Operation Iron Tiger: How China-Based Actors Shifted Attacks from APAC to US Targets
By Ziv Chang, Kenney Lu, Aaron Luo, Cedric Pernet and Jay Yaneza of the Cybersafety Solutions Team
Key individuals believed to be part of a China-based attack group have been stealing years' worth of valuable government and corporate information: from defense and high-technology organizations in the US since 2013, and from political and government-related entities in China, Hong Kong, and the Philippines since 2010.
This shift in targets is highly notable for the active cyber espionage operation we have dubbed "Operation Iron Tiger." We believe the threat actors simply moved up the food chain and were assigned new, higher-level targets to spy on, all as part of a larger espionage campaign.
US defense contractors are relatively recent targets in the operation's history, which we traced back to spear-phishing in 2010. "Foreign policy," "future of the US Army Officer Corps," and "economic development" are a few of the keywords the threat actors have used in spear-phishing emails aimed at directors and project managers of technology-focused US government contractors.
Figure 1. Global distribution of Iron Tiger’s targets
The threat actors have stolen emails, full Active Directory® dumps, intellectual property, strategic planning documents, and budget- or finance-related content, all of which can be used to undermine the plans of the targeted governments or private organizations. From what we have seen, the total volume of stolen information could reach terabytes. We have seen the actors take as much as 58GB of data from a single target.
Figure 2. Types of data stolen in Operation Iron Tiger
Key individuals using the online aliases PHPXSS, EXENULL, ERSHAO, and MYERSHAO are believed to be spearheading this operation. We found convincing evidence pointing to China as the threat actors' primary location: the use of virtual private network (VPN) servers that only accept registrations from China, Chinese-language file names and passwords, and China-registered domains. By following two of these aliases, "Phpxss" and "Ershao," we were able to attribute operational activity to a key individual physically located in China.
Sharpened Claws: Custom Hacking and Malware Tools
The actors are skilled in both malware and hacking techniques, and they adapted their attacks to the security level of the network they were targeting. Against many targets they relied on well-known targeted-attack remote access tools (RATs) such as PlugX and Gh0st variants.
However, the Operation Iron Tiger actors can use sharper claws when they need to. They kept up with new malware-creation tool releases, used customized tools such as "Dnstunserver," and abused legitimate services such as Blogspot™ and Google Cloud Platform™. Using legitimate services let them blend into traffic that is rarely monitored and quickly change command-and-control (C&C) servers if one was discovered. They also used a code-signing certificate stolen from the Korea-based security company SoftCamp Co., Ltd. to sign their tools, so they could move laterally inside networks without being flagged.
Figure 3. Iron Tiger used this certificate signed on November 22, 2012
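The name "Dnstunserver" points to DNS tunnelling, which the page does not describe in detail. The detector below is an added example, not code from the original post or from the Iron Tiger toolset: it profiles a constructed DNS query log per zone and flags the traffic pattern that tunnelling tools in general produce (every query unique, long high-entropy leftmost labels, replies carried in TXT/NULL/CNAME records). The log lines, client addresses and the zone tun.example.net are all constructed for the example; the thresholds are assumptions to tune against your own resolver logs.

```python
"""Heuristic DNS-tunnel detector run over a constructed DNS query log."""
import hashlib
import math
import re
from collections import defaultdict

# Constructed sample log (not from the report). One query per line: "<client> <qtype> <qname>".
NORMAL_LINES = [
    "10.0.0.5 A www.example.com",
    "10.0.0.5 A www.example.com",
    "10.0.0.7 A www.example.com",
    "10.0.0.5 MX mail.example.com",
    "10.0.0.9 A mail.example.com",
    "10.0.0.9 A autodiscover.example.com",
    # Hashed-looking CDN asset name that is fetched repeatedly: must NOT be flagged.
] + ["10.0.0.%d A a8f3c2e19b7d4f60.cdn.example.org" % c for c in (5, 7, 9, 5, 7)]
# Simulated tunnel traffic: each TXT query carries a chunk of encoded data in a long,
# unique, high-entropy leftmost label. SHA-256 hex stands in for the encoded payload;
# the zone tun.example.net and the client address are hypothetical.
TUNNEL_LINES = [
    "10.0.0.12 TXT %s.tun.example.net" % hashlib.sha256(b"chunk%d" % i).hexdigest()[:52]
    for i in range(8)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + TUNNEL_LINES)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
DATA_QTYPES = {"TXT", "NULL", "CNAME"}  # record types with room for payload in the reply


def parse_line(line):
    """Return (client, qtype, qname) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, qtype, qname = m.groups()
    return client, qtype.upper(), qname.rstrip(".").lower()


def split_qname(qname):
    """Split into (subdomain, zone). Naive rule: the zone is the last two labels,
    so tun.example.net traffic is grouped under example.net. Production code
    should use the public suffix list instead."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads sit near the alphabet's maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_zones(log_text):
    """Aggregate per-zone statistics over every parseable query in the log."""
    zones = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set(),
                                 "len_sum": 0, "entropy_sum": 0.0, "data_qtypes": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qtype, qname = parsed
        sub, zone = split_qname(qname)
        first = sub.split(".")[0]  # the leftmost label is where tunnel payload goes
        st = zones[zone]
        st["queries"] += 1
        st["clients"].add(client)
        st["subdomains"].add(sub)
        st["len_sum"] += len(first)
        st["entropy_sum"] += shannon_entropy(first)
        if qtype in DATA_QTYPES:
            st["data_qtypes"] += 1
    return zones


def score_zone(st, min_queries=5):
    """Turn raw counts into ratios and a verdict; None if there are too few queries to judge."""
    q = st["queries"]
    if q < min_queries:
        return None
    score = {
        "queries": q,
        "clients": len(st["clients"]),
        "unique_ratio": len(st["subdomains"]) / q,  # tunnels almost never repeat a name
        "mean_label_len": st["len_sum"] / q,        # payload needs long labels
        "mean_entropy": st["entropy_sum"] / q,      # and looks encoded
        "data_qtype_ratio": st["data_qtypes"] / q,  # TXT/NULL/CNAME carry the replies
    }
    # All three structural signals must agree; a repeated hashed CDN name fails on uniqueness.
    score["flagged"] = (score["unique_ratio"] >= 0.8
                        and score["mean_label_len"] >= 24
                        and score["mean_entropy"] >= 3.0)
    return score


def detect_tunnels(log_text, min_queries=5):
    """Return {zone: score} for every zone whose traffic looks like a DNS tunnel."""
    flagged = {}
    for zone, st in profile_zones(log_text).items():
        score = score_zone(st, min_queries)
        if score and score["flagged"]:
            flagged[zone] = score
    return flagged


if __name__ == "__main__":
    for zone, score in detect_tunnels(SAMPLE_LOG).items():
        print(zone, {k: round(v, 2) if isinstance(v, float) else v for k, v in score.items()})
```

Run against the constructed log, only example.net is flagged; the `data_qtype_ratio` and `clients` fields are reported rather than used in the verdict because legitimate TXT-heavy zones (mail authentication, service discovery) and single-client zones are common, so they are better treated as triage context than as a trigger.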
Combating Cyber Espionage
We saw cyber spies with digital roots in China target high-technology organizations in the US after spending years extracting information from targets in the Asia-Pacific region, including their own country. The actors stole up to terabytes of data using a mix of known malware, custom hacking tools, and spear-phishing emails. They hacked through the relatively weak defenses of networks that are supposed to protect years of valuable government and corporate research.
In an age when one click or download can unleash a cyber espionage Tiger in your government or corporate network, the time for relying only on weak traditional security solutions has passed. Rely instead on custom defense mechanisms anchored in your organization's own network patterns and nuances. Who knows? The next breach you mitigate might stop attackers from stealing the data they need to cause an economic downturn or a fatal attack on critical infrastructure.