FBI Cyber Notification: Chinese Cyber Espionage Against U.S. Government and Business Networks


FBI Cyber Division FLASH Notification

  • 6 pages
  • March 18, 2015


The FBI is providing the following information with HIGH confidence: The FBI has obtained information regarding one or more groups of cyber actors who have compromised and stolen sensitive business information from US commercial and government networks through cyber espionage. Analysis indicates a significant amount of the computer network exploitation activities emanated from infrastructure located within China. Any activity related to these groups detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.

Technical Details

The FBI is providing the following information with HIGH confidence:

These groups have been observed across a variety of intrusions leveraging a diverse selection of tools and techniques to gain initial access to a victim, including the use of VPN credentials acquired during previous intrusions. These groups have also been observed scanning for web-facing devices which are not fully patched and for which there are publicly known vulnerabilities. These groups also continue to use malicious documents in spearphishing emails which leverage older vulnerabilities such as CVE-2011-0611 (Adobe Flash Player, typically via a SWF embedded in an Office or PDF document) and CVE-2012-0158 (the MSCOMCTL ActiveX control used by Microsoft Office).

Following such an exploit, these groups have recently been observed using a more sophisticated variant of the 9002 Remote Access Trojan, which was previously observed in Operation Aurora and the SunShop campaign. The most recent variant employed a DLL load order hijacking technique and was named ws2_32.dll on the infected system. Because Windows searches an application's own directory before the system directory, placing the malicious ws2_32.dll alongside a susceptible application caused that application to load the 9002 variant instead of the legitimate library, giving the implant both execution and persistence. The variant, which created a mutex named ‘xws2_32’, exported the same functions as the legitimate ws2_32.dll so that the application's legitimate Winsock API calls could be redirected and the host application kept working. The 9002 variant decoded its malicious code sections at runtime; the decoded sections were never written to disk. The initial beacon was transmitted as an HTTP POST request whose body was XOR-encoded with a dynamic 4-byte key starting at offset 0 (the key changed with each subsequent beacon) and then Base64-encoded prior to transmission. The behavior of this 9002 variant was similar to the ‘Diskless 9002 RAT’ referenced in open source reporting.

These groups leverage their initial accesses to gain further access to protected information resources on other systems by collecting legitimate credentials or even misusing legitimate certificates introduced into the compromised system or endpoint. In some cases these groups established automated maintenance routines using standard system administration tools to collect and exfiltrate password hashes on a regular schedule without outside intervention. In other cases, specific tools designed to hijack PKI credentials, such as the “Sykipot” malware, enabled them to harvest and misuse legitimate user certificates. See the SANS report at www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919.

File Information:
Name: 256438747bae78c9101c9a0d4efe5572
Beaconing traffic to: cache.dnsde.com
Details: HOMEUNIX/9002 malware binary encrypted with password “NeverSayDie!”

If the presence of such tools is detected, it should be flagged immediately, given priority for enhanced mitigation, and reported to FBI CyWatch.

Recommended Steps for Initial Mitigation

The FBI and NSA recommend the following mitigation measures be taken within the first 72 hours of detection:

Prepare Your Environment for Incident Response

• Establish out-of-band communication methods for dissemination of intrusion response plans and activities; inform NOCs/CERTs according to institutional policy and SOPs
• Maintain and actively monitor centralized host and network logging solutions, after ensuring that all devices have logging enabled and their logs are being aggregated to those centralized solutions
• Disable all remote access (including RDP and VPN) until a password change for all accounts has been completed
• Turn on enhanced monitoring functionality with high-powered analytics to detect known security events and changes in adversary behavior
• Monitor accounts and devices determined to be part of the compromise to prevent reacquisition attempts