Cyber Security Coalition Releases Full Report on Large-Scale Interdiction of Chinese State Sponsored Espionage Effort

by Fortuna's Corner

November 3, 2014 

Cyber Security Coalition Releases Full Report on Large-Scale Interdiction of Chinese State Sponsored Espionage Effort

Washington D.C. – October 28, 2014 – Novetta Solutions, LLC (“Novetta”), a leader in advanced analytics technology solutions today released multiple reports, the main one being titled “Operation SMN: Axiom Threat Actor Group Report”. This report details the characteristics of a threat actor group, dubbed Axiom by the coalition, which Novetta believes acts on behalf of a Chinese government intelligence apparatus. The release of these reports follows months of cooperation by the cyber security coalition. Led by Novetta and including security industry leaders Bit9, Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect Intelligence Research Team (TCIRT), ThreatTrack Security, Volexity and other unnamed partners, the coalition’s main objective was to move beyond basic reporting of malware exploits and associated threat actors and execute a coordinated, effective remediation and disruption of activities tied to several families of malware used by advanced threat actor groups across the globe.

“This coordinated effort by security industry leaders is the first of its kind and has had a quantifiable impact on state-sponsored threat actors,” said Novetta CEO Peter B. LaMontagne. “The Axiom threat group is a well resourced, disciplined, and sophisticated cyber espionage group operating out of mainland China. Through this initiative, we provided tools and technical assistance via the coalition on a large scale that will not only better protect coalition customers but also force Axiom to use new exploits and thereby spend more resources. Coalescing multiple industry perspectives and technical capabilities provided the highest level of visibility we have ever seen in such an effort and established the foundation to deliver the intended effects against a threat of this nature.”

On Tuesday, October 14, 2014, the security coalition took its first public action related to Operation SMN via Microsoft’s Coordinated Malware Eradication campaign and announced the teaming of security industry leaders to execute coordinated, effective remediation and disruption of activities tied to several families of malware used by advanced threat actor groups across the globe. Following these actions, the coalition received and shared a substantial amount of technical information relating to the removal of these malware tools across the coalition’s customer set. To date, over 43,000 separate installations of Axiom-­related tools have been removed from machines protected by Operation SMN partners; 180 of those infections were examples of Hikit, the late­ stage persistence and data exfiltration tool that represents the height of an Axiom victim’s operational lifecycle.

Today’s final report details how Axiom’s operations are consistent with the area of responsibility attributed to the Chinese government intelligence apparatus and goes on to provide an overview of malware families they have been observed using, and an in-depth review of the tactics, techniques, and procedures (TTP’s) of this group. Key findings from the report include:

•Novetta has moderate to high confidence that the organization tasking Axiom is a part of Chinese Intelligence Apparatus. This belief has been partially confirmed by a recent FBI flash released to Infragard stating the actors are affiliated with the Chinese government.

•A coordinated effort across the private industry can have quantifiable impact on state-sponsored threat actors.

•The Axiom threat group is a well resourced, disciplined, and sophisticated subgroup of a larger cyber espionage group that has been directing operations unfettered for over six years.

•Axiom actors have victimized pro-democracy non-governmental organizations (NGO) and other groups and individuals that would be perceived as a potential threat to the stability of the Chinese state.

•Axiom operators have been observed operating in organizations that are of strategic economic interest, that influence environmental and energy policy, and that develop cutting edge information technology including integrated circuits, telecommunications equipment manufacturers, and infrastructure providers.

•Later stages of Axiom operations leverage command and control infrastructure that has been compromised solely for the targeting of individual or small clusters of related targeted organizations.

•Axiom uses a varied toolset ranging from generic malware to very tailored, custom malware designed for long-term persistence that at times can be measured in years.

You can access the full report and an infographic that describes the timeline associated with this effort here. Novetta feels the unified approach developed within Operation SMN to unite multiple industry perspectives and technical capabilities provided the highest level of visibility and established the foundation to deliver the intended effects against a threat of this nature. It is Novetta’s hope that others within industry will embrace and adopt a similar approach in the future.

About Novetta Solutions

Headquartered in McLean, VA with over 600 employees across the US, Novetta has over two decades of experience solving problems of national significance through advanced analytics for government and commercial enterprises worldwide. Novetta’s Cyber Analytics, Identity Analytics and Social Analytics capabilities enable customers to find clarity from the complexity of ‘big data’ at the scale and speed needed to drive enterprise and mission success. Visit http://www.novetta.com for more information.