As highlighted in our recent webinar with Rick Holland, when there is a security event of great magnitude, organizational leadership will want to know as much as possible about the technical WHAT and HOW, as well as the WHO and the WHEN.
In many cases not all of these questions can be answered definitively; however, our inability to answer a specific question does not negate the intelligence requirement, nor does it allow the decision maker to sidestep the decision point they face. Below are some common questions that a variety of organizations have asked us over the past few days regarding our analysis of the recent OPM breach, along with a recap of the public reporting that supports our position(s).
Who do we believe is responsible?
Based on open source research and technical analysis, we believe that China-based actors operating on behalf of the government of the People’s Republic of China (PRC) are responsible for the 2015 OPM breach. Although the specific group(s) responsible for this activity have proven somewhat amorphous, many independent researchers and threat intelligence analysts familiar with this ongoing activity will concur that the ultimate beneficiary of the stolen data is the central government in Beijing.
We stress that it is most likely a cohort of Chinese actors resourced and directed by a common benefactor. The diversity of expert opinion and the ambiguity with which the security industry treats this particular threat may themselves be by design. This lends further credence to the working “Digital Quartermaster” theory originally introduced by FireEye and recently referenced in PricewaterhouseCoopers (PwC) UK’s Scanbox II Threat Intelligence Bulletin, which featured facets of this particular threat.
One thing is certain: despite the lingering uncertainty and the lack of consensus, this activity has been a catalyst for increased shared awareness, technical information sharing and analytic collaboration.
Why we believe it is China
- We feel that the technical aspects of the activity observed thus far have transitive properties: overlapping infrastructure, malware and registrant details let us link one campaign to the next.
- We can strongly tie Chinese based actors to faux Wellpoint (Anthem), Premera, Empire BlueCross Blue Shield and CareFirst themed infrastructure.
- Further, we can tie specific Sakula malware that was digitally signed with a unique signature to unique infrastructure which appears to have been specifically configured for persistence within the Wellpoint enterprise.
- We can tie infrastructure observed within a campaign that targeted a Virginia-based defense contractor VAE, Inc. to a named Chinese professor at Southeast University with ties to Beijing TopSec.
- This campaign used Sakula malware bearing the same digital signature seen in the Wellpoint themed campaign. The infrastructure was configured for survivability within the VAE, Inc. enterprise.
- Activity and dates associated with the faux VAE, Inc. infrastructure align with the timeline of a hacking competition sponsored by the Chinese professor, Southeast University and TopSec Beijing; both organizations have ties to the Ministry of State Security (MSS).
- We can strongly tie malicious infrastructure that maintains an Office of Personnel Management (OPM) theme to registration patterns observed with the faux VAE, Inc. themed infrastructure.
- The actors used GoDaddy to register faux VAE, Inc. and OPM themed domains.
- In both instances, actors falsified domain registration data with Marvel “Avengers” themed first and last names.
- Attackers also used “throw away” GMX email accounts that followed the pattern <10 random alphabetic characters>@gmx[.]com.
- The timeline of faux OPM themed infrastructure activity is congruent with the official OPM timeline.
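The registration profile described in the bullets above (GoDaddy registrar, Marvel “Avengers” registrant names, random-looking GMX mailboxes) can be turned into a simple scoring check over WHOIS records. The following is an added example written for this page, not ThreatConnect tooling. It assumes a hypothetical `Registrant` record shape; the Avengers name list beyond “tony stark”, the weaker nine-to-twelve-character GMX pattern, and the `example-training.org` record are assumptions, while the opm-learning[.]org and binghomton[.]com details come from the post.

```python
import re
from dataclasses import dataclass

# Marvel "Avengers" character names as a lookup for fake registrant names. The
# post confirms only "tony stark"; the rest of this list is an assumption.
AVENGERS_NAMES = {
    "tony", "stark", "steve", "rogers", "bruce", "banner",
    "natasha", "romanoff", "clint", "barton", "thor", "nick", "fury",
}

# Strong indicator: exactly ten random lower-case letters at gmx.com, the
# pattern the post describes for the faux VAE, Inc. and OPM domains.
GMX_TEN_ALPHA_RE = re.compile(r"^[a-z]{10}@gmx\.com$")
# Weak indicator (assumed): a short, dot-free, random-looking alphanumeric
# gmx.com mailbox, which also covers the nine-character ton0251sx@gmx.com style.
GMX_SHORT_RANDOM_RE = re.compile(r"^[a-z0-9]{8,12}@gmx\.com$")


@dataclass
class Registrant:
    domain: str
    registrar: str
    first_name: str
    last_name: str
    email: str


def score_registrant(r):
    """Return (score, reasons): weighted sum of the registration indicators."""
    reasons = []
    email = r.email.lower()
    if r.registrar.lower() == "godaddy":
        reasons.append(("registrar:godaddy", 1))
    if GMX_TEN_ALPHA_RE.match(email):
        reasons.append(("email:ten-alpha-gmx", 2))
    elif GMX_SHORT_RANDOM_RE.match(email):
        reasons.append(("email:short-random-gmx", 1))
    if r.first_name.lower() in AVENGERS_NAMES or r.last_name.lower() in AVENGERS_NAMES:
        reasons.append(("name:avengers", 2))
    return sum(w for _, w in reasons), [tag for tag, _ in reasons]


def flag_registrants(records, threshold=3):
    """Domains whose registration profile scores at or above the threshold."""
    flagged = []
    for r in records:
        score, _ = score_registrant(r)
        if score >= threshold:
            flagged.append((r.domain, score))
    return flagged


# Constructed sample. The first record reproduces the opm-learning[.]org WHOIS
# data quoted in the post; the binghomton record uses only the e-mail the post
# gives (registrar and names are not stated, so they are left blank); the last
# record is a made-up benign registration for contrast.
SAMPLE_RECORDS = [
    Registrant("opm-learning.org", "GoDaddy", "tony", "stark", "vrzunyjkmf@gmx.com"),
    Registrant("binghomton.com", "", "", "", "ton0251sx@gmx.com"),
    Registrant("example-training.org", "Namecheap", "jane", "doe", "jane.doe@example.com"),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.domain, score_registrant(r))
    print("flagged:", flag_registrants(SAMPLE_RECORDS))
```

A single weak indicator (a random GMX mailbox alone) is deliberately not enough to flag a domain; the value of the profile is the combination of registrar, name theme and mailbox style, which is why the benign record scores zero and the binghomton record scores one while opm-learning[.]org scores five.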
Have we seen this type of activity before?
The theft of government PII, and even a breach of OPM’s network, is nothing new. In 2013, the private firm USIS (a contractor retained by OPM to conduct background investigations on federal employees) reported falling victim to a sophisticated state-sponsored network intrusion. This breach received widespread coverage, as well as scrutiny and criticism from lawmakers on Capitol Hill.
As time went on, details of the compromise came to light. A report compiled by Stroz Friedberg revealed that the attackers had gained access to USIS networks via an unidentified vulnerability in an SAP enterprise resource planning (ERP) software package. Fast forward to March 2014, just a few months after the USIS hack: OPM would be breached, first announcing that breach in July 2014.
Additionally, consider that the Wellpoint/Anthem, Premera, Empire and CareFirst hacks all had one thing in common: the victims are all part of the Blue Cross Blue Shield Association. BCBS provides healthcare services to the federal workforce.
In the case of the Spring 2015 healthcare breaches, we have reported in the past that the attack nexus was indeed China, likely state-sponsored in nature, and relied upon the Sakula malware to gain initial entry. Additionally, as was the case in the USIS and OPM breaches, similar PII data was targeted (names, employment history, social security numbers, etc.). Taken together, these points suggest correlation rather than mere coincidence.
Were there any previous indications or warning?
In 2014, Novetta and a number of supporting industry organizations including ThreatConnect banded together to produce Operation SMN: Axiom Threat Actor Group Report, a detailed report containing information pertinent to Chinese APT activity with an emphasis on HiKit malware. Of note, the report stated “Among the industries we observed targeted or potentially infected by Hikit [included] Asian and Western government agencies responsible for [a variety of services such as] Personnel Management”.
A statement from such an industry group should have served as a key warning to the government entities charged with conducting personnel management and warehousing PII.
Where did the HiKit Rootkit Originate?
At the 2015 Kaspersky Security Analyst Summit, Kris McConkey of PricewaterhouseCoopers (PwC) UK delivered a compelling presentation based on research by fellow PwC analyst Michael Yip into Chinese threat activity.
McConkey highlighted the development of adversary intelligence surrounding a China-based actor likely responsible for developing the HiKit capability, as well as that actor’s associations with a particular ZoxPNG sample. Both HiKit and ZoxPNG would be considered “tier one” unique custom capabilities, as opposed to lower-end, commonly distributed implants such as ZxShell, PlugX, Gh0st or PoisonIvy.
It is critical to highlight that we are not drawing lines between Axiom / HiKit and the current activity, other than to note that Chinese actors posed a legitimate threat to Western government personnel management organizations. Irrespective of which threat posed the greater risk, there were indications in 2014 that Chinese actors maintained both the capability and the intent to target OPM.
Is the OPM themed infrastructure related?
Based on our current understanding of the attackers and this activity, ThreatConnect suspects that the recent OPM attackers may have chosen the specific infrastructure naming convention (opmsecurity[.]org and opm-learning[.]org) to emulate an official OPM training resource that has been maintained outside of the OPM enterprise for some time. This emulation technique has been observed consistently across these seemingly related events.
If we couple the term OPM with either Security or learning within a .org TLD, we identify the following web resources.
These online training resources fall outside the standard .gov enterprise and, ironically, provide online training and security awareness training services for OPM as well as numerous other federal departments, agencies and commercial clients.
Analyst Comment: Currently there is no evidence that suggests golearnportal[.]org has been co-opted or is compromised in any way.
OPM-LEARNING[.]ORG
As we highlighted in late February, the domain opm-learning[.]org was registered on July 29, 2014 by “tony stark” (vrzunyjkmf@gmx[.]com) and is observed active within pDNS as early as July 30, 2014, resolving to 50.117.38[.]170. This IP belongs to Egihosting (EGI), a company based in California that is known to resell VPS services in China.
EGI’s own description of its network reads: “EGI’s network was designed with redundancy in mind, including a multi-homed setup of upstream providers like Global Crossing, nLayer, HE.NET and Highwinds. Our network has excellent direct connectivity to China and Asian networks and provides optimal routes to both domestic and other international destinations, including the often problematic and congested Chinese and Asian markets.”
It is important to note that OPM first announced the 2014 breach on July 10, 2014. The actors registered opm-learning[.]org 19 days later, on July 29, 2014, and by July 30, 2014 the domain resolved to a domestic VPS service that boasts optimal routes to China. At the time of our reporting in February 2015, we assumed that the opm-learning[.]org infrastructure was a remnant of ongoing OPM 2014 breach activity. We now assess that opm-learning[.]org was likely either:
- Used as a means for the original actors to reconstitute lost access from the initial 2014 breach.
OR
- Used by another group or team which was moving to establish new access.
Needless to say, a 19-day window from the 2014 breach announcement to the establishment of new infrastructure is a noteworthy data point.
OPMSECURITY[.]ORG
On the heels of the recent 2015 OPM breach announcement, we worked with our friends at DomainTools, who helped us apply a custom search technique we had been experimenting with; we shared the notable outputs with our ThreatConnect Community. A refinement of that experiment yielded the domain opmsecurity[.]org.
Retrospective analysis indicates that this domain was registered on April 25, 2014 (four days before We11point[.]com) and that its first observed resolution outside of GoDaddy parking was as early as December 18, 2014, to 148.163.104[.]35, where it remained until June 3, 2015 (a day before the official OPM breach announcement).
According to an official OPM FAQ “the intrusion occurred in December 2014, OPM became aware of the intrusion in April 2015, and became aware of potentially compromised data in May of 2015.” This timeline is congruent with technical observables associated with the opmsecurity[.]org infrastructure. ThreatConnect assesses with high confidence that the opmsecurity[.]org infrastructure was leveraged within the 2015 OPM breach.
The IP address 148.163.104[.]35 also hosted the suspicious No-IP dynamic DNS domains ladygagagaga.serveblog[.]net and jamlitop3.zapto[.]org from April 27, 2015 to early May 2015.
Researching both ladygagagaga.serveblog[.]net and jamlitop3.zapto[.]org, we find that as of June 9, 2015 both C2s resolve to 107.167.75[.]138, belonging to the Chinese VPS provider 370Host[.]net, purportedly within a colocation facility in Phoenix, Arizona.
What malware was used?
ThreatConnect assesses with moderate to high confidence that the opmsecurity[.]org domain was used by a PlugX variant, based on a single VirusTotal URL submission. This URL contains the C2 callback URI structure “/DJMoqoirjvmimzzv/view/update?id=”, which is associated with the malicious DLLs MD5: 683a3e4448b7254d52363d74e8687f36 and MD5: c28ecee9bea8b7465293aeeef4316957. These DLLs are detected by multiple antivirus vendors as PlugX, which is likely an accurate classification considering that the “/update?id=” callback URI segment is specifically associated with the Destroy RAT (aka Sogu) family of malware, the direct precursor to PlugX.
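The callback URI structure above is the kind of observable that can be hunted for in web proxy logs. The following is an added example written for this page, not ThreatConnect’s detection content. It assumes a simple space-separated log format (timestamp, client, method, URL) and a constructed set of log lines; the hosts, IPs and callback path are taken from the post, while the client addresses, the benign CMS request and the 203.0.113.7 host are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Observables quoted in the post.
OPM_CALLBACK_PATH = "/DJMoqoirjvmimzzv/view/update"
KNOWN_C2 = {
    "opmsecurity.org", "148.163.104.35", "46.21.150.165",
    "ladygagagaga.serveblog.net", "jamlitop3.zapto.org", "107.167.75.138",
}
# Generic Sogu/PlugX shape: a path ending in "/update" carrying an "id" parameter.
UPDATE_PATH_RE = re.compile(r"/update$")

# Constructed proxy log: "<timestamp> <client> <method> <url>". The requests to
# opmsecurity.org and 148.163.104.35 use the callback URI the post quotes; the
# other lines are made up, including a benign CMS hit with a similar shape.
SAMPLE_LOG = """\
2015-04-27T10:12:01Z 10.0.0.21 GET http://opmsecurity.org/DJMoqoirjvmimzzv/view/update?id=0a1b2c
2015-04-27T10:12:05Z 10.0.0.21 GET http://148.163.104.35/DJMoqoirjvmimzzv/view/update?id=0a1b2c
2015-04-27T10:13:40Z 10.0.0.33 GET http://www.example.com/index.html
2015-04-27T10:14:02Z 10.0.0.33 GET http://cms.example.com/admin/update?id=42
2015-04-27T10:15:11Z 10.0.0.45 POST http://jamlitop3.zapto.org/foo/update?id=zz
2015-04-27T10:16:30Z 10.0.0.45 GET http://203.0.113.7/DJMoqoirjvmimzzv/view/update?id=ff
"""


def classify(url):
    """Return 'high', 'medium', 'low' or None for one request URL."""
    u = urlsplit(url)
    host = u.hostname or ""
    has_id = "id" in parse_qs(u.query)
    if host in KNOWN_C2:
        return "high"        # any contact with a listed C2 host or IP
    if u.path == OPM_CALLBACK_PATH and has_id:
        return "medium"      # the unique callback path on an unlisted host
    if UPDATE_PATH_RE.search(u.path) and has_id:
        return "low"         # generic Sogu/PlugX callback shape; hunting lead only
    return None


def scan_log(text):
    """Return (client, host, severity) for every line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, _method, url = parts
        sev = classify(url)
        if sev:
            hits.append((client, urlsplit(url).hostname, sev))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The three tiers matter in practice: a bare “/update?id=” path is common in legitimate web applications, so on its own it is a lead to review rather than something to alert or block on; the unique “/DJMoqoirjvmimzzv/view/update” path or a known C2 host is what justifies a response.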
Similar binaries found in VirusTotal are as follows:
- 23DE2AFF9DBE277C7CE6ABBD52E68CE6
- 4CED16CEB9C3BC50787303EC5C4DA0B8
- BDDF02095971F6A309C68CFDFAAA3648
- C51F43F860535CFA9B2F4528A5FE2877
Each of these binaries contains the hardcoded command and control IP address 46.21.150[.]165 (Fremont, California). This IP address also has passive DNS resolution history for the following suspicious domains:
binghomton[.]com
This domain was initially registered by abit572@yahoo[.]com, then switched to a nine-character, likely pseudorandom, GMX registrant, ton0251sx@gmx[.]com. A seemingly random gmx.com registrant is noteworthy considering that a similar registration profile was used for the faux OPM domains listed above. The domain may be a typo-squat referencing Binghamton, a town and state university in New York.
sunnysoldier[.]com
This domain was registered in 2012 by 904726926@qq[.]com, then again on April 16, 2014 by the Chinese reseller “Li Ning” (li2384826402@yahoo[.]com), who has been identified previously in similar activity.
teko.mooo[.]com
This dynamic DNS domain currently resolves to 103.6.207[.]37 (Indonesia).
The use of a GMX registrant and the Li Ning reseller in the overlapping domains closely mirrors the registrant profiles associated with the Sakula campaign activity from the Wellpoint and VAE, Inc. targeting campaigns, as well as the faux OPM domains highlighted above. This leads ThreatConnect to assess with moderate confidence that the PlugX APT malware activity associated with the VirusTotal URL and related hashes is attributable to the actor using Sakula and leveraging the faux OPM domains. The timing of registrations and resolutions between the original July 2014 OPM breach announcement and the 2015 OPM breach announcement is noteworthy.
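The chain of overlaps drawn in this section (callback URI to DLLs, similar binaries to a hardcoded C2 IP, passive DNS to domains, WHOIS to registrants, registrant pattern back to the faux OPM domain) and the timeline congruence claimed for opmsecurity[.]org can both be checked mechanically. The following is an added example written for this page, not ThreatConnect’s analysis tooling. The domains, IPs, e-mails and dates are the ones the post reports (hashes shortened to eight hex digits); the relation labels, the two “uri:” and “profile:” pivot nodes, the choice of which links count as weak, and the exact day boundaries of the OPM stated window are assumptions.

```python
from collections import deque
from datetime import date

# Links between the observables the post reports. Node names are the post's
# domains, IPs and registrant e-mails; hashes are shortened to eight hex digits;
# the relation labels and the "uri:"/"profile:" pivot nodes are mine.
EDGES = [
    # passive DNS: domain <-> IP
    ("opmsecurity.org",            "148.163.104.35", "pdns"),
    ("ladygagagaga.serveblog.net", "148.163.104.35", "pdns"),
    ("jamlitop3.zapto.org",        "148.163.104.35", "pdns"),
    ("ladygagagaga.serveblog.net", "107.167.75.138", "pdns"),
    ("jamlitop3.zapto.org",        "107.167.75.138", "pdns"),
    ("opm-learning.org",           "50.117.38.170",  "pdns"),
    ("binghomton.com",             "46.21.150.165",  "pdns"),
    ("sunnysoldier.com",           "46.21.150.165",  "pdns"),
    ("teko.mooo.com",              "46.21.150.165",  "pdns"),
    # WHOIS: domain <-> registrant e-mail
    ("opm-learning.org", "vrzunyjkmf@gmx.com",     "whois"),
    ("binghomton.com",   "ton0251sx@gmx.com",      "whois"),
    ("sunnysoldier.com", "li2384826402@yahoo.com", "whois"),
    # the callback URI seen in the VirusTotal URL and in two DLLs
    ("opmsecurity.org", "uri:/DJMoqoirjvmimzzv/view/update", "url-submission"),
    ("md5:683a3e44",    "uri:/DJMoqoirjvmimzzv/view/update", "callback-uri"),
    ("md5:c28ecee9",    "uri:/DJMoqoirjvmimzzv/view/update", "callback-uri"),
    # "similar binaries" carrying a hardcoded C2 IP
    ("md5:683a3e44", "md5:23de2aff",  "similar-binary"),
    ("md5:23de2aff", "46.21.150.165", "hardcoded-c2"),
    # shared registrant profile: random-looking gmx.com mailboxes
    ("vrzunyjkmf@gmx.com", "profile:random-gmx", "registrant-pattern"),
    ("ton0251sx@gmx.com",  "profile:random-gmx", "registrant-pattern"),
]
# Relations that are analyst inference rather than a directly observed artifact.
WEAK = {"similar-binary", "registrant-pattern"}


def build_graph(edges):
    """Undirected adjacency list: node -> [(neighbour, relation), ...]."""
    g = {}
    for a, b, rel in edges:
        g.setdefault(a, []).append((b, rel))
        g.setdefault(b, []).append((a, rel))
    return g


def shortest_path(edges, src, dst):
    """BFS over the pivot graph. Returns [(node, relation used to reach it)] or None."""
    g = build_graph(edges)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt, rel in g.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        parent = prev[node]
        path.append((node, parent[1] if parent else None))
        node = parent[0] if parent else None
    return path[::-1]


def weak_links(path):
    """The inferential (not directly observed) hops an attribution path relies on."""
    return [rel for _, rel in path if rel in WEAK]


def overlap_days(a, b):
    """Days shared by two inclusive (start, end) date ranges; 0 if disjoint."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max(0, (end - start).days + 1)


# OPM FAQ: intrusion in December 2014, discovered April 2015 (day boundaries assumed).
OPM_STATED_WINDOW = (date(2014, 12, 1), date(2015, 4, 30))
# opmsecurity.org -> 148.163.104.35, as observed in pDNS per the post.
OPMSECURITY_RESOLUTION = (date(2014, 12, 18), date(2015, 6, 3))
# The dynamic DNS domains' later resolution to 107.167.75.138 (single day observed).
DYNDNS_LATER_RESOLUTION = (date(2015, 6, 9), date(2015, 6, 9))

if __name__ == "__main__":
    path = shortest_path(EDGES, "opmsecurity.org", "opm-learning.org")
    for node, rel in path:
        print(f"{rel or 'start':>20}  {node}")
    print(len(path) - 1, "hops,", len(weak_links(path)), "of them inferential")
    print("days inside OPM stated window:", overlap_days(OPMSECURITY_RESOLUTION, OPM_STATED_WINDOW))
```

Counting the hops is the point: the path from opmsecurity[.]org to opm-learning[.]org is nine hops long and three of them (one “similar binary” judgement and two uses of the shared registrant pattern) are inference rather than a captured artifact, which is consistent with the moderate, rather than high, confidence given to that link above.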
Conclusion:
To many, it may seem absurd that a foreign government would want to gather a database of federal employee PII. Some have noted that this information is likely of greater value to criminal actors, and that it would not be especially helpful for enabling future spearphishing, since social media profiles often hold higher quality intelligence for socially engineering a victim. While all of this is true to varying degrees, consider that we may be looking at this from the narrow perspective of the short term. Building up a PII database could fulfill a number of strategic goals well into the future. The long game strategy is characteristic of Chinese thought, and may very well be what is at play here.