Delaware, USA – May 7, 2018 – Last week, security researchers from ProtectWise 401TRG published a report on the cyber attacks and campaigns of Chinese hacker groups. Analysis of the attackers’ infrastructure and targets makes it possible to state with high confidence that several groups previously considered to be independent cyberespionage actors work together and are connected with the Chinese government. The experts dubbed them the “Winnti umbrella”, after the APT group Winnti (also known as APT17), whose infrastructure and techniques the other groups reused. In 2018, the adversaries switched to IT companies in the US, Japan and South Korea and changed their attack methods and targets. Winnti umbrella has practically abandoned malware in order to minimize the risk of detection and of failed operations. Instead, they use spear-phishing to gain access to employee accounts and use those accounts to penetrate the company network. The adversaries then use legitimate software already installed on the compromised system for lateral movement. Only in extremely rare cases do they resort to the Cobalt Strike or Metasploit penetration testing tools. The primary aim of these attacks is to steal code signing certificates, technical documentation and source code. The experts suggest that the cybercriminals are preparing for attacks that use backdoored legitimate software. Last year, Chinese cybercriminals carried out such an attack: they injected trojans into NetSarang software and replaced the legitimate software on the company’s download servers.
It is tough to detect traces of an active Winnti umbrella campaign, since the attackers do not use malware to achieve their goals. To mitigate this threat, you can use your SIEM together with the Sysmon Framework and Windows Security Monitor use cases, which help detect the suspicious activity on Windows hosts that needs to be investigated.
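As an added illustration of the kind of Sysmon use case meant above (example code written for this article, not part of the ProtectWise report or any vendor's SIEM content), the following rule looks at Sysmon Event ID 1 process-creation records and flags legitimate Windows administration tools only when they are pointed at a remote host, which is the lateral-movement pattern described above. The event records, host names and user names are constructed sample data, and the tool list and argument shapes are assumptions a defender would tune to their own environment.

```python
import re

# Constructed Sysmon records, reduced to the fields a SIEM would normalise.
# Hosts, users and paths are sample values, not real telemetry.
SYSMON_EVENTS = [
    {"EventID": 1, "Computer": "WS-042", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": 'wmic /node:"FS-01" process call create "cmd.exe /c whoami"'},
    {"EventID": 1, "Computer": "WS-042", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": "sc \\\\FS-01 create svc binPath= C:\\tmp\\x.exe"},
    {"EventID": 1, "Computer": "WS-042", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": "sc query spooler"},          # local use, must not fire
    {"EventID": 1, "Computer": "WS-042", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 3, "Computer": "WS-042", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\svchost.exe"},  # not a process creation
]

# Assumed rule table: a legitimate tool plus the argument shape that names a
# *remote* host. The same tool used locally is not flagged.
LATERAL_MOVEMENT_RULES = {
    "wmic.exe":     re.compile(r"/node:", re.I),
    "sc.exe":       re.compile(r"\\\\[\w.-]+\s+(create|start|config)", re.I),
    "schtasks.exe": re.compile(r"/s\s+\S+", re.I),
    "winrs.exe":    re.compile(r"-r:", re.I),
}

# Pulls the remote host name out of any of the argument shapes above.
TARGET_RE = re.compile(r'(?:/node:|\\\\|/s\s+|-r:)"?([\w.-]+)', re.I)


def detect_lateral_movement(events):
    """Return one finding per Sysmon Event ID 1 record in which a legitimate
    admin tool is driven against a remote host; other events are skipped."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        tool = ev["Image"].rsplit("\\", 1)[-1].lower()
        rule = LATERAL_MOVEMENT_RULES.get(tool)
        if rule is None or not rule.search(ev["CommandLine"]):
            continue
        target = TARGET_RE.search(ev["CommandLine"])
        findings.append({"host": ev["Computer"], "user": ev["User"],
                         "tool": tool,
                         "target": target.group(1) if target else None})
    return findings
```

Feeding the sample above through the rule yields two findings, both from the same account on WS-042 against FS-01, which is exactly the pivot a SIEM analyst would want to investigate next.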