
Coalition sheds more light on Hikit threat, Axiom spy group

In a new report, a coalition of major tech and security firms detailed the tools and tactics used by a cyberespionage group, called “Axiom.”

The threat actor – known for using a long list of malware, such as PlugX, Gh0st Rat and the infamous remote access trojan (RAT) Poison Ivy – also strategically deploys a backdoor trojan, called Hikit, on targeted organizations' machines worldwide to maintain access to victims, which include academic institutions in the U.S., and Asian and Western government agencies responsible for law enforcement, auditing and internal affairs, and space and aerospace research.

Energy firms, pharmaceutical companies, telecommunications firms and software and electronics manufacturers are also among those targeted by Axiom, the coalition, led by advanced analytics firm Novetta, revealed.

The 47-page report (PDF), released Tuesday, explained that Axiom targets “pro-democracy non-governmental organizations (NGO) and other groups and individuals that would be perceived as a potential threat to the stability of the Chinese state.”

The malicious activity of Axiom, a Chinese state-sponsored group, appears to be that of a “well resourced, disciplined, and sophisticated subgroup of a larger cyberespionage group that has been directing operations unfettered for over six years,” the report revealed.

Once Hikit is dispatched, the report continued, it is a sure indication for organizations that attackers have held long-term access to their network – and intend to maintain their foothold.

Andre Ludwig, senior technical director at Novetta, said in a Tuesday interview that Hikit is often used for reconnaissance that verifies whether attackers' previous findings “are still relevant.”

“[Hikit] has technical capabilities that are rather sophisticated, but the telling part of seeing Hikit on the network is that it has been employed where the attacker has tremendous [access], such as admin credentials, other user account credentials, and multiple other types of malware deployed within the network,” Ludwig said.

“This would suggest that they are very comfortable in that environment and are masters of their domain, so to speak,” he added later.

Ludwig noted that the coalition (which includes major players like Microsoft, Cisco, FireEye, Symantec and iSIGHT Partners) uncovered a new malware family, called “Zox,” through its remediation efforts.

Other noteworthy findings in the report were that tactics, techniques and procedures (TTPs) used by Axiom were used in other high-profile attacks, like Operation Deputy Dog, Operation Ephemeral Hydra and Operation Snowman. In all of those campaigns, attackers used watering hole attacks (where trusted or legitimate websites frequented by targets are compromised) as an infection vector.

The VOHO campaign, uncovered in 2012 by RSA, was also noted in the paper as exhibiting similar TTPs. In that campaign, watering hole attacks resulted in around 32,000 individual hosts worldwide visiting attack sites.

In his interview, Ludwig advised organizations to employ Microsoft's freely available Malicious Software Removal Tool (MSRT), which detects Hikit and a number of other tools used by Axiom. Furthermore, entities should be vigilant in keeping their machines patched, as well as AV signatures updated, he added.

In the report, companies collaborated to publish YARA signatures and malware hashes linked to Axiom's malicious toolset.
