A widespread and highly persistent cyber-attack has been discovered by security researchers. The series of assaults conducted by APT10 hacking group were found to have been leveraging the Zerologon vulnerability of Windows, targeting mostly Japanese firms but has connections to attacks happening in more than 17 territories around the world. No particular industry was targeted, but a collection of large-scale firms was included in the campaign – pharmaceutical companies, automotive corporations, industrial businesses, including engineering sectors, and of course government firms.
Researchers also found out that the attacks have been ongoing since mid-October of last year, possibly longer. One notable information about the attack is that most of the companies targeted were connected somehow or has some sort of business relations to Japan. The operations and attack vector excluding, this small detail somehow made it easy for security researchers to identify the primary suspects or group responsibly. APT10 (aka Cicada, Red Apollo, Stone Panda), a Chinese-backed hacker group was identified and previously held responsible for similar campaigns against Japanese-based firms and subsidiaries.
They are known by their usual tactics – custom malware payload deliveries that directly target network infrastructures. But like any other hacking group, they evolve with the times, as seen on their other campaigns using much more sophisticated obfuscation methods (network recon, RAR archiving techniques, DLL side-loading, malware injections, and PowerShell scripting). They were also using other well-known infiltration methods when attacking multiple targets simultaneously – employing the QuasarRAT malware delivery system and living-off-the-land techniques. These methods have been used by different threat groups like TA505 and MuddyWater in the past. And just like APT10, these groups are known to initiate their attacks and keep it going for a few months, remaining undetected and continue for a year or so.
With ample resources at their disposal, APT10 clearly has one particular target – Information Theft.
Acquiring information from organizations, primarily Japanese firms, is their primary goal it seems. Unfortunately for some companies, there’s almost no shortage of vulnerable devices to be used for – Domain Controller account spoofing, Active Directory identity access and services, and more importantly, stealing Domain credentials from users and compromise Network operations. The Japanese government have repeatedly expressed their frustrations and condemnation on the attacks. Their Foreign Ministry has issued statements regarding the assault against the affected firms and continuous attacks and sensitive information theft by the hacker group against their country and the so-called Five Eyes Intelligence Alliance (United States, United Kingdom, Japan, Canada and Australia).
It was no less than 2-years since the United States indicted a few members of APT10 for their attacks on different agencies of the government. Their group was credited for the intrusion on NASA’s Jet Propulsion Laboratory, and government agencies’ managed service providers – IBM and Hewlett Packard. The suspects were also responsible for the breach in the U.S. Navy network systems which resulted in over 100,000 confidential personnel info being stolen.
It’s one thing to worry about getting hacked and your personal/corporate information taken, what’s even more disturbing is getting them posted on the Dark Web and sold to the highest bidder. To date, the attacks by APT10 yielded more than US$200 billion/yr. Losses to the affected Japanese firms and their partners/subsidiaries.