Cyber security coalition reports on Chinese state-sponsored espionage

Novetta Solutions released multiple reports, the main one being titled “Operation SMN: Axiom Threat Actor Group Report”, which details the characteristics of a threat actor group, dubbed Axiom by the coalition, which Novetta believes acts on behalf of a Chinese government intelligence apparatus.

The release of these reports follows months of cooperation by the cyber security coalition whose main objective is to move beyond basic reporting of malware exploits and associated threat actors and execute a coordinated, effective remediation and disruption of activities tied to several families of malware used by advanced threat actor groups across the globe.

“This coordinated effort by security industry leaders is the first of its kind and has had a quantifiable impact on state-sponsored threat actors,” said Novetta CEO Peter B. LaMontagne. “The Axiom threat group is a well-resourced, disciplined, and sophisticated cyber espionage group operating out of mainland China. Through this initiative, we provided tools and technical assistance via the coalition on a large scale that will not only better protect coalition customers but also force Axiom to use new exploits and thereby spend more resources. Coalescing multiple industry perspectives and technical capabilities provided the highest level of visibility we have ever seen in such an effort and established the foundation to deliver the intended effects against a threat of this nature.”

On Tuesday, October 14, 2014, the security coalition took its first public action related to Operation SMN via Microsoft’s Coordinated Malware Eradication campaign and announced the teaming of security industry leaders to execute coordinated, effective remediation and disruption of activities tied to several families of malware used by advanced threat actor groups across the globe. Following these actions, the coalition received and shared a substantial amount of technical information relating to the removal of these malware tools across the coalition’s customer set. To date, over 43,000 separate installations of Axiom-related tools have been removed from machines protected by Operation SMN partners; 180 of those infections were examples of Hikit, the late-stage persistence and data exfiltration tool that represents the height of an Axiom victim’s operational lifecycle.

Today’s final report details how Axiom’s operations are consistent with the area of responsibility attributed to the Chinese government intelligence apparatus, provides an overview of the malware families the group has been observed using, and gives an in-depth review of its tactics, techniques, and procedures (TTPs). Key findings from the report include:

  • Novetta has moderate to high confidence that the organization tasking Axiom is part of the Chinese intelligence apparatus. This belief has been partially confirmed by a recent FBI flash released to InfraGard stating that the actors are affiliated with the Chinese government.
  • A coordinated effort across the private industry can have quantifiable impact on state-sponsored threat actors.
  • The Axiom threat group is a well-resourced, disciplined, and sophisticated subgroup of a larger cyber espionage group that has been directing operations unfettered for over six years.
  • Axiom actors have victimized pro-democracy non-governmental organizations (NGO) and other groups and individuals that would be perceived as a potential threat to the stability of the Chinese state.
  • Axiom operators have been observed operating in organizations that are of strategic economic interest, that influence environmental and energy policy, and that develop cutting-edge information technology, including integrated circuit and telecommunications equipment manufacturers and infrastructure providers.
  • Later stages of Axiom operations leverage command and control infrastructure that has been compromised solely for targeting an individual organization or a small cluster of related targeted organizations.
  • Axiom uses a varied toolset ranging from generic malware to very tailored, custom malware designed for long-term persistence that at times can be measured in years.