Tech by VICE

You Don't See This Often: Simultaneous FBI, DHS, and DoD Cyber Espionage Alerts

The alerts concern a prolonged hacking campaign against US government and contractor networks, likely originating from China.

by Joseph Cox
May 6 2016, 5:15pm

Photo: Nick Page/Flickr

Multiple arms of the US government issued warnings this week to private companies and contractors about a prolonged cyber espionage campaign which has centered around the theft of sensitive business information, according to documents obtained by Motherboard.

The hackers have been in some systems for over a year before being detected and have deployed a wide range of different types of malware, using infrastructure originating from China, according to an FBI document.

"The FBI has obtained information regarding multiple malicious cyber actor groups that have compromised sensitive business information from US commercial and government networks through cyber espionage," reads a May 2 FBI alert from the agency's cyber division. In what is potentially a sign of how serious the attacks are, the Department of Homeland Security (DHS) released a related Joint Analysis Report, and the Defense Security Service (DSS), which is part of the Department of Defense (DoD), distributed its own Cyber Alert.

"For all three to do anything coordinated is usually interesting," Robert M. Lee, a former US Air Force cyber warfare operations officer and founder and CEO of Dragos Security, told Motherboard in a Twitter message. However, Lee said this sort of coordination all depends on the subject matter and what prompted the agencies to publish together, which is not immediately clear. The DSS did not respond to a request for comment on this point.

"The reports provide validated malicious domains associated with command and control functions of customized malicious software or that have been identified hosting malicious files," reads the DSS alert, also obtained by Motherboard.

"The majority of the domains from the Flash FBI alert were associated with APT6 and one of their malware backdoors"

These sort of documents are propagated to cleared contractor security professionals to warn of current threats and provide information on how system administrators can detect, and hopefully prevent, attacks.

None of the affected companies or agencies are named in the documents, but the hackers "have been linked to a number of intrusions," the FBI alert continues.

According to cybersecurity experts, one of the actors responsible for this espionage activity is APT6, a suspected Chinese state-sponsored group.

"The majority of the domains from the Flash FBI alert were associated with APT6 and one of their malware backdoors," Erica Eng, a threat intel analyst from FireEye, told Motherboard in an email. "Based on our visibility, APT6 targeted the US and UK defense industrial base."

Craig Williams, senior technical leader and security outreach manager at Talos, part of cybersecurity company Cisco, described the group as "an advanced, well funded actor." (Williams referred to APT6 by Talos' own label for the group, which is "Group 19.")

In April 2016, Motherboard reported that APT6 has compromised and stolen information from US government and commercial networks since at least 2011. That reporting was based on another FBI alert, distributed in February 2016.

Infamously, suspected Chinese hackers were responsible for one of the most significant data breaches of all time, in which highly sensitive data on millions of government workers was stolen from the Office of Personnel Management. According to a map from the National Security Agency published by NBC News in July 2015, Chinese hackers attacked over 600 corporate, private or government targets over a five-year period. In March of this year, a Chinese man pleaded guilty to conspiring with a group to hack into US defense contractors' systems and steal military secrets.

According to the latest alert, the hackers targeting government and commercial systems have employed a large selection of different malware families, including WINNTI, which is used for data exfiltration and stealing encryption certificates, and 'HiKit', which installs its own digital certificate on the target machine.

The FBI document also mentions Derusbi, HomeUnix, DeputyDog, and Plug-X malware, and points to previous FBI alerts covering the use of some of this malware by Chinese hackers. The suspected creator of Plug-X is a member of a Chinese hacking group at the service of the country's Peoples' Liberation Army.

Image: NSA/NBC

The FBI document provides a long list of recommendations for recipients of the alert, such as establishing out-of-band means of communications for discussing how to deal with any intrusions; ensuring that all devices have logging enabled; pushing network-wide password resets to all domain, local, and machine accounts; trying to identify self-signed encrypted traffic in order to detect intrusions, and patching all systems for critical vulnerabilities. The document also provides advice for segmenting networks and protecting login credentials.

These sort of recommendations are often published in FBI alerts, but it's not clear whether all of these strategies are for those who have already detected a possible compromise, or whether it should be followed by all recipients of the document. The document said that core mitigation strategies should be followed with 72 hours to avoid re-exploitation.

Nora Scheland, an FBI spokesperson, declined to answer specific questions about the alert.

"In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations," Scheland wrote in a statement. "This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals."