26 September 2023

Under attack: Chinese cyberspies expanding their tactics


Catalin Cimpanu* says a new report suggests the tactics of Chinese cyberspies are evolving to focus on targeting IT staff and code-signing certificates.
Chinese cyberspies are evolving their tactics: focusing on IT staffers, relying more and more on spear-phishing instead of malware, and gathering code-signing certificates from hacked software companies in preparation for future supply-chain attacks.

These are some of the main points of a 45-page report released last week by 401TRG, the Threat Research & Analysis Team at ProtectWise.

Experts analysed the tactics, techniques, and procedures (TTPs) used over the years by a group previously referred to as Winnti, after the name of one of its main tools, the Winnti backdoor.

Chinese APTs are becoming one big melting pot

Now, 401TRG analysts refer to the group as Winnti Umbrella, a generic term describing a large part of the Chinese intelligence apparatus, as several previously separate cyber-espionage groups appear to use the same tactics and infrastructure as the original Winnti group (also known in some reports as Axiom or APT17).

After years of observing operational mistakes and the reuse of older attack infrastructure, researchers say that previously separate advanced persistent threats (APTs) such as BARIUM, Wicked Panda, GREF, and PassCV now appear to share Winnti techniques and some of its infrastructure.

“TTPs, infrastructure, and tooling show some overlap with other Chinese-speaking threat actors, suggesting that the Chinese intelligence community shares human and technological resources across organisations,” 401TRG experts say.

“We assess with medium to high confidence that the various operations described in this report are the work of individual teams, including contractors external to the Chinese Government, with varying levels of expertise, cooperating on a specific agenda.”

Chinese hackers focus on IT staffers

Nowadays, the APTs grouped under the Winnti Umbrella appear to operate according to a common operational pattern.

First and foremost, attackers appear to favour spear-phishing individual targets, preferring to collect credentials and then log into accounts rather than use malware to establish an initial foothold.

“We have observed spear-phishing campaigns that target human resources and hiring managers, IT staff, and internal information security staff, which are generally very effective,” 401TRG experts said about the 2017 campaigns.

Hackers focus on collecting network credentials and then moving laterally inside an organisation.

Attackers then use a technique known as “living off the land”, which refers to the use of legitimate, locally installed applications and built-in utilities for malicious purposes, reducing the need to drop tools that defenders could detect.

Tools often used in these intrusions include standard Windows utilities, but also penetration testing utilities such as Metasploit and Cobalt Strike.

Malware is deployed only when necessary, since attackers fear detection, which often means losing their foothold on a target’s network.

In 2018 tactics shifted only slightly: attackers focused their efforts primarily on breaking into Gmail and Office 365 accounts, but they continued to target IT staffers.

The targeting of IT employees suggests the group is looking for workstations with greater access to internal networks.

Hackers go after code-signing certificates

“Key interests during attacks often include the theft of code-signing certificates, source code, and internal technology documentation,” researchers said.

“They also may attempt to manipulate virtual economies for financial gain.”

“While unconfirmed, the financial secondary objective may be related to personal interests of the individuals behind the attacks,” researchers added.

But code-signing certificates appear to be the primary goal of all the different APTs operating under the “shared goals” of the Winnti Umbrella.

The targeting of code-signing certificates is also why hackers focus a lot of their attacks on software and gaming organisations in the US, Japan, South Korea, and China — organisations that are more likely to possess such certificates.

This suggests Winnti Umbrella groups are gathering resources and planning supply-chain attacks that poison official software with malware — where a valid code-signing certificate is crucial, because signed binaries pass signature checks and so hide the compromise for as long as possible.

Such attacks were all the rage in 2017, observed during the NotPetya and CCleaner incidents.

Still, Chinese hackers also know a few things about supply-chain attacks themselves.

In 2017, Chinese cyberspies compromised NetSarang, a South Korean software maker, and hid a backdoor in some of its software packages.

Another report also highlighted their increased focus on hacking cloud providers for the same reason — to gain access to cloud-based applications that would allow them easy access to corporate data and internal networks.

* Catalin Cimpanu is the Security News Editor for Bleeping Computer. He tweets at @campuscodi.

This article first appeared at www.bleepingcomputer.com.
