OCTOBER 1 – 4, 2018 | WASHINGTON, D.C.

Red Line Redrawn:China APTs ResurfaceCristiana Brafman Kittner (@criskittner )Ben Read (@bread08)

©2018 FireEye

§ Principal Analyst, Cyber Espionage Analysis

§ Sr. Manager, Cyber Espionage Analysis

Ben ReadWho We AreCristiana Brafman Kittner

©2018 FireEye

Key Points

§ Decline in 2014

§ Gap in Activity

§ Return in 2016 - 2018

§ Revealing Changes

§ What this means for you

3

©2018 FireEye

Background

4

Red Line Drawn

§ Released June 2016

§ Intended to measure the impact of Xi-Obama Agreement Sept. 2015

§ Showed that the decline in events was real and pre-dated the agreement

©2018 FireEye

Trends in Chinese APT Operations:China Recalculates its use of Cyber Espionage

§ Since mid-2014, there has been a notable decline in overall intrusion activity, likely a result of:

– Ongoing Chinese military reforms– Widespread exposure of Chinese

cyber operations– Actions taken by USG

©2018 FireEye

Sept. 2015 Obama-Xi Agreement§ Leading up to Agreement, in May 2014, US

Department of Justice issued charges against 5 3PLA individuals for carrying out cyber-espionage against US companies

§ September 2015 Agreement stated “Neither country would engage in cyber economic espionage.”– Agreement covers the theft of IP but not national security

information

§ The cybertheft of IP which preceded the Agreement was described by former National Security Agency Dir. Keith Alexander as "the greatest transfer of wealth in history".

Chinese Cyber Forces Reorganize

©2018 FireEye

Chinese APT Ecosystem

Source: South China Morning Post

§ People’s Liberation Army (PLA)

– Regional commands§ Ministry of State Security (MSS)

– Intelligence Organization§ Contractors

– Various levels of control and affiliation

©2018 FireEye

Chinese Cyber Forces Reorganize§ Attempt to modernize and improve

cohesiveness across regions and services

§ March 2014 – PLA Reform discussed

§ September 2015 – Official announcement at Military Parade in Beijing

– Helps centralize Xi’s control§ December, 2015 - Establishment Ceremony for

creation of PLA Strategic Support Forces (PLASSF)

©2018 FireEye

Establishment of PLA Strategic Support Forces (PLASSF)

§ SSF is charged with overseeing Chinese military space, cyber, and electronic warfare(EW)

§ Composed of former General Staff Department (GSD), General Armament Department (GAD) 3PLA, and 4PLA units

§ Creates:

– Space Systems Department (�(����) 57 to carry out space missions

– Network Systems Department (�����) 58 to carry out the SSF’s cyber and EW missions

§ Reports directly to the CMC headed by President Xi

©2018 FireEye

April 2017 PLA Restructuring

§ In April 2017, further information was officially disclosed by the Ministry of Defense, of an even more drastic reorganization.

– Entire PLA was streamlined

§ New organization reflects Xi’s desire to strengthen PLA joint operations capabilities—on all domains, including cyber

What FireEye has seen

©2018 FireEye

©2018 FireEye

Data

§ Data Sources– Malware compile times from incident responses, device

detections, public repositories

§ Compile time set when a malicious tool is created

– Attacker Activity seen at Incident Responses

– Spear Phishes Detected by FireEye Devices

§ Caveats– Manipulation of compile times

– Gaps in visibility

– Changes in tools

§ Possible errors in individual data points, but the broad trend is clear

©2018 FireEye

©2018 FireEye

©2018 FireEye

©2018 FireEye

Case Studies

©2018 FireEye

©2018 FireEye

APT10 (MenuPass)

APT10 Before After

ToolsPHOTO, POISONIVY,

KABOB, SOGU, COOKBOOK, GH0ST

BUGJUICE, HAYMAKER, SNUGRIDE,

SPOOLSPOUT, DILLJUICE,

QUASARRAT

Target Countries Worldwide Worldwide

Target Industry Broad spectrum Broad spectrum

§ Now leveraging trusted third parties to pivot to networks of interest

§ Reuse of infrastructure across industries in initial compromise

§ New communications infrastructure detected in recent activity

§ Associated to contractors more closely than PLA, thus unique dormant time

©2018 FireEye

©2018 FireEye

APT19 (Codoso)

§ Primarily targets US, and Western based organizations

§ In May and June 2017 reemerged targeting global law and financial firms for intelligence collection operations

§ Recent activity suggests that the group is increasingly integrating commercially available toolsets

– June 2016, APT19 starts leveraging Cobalt Strike BEACON payload

APT19 Before After

Tools STALEMATE, BARMAID, GEMINI, ESKC2, TESTFAC

EMPIRE, COLDSTEEL,

HTRAN, BEACON

Target Countries

US, Brazil, Netherlands, Colombia

US, Netherlands, Hong Kong

Target Industry Broad spectrum

Financial, Transportation,

Legal

©2018 FireEye

©2018 FireEye

TEMP.Periscope

§ Active since at least 2013

§ Initial focus on Western maritime targets, have expanded to include Southeast Asian Govts

§ Maintained access to US defense contractor during pause, but took no actions on network

§ Current Western targeting appears to fall within bounds of “Traditional Espionage”

TEMP.Periscope Before After

ToolsREDMAGE, FRESHAIR,

SOGU, PHOTO, AIRBREAK

AIRBREAK, MURKYTOP,

CHINACHOPER, BADFLICK,

HOMEFRY, PHOTO, JUMPKICK,

LUNCHMONEY

Target Countries US, Great Britain Worldwide

Target Industry

Defense and Academia, with focus

on Maritime

Aerospace & Defense,

Academia, Government,

Maritime, Transportation

©2018 FireEye

©2018 FireEye

Team.338

§ Active since at least 2010

§ Historical targeting and spoofing of high-profile individuals in global political and economic arena

§ Returned after hiatus targeting broad range of sectors in East Asia

– Between September 2017 to January 2018, leveraged spear-phishing messages with human rights and terrorist financing themes to deliver signature BUBBLEWRAP malware

– Used new tool DOWNSIDE and expanded targeting to include energy, extractive, industrial manufacturing, media and technology

Team.338 Before After

Tools

POISONIVY, PROTUX, FAIRBET, BUBBLEWRAP,

SAFERSING, THICKCLOUDMONKEYTILT

BUBBLEWRAP, DOWNSIDE

Target Countries Worldwide

Japan, Macau, Hong Kong, International

Organizations

Target Industry

Aerospace & Defense, Financials, Dissidents and Human Rights

NGOs, Telecommunications

Defense, Government, NGOs

Telecommunications, Media

©2018 FireEye

©2018 FireEye

Group A

§ Chinese cluster that has been active since at least 2009, characterized by use of WARP Malware

– Activity ended in December 2014

– Targeted Academic, Manufacturing, Defense orgs for IP theft

§ Mid-July, 2018, series of spear phishes delivering WARP malware

– The lure documents dropped WARP along with newly discovered DOORJAM malware

– Multiple organizations targeted in 2018, were also targeted between 2011-2013

– Dropper compiled in 2018, WARP backdoor in 2013, calls to a 2018 domain

Group A Before After

ToolsWARP, WEFT,

DOORJAM, SIDEPART, AURIGA, TRUCKBED

WARP, DOORJAM

Target Countries US & Canada US & Canada

Target Industry Broad spectrum Broad spectrum

A

What does this mean?

©2018 FireEye

What has changed?

§ Bureaucracy Driving Activity

– Reorganization caused significant operational impact

§ Changes still being implemented

§ Groups returned in diverse ways

§ Doesn’t explain everything

– Some didn’t pause

– Some didn’t come back

©2018 FireEye

What does it mean§ Is the Xi-Obama agreement holding?

– No widespread commercial IP theft in US

§ Other malicious activity continues

– Geopolitical Targeting– Defense IP– Confidential Business Information

§ IP Transfer continues

– Forced Technology Transfer§ Complex and Evolving US – China relationship

©2018 FireEye

Acknowledgements

§ Fred Plan

§ Scott Henderson

§ Sarah Hawley

§ TORE/AP2

§ Alex Lanstein

§ ”Red Line Drawn” v1 Team

§ Ana Foreman

©2018 FireEye

Questions?