Symantec: Chinese Connection to Attacks on Defense Contractors

Friday, January 27, 2012



Symantec researchers have published further evidence that the Sykipot trojan attacks, which targeted multiple companies, particularly in the defense industry, originated from servers in China operated by one of the nation's largest internet service providers (ISPs).

The data Symantec published reinforces the findings of an earlier investigation by security vendor AlienVault, which described an orchestrated spear-phishing campaign, most likely targeting information on US drone technology, that used malware-laden PDF documents to deliver the Sykipot payload.

"The server is based in the Beijing region of China and was running on one of the largest ISPs in China. Furthermore, on one occasion one of the attackers connected from the Zhejiang province. The server has hosted over a hundred malicious files from the past couple of months, many of which were used in Sykipot campaigns," Symantec reports.

"Some of these domains were compromised and used in the campaign, but most of them were registered for the sole purpose of being a part of the Sykipot infrastructure. On more than one occasion we have seen attackers sending malicious emails from the same server hosting the aforementioned C&C domains," the report continued.

While Symantec stopped short of concluding that the attacks were being conducted by the Chinese, the evidence it presented clearly shows that the operations have a Chinese connection.

"Based on these insights, the attackers are familiar with the Chinese language and are using computer resources in China," Symantec stated.

In December of 2011, the computer incident response team at defense contractor Lockheed Martin detected active exploitation of a vulnerability in Adobe's Reader and Acrobat applications; the attack was also confirmed by the Defense Security Information Exchange.

The vulnerability involved the applications' handling of the Universal 3D (U3D) file format and could allow attackers to remotely take control of an affected system, crash it, or cause a denial of service.

According to a blog post by Adobe's Brad Arkin, senior director of product security, several versions of the applications were vulnerable, but the only active exploit detected in December was targeting Reader 9.x for Windows, and the company decided to focus on mitigation for that version first.

"The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted. All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows," Arkin wrote.

Adobe released critical patch updates for several product versions addressing most of the vulnerabilities in early January.

In late December, AlienVault's Jaime Blasco published an analysis of the spear-phishing campaign asserting that the attacks may be geared towards pilfering information related to the U.S. military's highly advanced unmanned aerial spy drones.

"The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit to key employees of different organizations. Once again the payload dropped was Sykipot, a known malware that has appeared several times in combination with zero-day exploits and has been used to launch targeted attacks since 2007," Blasco wrote.

"After analyzing most of the campaigns, we discovered a group of samples connecting to the same C&C server that attracted our attention because of the media displayed after the infection... all the content is related to US UCAVs (unmanned combat air vehicle)," Blasco noted.

AlienVault continued their investigation in an effort to pinpoint the most likely source of the phishing operation, and the circumstantial evidence - though not conclusive by any means - seemed to point to China.

"After a short investigation on the Netbox webserver, we learnt that it is a Windows-based webserver that allows developers to compile and deploy ASP web applications into a stand-alone executable file. We also checked Shodan and discovered that there were only a couple of thousand servers running the webserver and nearly 80% of the servers were located in China," Blasco explains.

"With this information, we thought that there was a good chance to localize these servers on Chinese network ranges. So we began to search Netbox servers running SSL on port 443 with a certificate issued to one of the main Chinese ISP providers. After some time, we confirmed our suspicion and we found 7 IP addresses belonging to “China Unicom Beijing province network” that matched our criteria. Six of them were pointing to the same webserver (same certificate, same headers, timestamps) so it appears that they are using those machines to proxy the connections as well but we don’t know if one of them was the last C&C server," Blasco concluded.
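The pivot Blasco describes, keeping only Netbox hosts serving TLS on 443 with a certificate issued to a given ISP and then grouping them by certificate, header and timestamp, as an added Python example over constructed scan records. This is not AlienVault's code; the IPs (documentation ranges), the ISP name, the fingerprints and the record field names are all placeholders.

```python
from collections import defaultdict

# Constructed scan records; field names are assumptions, not any scanner's real schema.
def rec(ip, port=443, server="Netbox", org="EXAMPLE-ISP", fp="fp-aa11",
        lm="Tue, 13 Dec 2011 08:12:00 GMT"):
    return {"ip": ip, "port": port, "server": server, "cert_org": org,
            "cert_fp": fp, "last_modified": lm}

SCAN = [rec("192.0.2.%d" % i) for i in range(1, 7)] + [  # six fronts for one back-end
    rec("192.0.2.7", fp="fp-bb22", lm="Mon, 19 Dec 2011 17:40:00 GMT"),  # same ISP cert, other box
    rec("198.51.100.5", server="Apache"),                                 # not Netbox
    rec("198.51.100.6", org="OTHER-ORG"),                                 # cert issued to someone else
    rec("198.51.100.7", port=80),                                         # no TLS on 443
]


def candidates(records, server_hint="Netbox", cert_org="EXAMPLE-ISP", port=443):
    """Step 1: keep hosts that match the search criteria quoted in the article."""
    return [r for r in records
            if r["port"] == port
            and server_hint.lower() in r["server"].lower()
            and cert_org.lower() in r["cert_org"].lower()]


def cluster_by_fingerprint(records):
    """Step 2: group hosts presenting the same certificate, header and timestamp.
    Several IPs in one group suggests front-end proxies for a single back-end."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["cert_fp"], r["server"], r["last_modified"])].append(r["ip"])
    return {key: sorted(ips) for key, ips in groups.items()}


def probable_proxies(records):
    """IPs that share a full fingerprint with at least one other candidate IP."""
    clusters = cluster_by_fingerprint(candidates(records))
    return sorted(ip for ips in clusters.values() if len(ips) > 1 for ip in ips)


if __name__ == "__main__":
    for key, ips in cluster_by_fingerprint(candidates(SCAN)).items():
        print(key, ips)
    print("probable proxies:", probable_proxies(SCAN))
```

As the article itself stresses, a shared certificate shows the hosts front the same service, not who operates it; the cluster is a lead for further investigation, not attribution.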

Many security experts point out the difficulty involved in accurate attribution. Proxies, routing tricks, compromised machines, and spoofed IP addresses can be easily coordinated to give the appearance that an attack is originating far from the actual source.

In many cases, it is nearly impossible to clearly determine the origin of an attack, and even more difficult to ascertain if the event was state-sponsored or instigated by individual actors.

But, based on the information AlienVault has uncovered in their investigation, Blasco seems comfortable that there is in fact some level of Chinese involvement - though he stops short of openly accusing China.

"We shouldn’t jump to assumptions but whoever is behind Sykipot is massively collecting information from targeted victims that covers dozens of industries... On the other hand, we have identified at least six Chinese IP addresses that are used to proxy or host the C&C servers...In some of the samples it contains some Chinese error messages...Apart from this, the “Netbox” webserver used in the C&C servers is mainly used by those who speak Chinese. In fact all the documentation to setup and learn the framework is only available in Mandarin," Blasco pointed out.

The combination of the data uncovered by Symantec and AlienVault provides strong evidence that Sykipot is indeed a China-based data exfiltration campaign.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
