
Security, tech firm coalition fights Hikit actors, other advanced groups

An advanced analytics firm has assembled a number of the world's top security firms and technology providers to thwart the spread of malware used by advanced threat actors.

This week McLean, Va.-based Novetta announced the coalition, which includes Microsoft, Cisco, FireEye, Symantec, F-Secure, iSIGHT Partners, Tenable, ThreatTrack Security, and a number of other firms, some of which have opted to remain anonymous contributors in the threat sharing effort.

Started as an initiative to combat Hikit, a backdoor Trojan previously known for targeting a small number of defense contractors in the U.S., the coalition intends to expand its efforts to analyze and mitigate other attack tools used by advanced threat groups.

First, however, the coalition plans to publish a comprehensive report on the Hikit threat on Oct. 28, which will include technical details and “insight into attribution,” according to a Novetta release.

Novetta's CEO, Peter LaMontagne, said in a Friday interview that, over the years, his firm (which historically provided data analytics support to national security and other agencies) has increasingly served the needs of commercial enterprises, which have in some respects followed the public sector's lead in addressing advanced threats.

“What's really interesting to me, as I've been involved in national security for 20 years, is we're finding when we engage with commercial clients today, large scale enterprises are building risk monitor centers that are similar to what we've had on the federal side for years,” LaMontagne said.

He continued, saying the cyber security coalition is a unique grassroots initiative led by technology and security experts working together.

“We really need to do a better job of providing cyber security practitioners with as much information as possible,” LaMontagne said. By assembling AV and routing equipment providers, as well as experts in advanced analytics, malware reverse engineering and incident response, for instance, the coalition will be able to “collect telemetry from our customers,” and release information that will give them a “better understanding of the threat actor.”

In an executive summary report (PDF) describing the coalition, participating members highlighted the efforts of a cyber espionage group, dubbed “Axiom,” that has “been operating unfettered for at least four years,” using a long list of backdoors, which include Hikit, PlugX, Gh0st RAT, and the infamous remote access trojan (RAT) Poison Ivy.

In a Friday interview, FireEye analyst Ned Moran explained how Hikit malware, in particular, has evolved over the years.

Back in 2012, researchers at Mandiant (a firm since acquired by FireEye) said Hikit had been used to conduct industrial espionage and steal sensitive data from defense contractors. Because Hikit was deployed as just one of many pieces of malware used by the attackers, Mandiant warned that it could go undetected for several years, owing to the size and complexity of most victims' corporate networks and the attackers' ability to rely on stolen credentials to maintain access to targeted systems.

Hikit runs commands on targeted servers, transfers files to retrieve data, and redirects traffic to other systems on the victim's internal network.

“The malware has gone through some evolution,” Moran said in his Friday interview. “There's multiple variants of it out there, generally used by the same actor but against a number of different industries. By and large, this actor will use Hikit as a persistence tool to remain inside an organization.”

Moran added that the coalition is a large-scale version of the collaboration that typically occurs among private sector organizations to combat threats.

“We were communicating amongst ourselves, since we have a number of large customers,” Moran said of the participating companies. “By allowing us to sharpen and hone our detection capability, we can deploy more effective signatures. And to do that, we don't need law enforcement because we have the infrastructure in place to block and remove that [threat] from our customers,” he said.
