Chinese Espionage Group Directed a 6-Year, Widescale Offensive

Written by

A new threat actor group dubbed Axiom has been uncovered, believed to act on behalf of a Chinese government intelligence apparatus. It is a well-resourced, disciplined and sophisticated subgroup of a larger cyber-espionage group that has been directing operations unfettered for more than six years.

Novetta Solutions, which led an initiative called Operation SMN against the group, said that to date, more than 43,000 separate installations of Axiom-related tools have been removed from victim machines. About 180 of those infections were examples of Hikit, the late­ stage persistence and data exfiltration malware tool that represents the height of an Axiom victim’s operational lifecycle.

“The Axiom threat group is…operating out of mainland China,” said Novetta CEO Peter LaMontagne, in a statement. “This belief has been partially confirmed by a recent FBI flash released to Infragard stating the actors are affiliated with the Chinese government.”

In the white paper, Novetta explained that Axiom actors have victimized pro-democracy non-governmental organizations (NGO) and other groups and individuals that would be perceived as a potential threat to the stability of the Chinese state. They have been observed operating in organizations that are of strategic economic interest, that influence environmental and energy policy, and that develop cutting edge information technology, including integrated circuits, telecommunications equipment and other infrastructure.

The attacks on NGOs that deal with international politics, environmental policy, pro-democracy movements or human rights issues tend to be multistaged; Novetta observed at least one operation where Axiom compromised a satellite office of one of these organizations and then appeared to have moved laterally into that organization’s main headquarters.

“Much has been written of China’s dissatisfaction of their reputation on the world stage, in particular criticism for human rights abuses and environmental issues stemming from rapid industrialization; these criticisms are often viewed as a blow to the authority of the ruling party and to the soft power of their nation-state, which China has been keen on developing in recent years,” the paper noted. “Monitoring these kinds of organizations could allow the Chinese government to track these watchdog organizations and potentially accomplish more traditional goals such as the suppression of dissidents or intimidation of whistleblowers.”

Axiom uses a varied toolset ranging from generic malware to very tailored, custom bugs designed for long-term persistence that at times can be measured in years. Novetta said that the later stages of Axiom operations leverage command and control infrastructure that has been compromised solely for the targeting of individual or small clusters of related targeted organizations.

Strains used include Zox family, Derusbi, Fexel/Deputy Dog, Hydraq/9002/Naid/Roarur/Mdmbot, ZXShell/Sensode, PlugX/Sogu/Kaba/Korplug/DestroyRAT, Gh0st/Moudour/Mydoor, and Poison Ivy/Darkmoon/Breut. But, the most advanced tool in its arsenal is Hikit.

“The occurrence of Hikit activity within an entity indicates that the organization responsible for Axiom tasking considers it of importance or, alternatively, that the target is relatively hardened and more specialized malware is needed,” the company explained in the paper. “Within these targets, Axiom has been observed as going out of its way to ensure continued access regardless of changes to its target’s network topology or security controls.”

Axiom’s Hikit operators have been observed returning to compromised organizations on a scheduled basis, and even performing targeted lateral compromises based on the geographic locations of network egress points as well as introduction of new security controls.

Operation SMN was carried out by a cybersecurity coalition led by Novetta that includes security vendors Bit9, Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect Intelligence Research Team (TCIRT), ThreatTrack Security and Volexity.

On October 14, Operation SMN took its first public action via Microsoft’s Coordinated Malware Eradication campaign, after which the coalition received and shared a substantial amount of technical information relating to the removal of Axiom’s malware tools across the coalition’s customer set.

“This coordinated effort by security industry leaders is the first of its kind and has had a quantifiable impact on state-sponsored threat actors,” said LaMontagne. “Through this initiative, we provided tools and technical assistance via the coalition on a large scale that will not only better protect coalition customers but also force Axiom to use new exploits and thereby spend more resources.  Coalescing multiple industry perspectives and technical capabilities provided the highest level of visibility we have ever seen in such an effort and established the foundation to deliver the intended effects against a threat of this nature."

What’s hot on Infosecurity Magazine?