Keeping the world’s dizzying array of hacking groups straight has become a challenge for researchers and journalists. One person’s Helix Kitten is another’s OilRig, sowing confusion — in this writer as well as others — about where one group ends and the next one begins.
But getting hacking taxonomy right matters because knowing which group is responsible for malicious activity can help network defenders secure their data. That’s why researchers from multiple companies are pointing out what they say is a case of mistaken attribution of a global hacking operation.
A report published last week by cybersecurity companies Recorded Future and Rapid7 blamed a well-known Chinese threat group, APT10, for breaching a Norwegian software vendor, a U.S. law firm, and an international apparel company. APT10, which U.S. officials and private analysts have linked to China’s civilian intelligence agency, gained greater notoriety in December when the Department of Justice announced charges against two of the group’s alleged members.
The Recorded Future-Rapid7 report assessed with “high confidence” that APT10 was responsible for the breaches. Among other technical evidence, the researchers listed the so-called Trochilus malware and a signature backdoor, or remote-access portal, that APT10 has used. The DOJ indictment helped solidify the APT10 attribution, they said.
But analysts at other companies that follow APT10 say the activity described in the report is the work of another China-linked hacking group, called APT31 or Zirconium. An APT10 attack would have looked different, according to Kris McConkey, head of cyberthreat detection and response at PricewaterhouseCoopers (PwC).
“None of the stuff that we were tracking as APT10 overlaps with what Recorded Future and Rapid7 have reported,” McConkey said. His company published a detailed account of APT10’s compromise of remote IT service providers in 2017.
McConkey said the command-and-control infrastructure listed in the Recorded Future-Rapid7 report is that of APT31, not APT10. His team, he added, has not seen APT10 deploy Trochilus in the manner described in the report (Recorded Future and Rapid7 described it as a “new variant”).
Benjamin Koehl, an analyst at Microsoft’s Threat Intelligence Center, also took issue with the report’s APT10 attribution in a series of tweets.
This activity is not APT10. It is all APT31 (or ZIRCONIUM) in our terms. The C2 domains that you mention were all registered and the threat actors made subsequent changes in specific ways that we attribute (with other information) to ZIRCONIUM.
— bk (@bkMSFT) February 6, 2019
According to Koehl, Zirconium has registered more than 50 command-and-control domains in the manner described in the Recorded Future-Rapid7 report in the last few years.
There is extensive public data tracking APT10, which is known for supply-chain attacks that enable intellectual property theft. Much less has been written about the more recently surfaced APT31 (though some ink has been spilled in the name of Zirconium). The groups’ hacking tools have overlapped and they have both conducted supply-chain attacks, analysts say, but APT31’s infrastructure, and sometimes its targeting, differ from its more famous relative.
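The disagreement above turns on infrastructure: Microsoft's analyst attributes the command-and-control domains to Zirconium because of how they were registered and later changed, not because of the malware they served. The script below is an added illustration of that kind of reasoning, written for this article and not taken from Recorded Future, Rapid7, PwC or Microsoft. It clusters domains that share registration attributes (registrar, name server, a hashed registrant contact, creation week) so that a defender can see which domains were probably set up by one operator. Every record is constructed sample data on the reserved `.invalid` TLD, and the attribute weights and the 4.0 threshold are assumptions chosen for the example; the article does not say which registration details actually tie the reported domains to APT31.

```python
"""Cluster domains by shared registration features (defender-side infrastructure pivot).

Added example; all records are constructed and the weights are assumed.
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class Registration:
    """One domain's registration record (the fields a WHOIS/RDAP lookup would give)."""
    domain: str
    registrar: str
    name_server: str
    registrant_email_hash: str  # hash of the contact address, so no real identity is embedded
    created: str                # creation date as an ISO string


# How much weight a shared attribute carries. Assumed values for this example; a real
# pipeline would derive them from how rare each attribute is across the domains it sees.
WEIGHTS = {
    "registrar": 1.0,
    "name_server": 2.0,
    "registrant_email_hash": 3.0,
    "created_same_week": 1.5,
}


def _iso_week(iso_date: str):
    year, week, _ = date.fromisoformat(iso_date).isocalendar()
    return (year, week)


def shared_features(a: Registration, b: Registration):
    """Return the names of the registration attributes two domains have in common."""
    shared = []
    if a.registrar == b.registrar:
        shared.append("registrar")
    if a.name_server == b.name_server:
        shared.append("name_server")
    if a.registrant_email_hash == b.registrant_email_hash:
        shared.append("registrant_email_hash")
    if _iso_week(a.created) == _iso_week(b.created):
        shared.append("created_same_week")
    return shared


def similarity(a: Registration, b: Registration) -> float:
    """Weighted count of shared attributes; higher means more likely the same operator."""
    return sum(WEIGHTS[feature] for feature in shared_features(a, b))


def cluster(records, threshold: float):
    """Group domains whose pairwise similarity reaches the threshold (union-find)."""
    parent = {r.domain: r.domain for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(records, 2):
        if similarity(a, b) >= threshold:
            parent[find(a.domain)] = find(b.domain)

    groups = {}
    for r in records:
        groups.setdefault(find(r.domain), []).append(r.domain)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample records; .invalid is a reserved TLD, so none of these resolve.
SAMPLE = [
    Registration("c2-a.invalid", "RegistrarX", "ns1.hostalpha.invalid", "h1", "2018-03-05"),
    Registration("c2-b.invalid", "RegistrarX", "ns1.hostalpha.invalid", "h1", "2018-03-07"),
    Registration("c2-c.invalid", "RegistrarX", "ns2.hostalpha.invalid", "h1", "2018-06-20"),
    Registration("shared-registrar.invalid", "RegistrarX", "ns1.hostbeta.invalid", "h9", "2019-01-10"),
    Registration("unrelated.invalid", "RegistrarY", "ns1.hostgamma.invalid", "h7", "2017-11-02"),
]

if __name__ == "__main__":
    for group in cluster(SAMPLE, threshold=4.0):
        print(group, shared_features(SAMPLE[0], SAMPLE[1]))
```

With the threshold at 4.0 the three `c2-*` domains land in one cluster because they share a registrar and registrant contact even though one uses a different name server; the domain that only shares a registrar stays on its own, which is the point of weighting a common registrar far below a common registrant. Raising the threshold to 5.0 splits off `c2-c.invalid`, so the threshold is where an analyst trades false links for missed ones, and `shared_features` shows which attributes drove each link so the judgement can be reviewed rather than taken on faith.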
The Recorded Future-Rapid7 report caveated the attribution by saying that the investigation of the breaches included “privileged conversations that lead us to believe that in the future, portions of what is now known as APT10 will be recategorized as a new group. There is insufficient data at this time to make that distinction.”
Origin of species
Distinguishing between these two prolific China-based hacking groups can help organizations prepare for the next malicious campaign.
“Where it matters to network defenders is that sometimes the groups will have different objectives and the information they’re looking for will be slightly different,” McConkey told CyberScoop. “If you work out what their objective is, that informs your strategy for what you need to protect as the highest priority in an organization.”
At the same time, however, many hacking outfits are moving toward shared tools, he said. That makes attribution more difficult, but also means that identifying the tools used, as the Recorded Future-Rapid7 report did, allows organizations to block swaths of the malicious activity at once.
While McConkey said the Recorded Future-Rapid7 report got the attribution wrong, he credited the companies for shining a light on the malicious activity and the Norwegian software firm, Visma, for being willing to be named publicly.
When asked about criticism of the report’s APT10 attribution, Priscilla Moriuchi, Recorded Future’s director of strategic threat development, cited the company’s caveat on the possible overlap in threat groups. She said that there appear to be such strong similarities in the tactics, techniques, and procedures of APT10 and APT31 that they could be part of the same Chinese state organization. That is still being investigated.
For now, Recorded Future does not plan to amend the report, Moriuchi said. The company is in touch with researchers from Microsoft who have tracked APT31 to further investigate. After digging more into the overlap between the groups, Recorded Future will update the report if necessary, she said.
“We completely understand and are huge advocates of understanding the differences in threat actor groups from a network defense perspective,” Moriuchi added. “We’re always open to reassessing our judgements if new facts come to light.”
Asked about the attribution criticism, a Rapid7 spokesperson said the company wasn’t involved in identifying the hackers, only in providing information about their activity.
The debate stirred by the report points to the larger challenge the industry has in clearly chronicling hacking groups. Like biologists cataloging new species, malware analysts christen a threat group if they see enough of a pattern in unique characteristics to warrant the distinction. That happens regularly, and cybersecurity researchers say the lack of a standard nomenclature is a problem.
“Our goal really is just to simplify and clarify [threat intelligence] for users because it’s information that network defenders need, not the different names,” Moriuchi said.