A sophisticated threat actor gained unauthorized access to the networks of high-tech and aviation companies by first compromising their cloud-based services. Attacker dwell time on the covertly infiltrated networks lasted as long as three years in some cases.
The success of this operation is a reminder of the risk of storing plain-text network credentials or VPN and remote-access instructions in internet-accessible applications and services: whoever compromises the cloud account can read them and follow them.
In a recently released report, NCC Group and its subsidiary Fox-IT said researchers encountered this threat actor during numerous incident response engagements between October 2019 and April 2020. But the initial compromises preceded this timeframe, in at least one case dating back to 2017.
"The three-year dwell time is much longer than what we typically see during incident response investigations, which is often weeks or months," said Christo Butcher, global lead of threat intelligence at Fox-IT, and head of the Fox-IT Research and Intelligence Fusion Team (RIFT), in an interview with SC Media. This is significant, he added, "because it indicates the actor was intent on securing long-term access to their victim. This long-term focus was also apparent in their somewhat stealthy modus operandi, including use of unobtrusive persistence techniques and custom information gathering tools for intelligence benefit."
According to the researchers, the malicious hackers used credential stuffing, password spraying and brute-force techniques to initially compromise companies’ webmail, storage drives or other cloud-based services from providers like Microsoft and Google. The attackers would then peruse the cloud-based data for intel on how to access those victim companies’ VPNs, Citrix offerings, or other remote networking services.
"In one specific case, the adversary... was able to access a document stored in SharePoint Online, part of Microsoft Office 365," the report states. "This specific document described how to access the internet-facing company portal and the web-based VPN client into the company network. Within an hour after grabbing this document, the adversary accessed the company portal with the valid account." Although the VPN was protected by multi-factor authentication, the attackers got around it by changing the account's MFA configuration and registering their own phone number as the destination for the SMS verification code.
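The MFA bypass described above leaves a correlatable trail: a change to the user's registered SMS phone number, followed shortly by a portal or VPN login. The following is an added example (not code from the Fox-IT/NCC Group report or from the victim's environment) that flags logins occurring within a configurable window after such a change. The audit log format, field names, users, phone numbers and IP addresses are all constructed for this example; in practice you would map the logic onto your identity provider's audit events (for example, the Azure AD "User registered security info" audit entry and the sign-in log).

```python
"""Correlate MFA phone-number changes with subsequent portal/VPN logins.

Added example, not from the Fox-IT/NCC Group report. The event schema below is
assumed: (ISO-8601 timestamp, user, event name, detail). Adapt to your IdP's logs.
"""
from datetime import datetime, timedelta

# Constructed sample audit events, not real data. Deliberately not in time order
# to show that the detector sorts before correlating.
SAMPLE_EVENTS = [
    ("2020-01-14T08:02:11Z", "j.doe",   "mfa_phone_changed", "+31600000001"),
    ("2020-01-14T08:40:37Z", "j.doe",   "portal_login",      "198.51.100.23"),
    ("2020-01-14T09:15:00Z", "a.smith", "portal_login",      "203.0.113.5"),
    ("2020-01-10T12:00:00Z", "a.smith", "mfa_phone_changed", "+31600000002"),
    ("2020-01-15T07:30:00Z", "m.lee",   "mfa_phone_changed", "+31600000003"),
    ("2020-01-15T10:00:00Z", "m.lee",   "portal_login",      "192.0.2.77"),
]


def parse_ts(s):
    """Parse the assumed ISO-8601 UTC timestamp format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_logins_after_mfa_change(events, window_hours=1.0):
    """Return (user, login_ts, new_phone, login_src) for every login that occurs
    within `window_hours` after that user's MFA phone number was changed.

    The one-hour default mirrors the timeline in the report; widen it to catch
    a more patient adversary.
    """
    window = timedelta(hours=window_hours)
    # ISO-8601 UTC strings of equal width sort correctly as plain strings.
    ordered = sorted(events, key=lambda e: e[0])
    last_change = {}  # user -> (timestamp of change, new phone number)
    hits = []
    for ts_s, user, event, detail in ordered:
        ts = parse_ts(ts_s)
        if event == "mfa_phone_changed":
            last_change[user] = (ts, detail)
        elif event == "portal_login" and user in last_change:
            change_ts, phone = last_change[user]
            if ts - change_ts <= window:
                hits.append((user, ts_s, phone, detail))
    return hits


if __name__ == "__main__":
    for user, ts, phone, src in find_logins_after_mfa_change(SAMPLE_EVENTS):
        print(f"ALERT: {user} logged in from {src} at {ts}, "
              f"{phone} was registered for SMS MFA less than an hour earlier")
```

With the sample data only `j.doe` is flagged at the one-hour default: the phone change at 08:02 is followed by a login at 08:40. `m.lee` (two and a half hours between change and login) is only caught when the window is widened, and `a.smith`'s change four days earlier is not correlated at all. A practical deployment would also raise the severity when the login source IP or geolocation differs from the user's history.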
After gaining network access, the attackers would check the permissions of the hijacked account. If it was not a high-privilege account, the actors would look for related local or domain admin accounts that they could compromise with additional password spraying. Or they would move laterally to another system on which an admin was already logged in.
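Password spraying, used here both for the initial cloud compromise and for the later hunt for admin accounts, has a distinctive shape in authentication logs: one source tries a small number of guesses against many different accounts, rather than many guesses against one. The following is an added example (not code from the report or from NCC Group/Fox-IT) that runs that detection over constructed sign-in log lines, reports whether any of the sprayed accounts are privileged, and lists accounts the same source subsequently logged into successfully. The log line format, the `ADMIN_ACCOUNTS` set, and all usernames and IP addresses are assumptions made up for the example; the same logic applies to Microsoft 365 sign-in logs or Windows 4625/4771 events once the fields are mapped.

```python
"""Detect password spraying: one source, few guesses, many distinct accounts.

Added example, not from the Fox-IT/NCC Group report. The log line format
"<ISO timestamp> OK|FAIL user=<name> src=<ip>" is assumed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines, not real data. The first source sprays six
# accounts in twelve seconds and then succeeds against a seventh; the second
# source is a user mistyping their own password twice.
SAMPLE_LOG = """\
2020-02-03T02:00:01Z FAIL user=alice src=198.51.100.9
2020-02-03T02:00:03Z FAIL user=bob src=198.51.100.9
2020-02-03T02:00:05Z FAIL user=carol src=198.51.100.9
2020-02-03T02:00:07Z FAIL user=dave src=198.51.100.9
2020-02-03T02:00:09Z FAIL user=erin src=198.51.100.9
2020-02-03T02:00:11Z FAIL user=svc-backup src=198.51.100.9
2020-02-03T02:00:13Z OK user=frank src=198.51.100.9
2020-02-03T08:15:00Z FAIL user=alice src=203.0.113.4
2020-02-03T08:15:20Z FAIL user=alice src=203.0.113.4
2020-02-03T08:16:02Z OK user=alice src=203.0.113.4
"""

# Assumed list of privileged accounts; in practice pull this from the directory.
ADMIN_ACCOUNTS = {"svc-backup", "da-admin"}


def parse(log_text):
    """Turn log text into (timestamp, result, user, src) tuples, skipping
    lines that do not match the assumed format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_spray(events, window_minutes=10, min_distinct_users=5):
    """Return {src: {"users": [...], "admins": [...], "success": [...]}} for
    every source whose failures hit at least `min_distinct_users` distinct
    accounts inside any `window_minutes` window.

    "admins" lists sprayed accounts that are privileged (the report describes
    spraying specifically to reach admin accounts); "success" lists accounts
    the same source later authenticated to successfully, i.e. likely hits.
    """
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, result, user, src in sorted(events):
        by_src[src].append((ts, result, user))

    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, result, user in evs if result == "FAIL"]
        flagged = set()
        lo = 0
        # Sliding window over the time-ordered failures from this source.
        for hi in range(len(fails)):
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            in_window = {u for _, u in fails[lo:hi + 1]}
            if len(in_window) >= min_distinct_users:
                flagged |= in_window
        if flagged:
            findings[src] = {
                "users": sorted(flagged),
                "admins": sorted(flagged & ADMIN_ACCOUNTS),
                "success": sorted({u for _, r, u in evs if r == "OK"}),
            }
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {len(f['users'])} accounts "
              f"(privileged: {f['admins'] or 'none'}), "
              f"later succeeded as {f['success'] or 'nobody'}")
```

On the sample data only `198.51.100.9` is reported: six distinct accounts failed within the window, one of them (`svc-backup`) privileged, and the same source then logged in successfully as `frank`, which is exactly the "valid account" outcome the report describes. The second source never exceeds one distinct account and stays quiet. Thresholds are environment-specific; tune `min_distinct_users` against a baseline of normal failed-login fan-out before alerting on it.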
Once they controlled an admin account, they would use the red-team tool Cobalt Strike for multiple purposes such as beaconing, command-and-control, persistence, and lateral movement to domain controllers and other servers.
“During this process, the adversary identifies data of interest from the network of the victim,” the report states. “This can be anything from file and directory-listings, configuration files, manuals, email stores in the guise of OST- and PST-files, file shares with intellectual property (IP), and personally identifiable information (PII) scraped from memory.” This data is later exfiltrated.
When targeting airlines, the attackers appear to have specifically sought passenger name records. “How this PNR data is obtained likely differs per victim, but we observed the usage of several custom DLL files used to continuously retrieve PNR data from memory of systems where such data is typically processed, such as flight booking servers,” the report notes.
"In the high-tech/semiconductor industry, information of interest generally consists of intellectual property regarding technology and research; for example, designs for new and upcoming products, or research results that may form the basis for future generations of technology," said Butcher. "And in the airline industry, information of interest to nation-state actors may include transport and travel details; for example, who has traveled or is planning to travel where and when."
Fox-IT did not outright confirm if the operation was the work of a state-sponsored group, but an earlier report from CyCraft on this same actor described the culprit as a China-based APT threat actor called Chimera that has been known to target Taiwan’s semiconductor industry.
Butcher said that since ridding victimized networks of the threat actor in April 2020, the company has not observed any additional signs of the actor engaging in activity, "nor have we attributed any subsequent incident response cases to this threat actor."
He also said the attacks demonstrate the "value of collecting extensive telemetry and, where possible, storing it for as long as possible. This ensures that when an incident is discovered there is data which can allow the organization to investigate the root cause and understand the where, when and what."