FireEye ontdekt samenwerking tussen Chinese hackers

FireEye (NASDAQ: FEYE), expert in het beveiligen tegen de nieuwste cyberaanvallen, heeft onlangs ‘Operation Quantum Entanglement’ uitgegeven. In het rapport beschrijven FireEye-onderzoekers twee specifieke aanvallen waarbij sprake is van samenwerking tussen verschillende regio’s in China. Deze samenwerking tussen twee groepen hackers is zorgwekkend. Het lijkt erop dat ze op deze manier samenwerken om regionale en internationale aanvallen nog gerichter uit te kunnen voeren.

Het volledige Engelstalige persbericht is hieronder te vinden. Verder is er een blog beschikbaar voor meer informatie.

FireEye Discovers Collaboration Between Chinese Threat Actors
Strong Evidence Links Separate Hacker Groups Targeting US, Japan, and Taiwan

FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today’s advanced cyber attacks, today released “Operation Quantum Entanglement.” The report by FireEye researchers details two distinct attack campaigns operating in conjunction with each other but based in separate regions of China.

“The concern here is that these two separate groups appear to be collaborating, which raises the threat level significantly,” said Thoufique Haq, senior research scientist at FireEye. “It seems they are employing a ‘production-line’-like system to conduct joint attacks against regional and international targets, including the U.S.“

The first group, named Moafee, appears to operate from the Guandong Province in China. Its targets include the military organizations and governments of countries with national interests in the South China Sea, including some within the U.S. defense industrial base.

The second group, known as DragonOK, targets high-tech and manufacturing companies in Japan and Taiwan. DragonOK appears to operate out of China’s Jiangsu Province.

Both campaigns use similar tools, techniques and procedures (TTPs) – including custom-built backdoors and remote-administration tools (RATs) to infiltrate their targets’ networks. They favor spear-phishing emails as an attack vector, often employing a decoy document to deceive the victim. The emails are written in the intended victim’s native language.

Moafee and DragonOK both use a well-known proxy tool – HUC Packet Transmit Tool (HTRAN) – to disguise their geographical locations. Both utilize password-protected documents and large file sizes to disguise their attacks. These approaches, along with other similarities in TTPs, seem to indicate the groups either received the same training, have a common toolkit supply chain, or are, in fact, collaborating on their attack campaigns.

A third, separate group also appears to be using the same TTPs, including the same custom backdoors and RATs; however, FireEye researchers do not have enough insight to reliably report a definitive connection to the Moafee and DragonOK groups.

Over FireEye Inc.
FireEye heeft een gespecialiseerd, virtueel beveiligingsplatform ontwikkeld, dat real-time beveiliging biedt voor bedrijven en overheden tegen de nieuwste vormen van cyberaanvallen. Deze aanvallen worden steeds geavanceerder en omzeilen steeds vaker traditionele, op signatures gebaseerde beveiliging, zoals next-generation firewalls, IPS, antivirus en gateways. Het FireEye-Threat Prevention Platform biedt een dynamische real-time bescherming tegen deze nieuwe bedreigingen zonder gebruik te maken van signatures en beschermt organisaties gedurende verschillende fasen van een aanval tegen de belangrijkste bronnen van dreiging: mobiel, web, e-mail en bestanden. Een virtual execution engine vormt de basis van dit FireEye-platform en is aangevuld met dynamische en real-time informatie over bedreigingen om aanvallen tijdig te identificeren en te stoppen. FireEye heeft ruim 2.500 klanten in meer dan 60 landen, waaronder ruim 130 organisaties uit de Fortune 500.