Operation Beebus, another chinese cyber espionage campaign

Security Firm FireEye revealed to have discovered an APT campaign targeting companies in the defense and aerospace sector and that has been originated from China to steal intellectual property and industrial secrets from US companies.

In this period many other attacks have been linked to China such as the cyber espionage campaign against NYT and Washington Post, this time the hackers demonstrated particular interest in the design of Unmanned Aerial Vehicles (UAVs) and other robotic aircraft.

FireEye named the last campaign ‘Operation Beebus’ from the name of an initial sample in this campaign (MD5: 7ed557921ac60dfcb295ebabfd972301), which was originally submitted to VirusTotal on April 12, 2011

The schema adopted for the attack is a basic spear phishing, the hackers in fact uses both email and drive-by downloads to targeted victims exploiting common vulnerabilities in PDF and DOC files to install a Trojan backdoor.

Last March FireEye registered suspicious activities against its clients operating in aerospace and defense sector, continuous waves of attacks that are repeated over time.

The principal evidence against China for the attack is related to many similarities with past attacks linked to Beijing, the reuse of the command and control infrastructure (C&C) connected to APT attack on RSA’s SecurID token system occurred in 2011. The researchers discovered the following “Beebus” traffic pattern:

GET /s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; )

Accept: */*

Host: 68.96.31.136

where the IP address 68.96.31.136 was another C2 node reported by Dell SecureWorks as hosting the HTran proxy infrastructure.  Dell’s security team reported that the authors of the malware were Chinese and it dated malware creation back to 2003, Dell Securwork post on the agent states:

“HTran (aka HUC Packet Transmit Tool) is a rudimentary connection bouncer, designed to redirect TCP traffic destined for one host to an alternate host. The source code copyright notice indicates that HTran was authored by “lion”, a well-known Chinese hacker and member of “HUC”, the Honker Union of China. The purpose of this type of tool is to disguise either the true source or destination of Internet traffic in the course of hacking activity.

Source code can be readily found on the Internet:

http://read.pudn.com/downloads199/sourcecode/windows/935255/htran.cpp__.htm

FireEye recorded 261 separate attacks on its clients in 2012, 123 of which were on UAV or UAS (Unmanned Aerial Systems) vendors.

In total the C&C had reached 214 servers with 60 unique IP addresses, a large investment in time and effort.

The attackers identified by FireEye used the same techniques and tools of the RSA attack, according to McAfee, one of the major tools used by these hackers was the use of obfuscated or encrypted HTML comments embedded in otherwise benign websites, in order to indirectly control compromised endpoints.

“Obfuscated/encrypted HTML comments has been also widely reported in the media as associated with the nation state group called “Comment Group” or “Comment Team,” which is believed to be associated with the Chinese government.“

Darien Kindlund, senior staff scientist at FireEye declared:

“We have enough evidence that points heavily in that direction” “We knew this was being done on behalf of a nation state,” “we believe the attack was largely successful.”

It ‘clear that to deal with the phenomenon of cyber espionage requires a structured approach, the threat has grown in complexity in recent years and in many cases the attackers were able to evade the main security mechanisms for long periods.

On the one hand therefore be thought of a new model of dynamic defense which however cannot be separated by a major level of awareness of users, in majority of cases the exposure is caused by wrong human behavior.

You must know the threat to mitigate it.

Pierluigi Paganini