactics in the interim.
The coalition has put together a report on the tactics, techniques, and procedures of the Axiom group that provides an overview of malware families associated with the group. A recent FBI flash released to Infragard stated the Axiom group are affiliated with the Chinese government.
A 31 page executive summary of the op against Axiom can be found here (PDF). ®
