Japanese Orgs Hacked ‘by China’ in Long, Widespread Campaign

Chinese state-backed threat actors have been busily hacking Japanese businesses for at least a year. The hacking group is fingered by researchers as APT10—aka POTASSIUM, Red Apollo, Menupass, Stone Panda or Cloud Hopper.

The goal appears to be espionage. Attacks aren’t limited to Japan itself, but have been spread across the world—including the U.S., the UK, India and Germany.

Here we go again. In today’s SB Blogwatch, we get déjà vu—and 既視感.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: amazing reconstruction.

Stop Monkeying Around

What’s the craic? Charlie Osborne effects this report—“Hacking group exploits ZeroLogon in automotive, industrial attack wave”:

 The active cyberattack is thought to be the handiwork of Cicada, [aka] APT10, Stone Panda, and Cloud Hopper, [which] the US believes may be sponsored by the Chinese government. … Researchers have documented [Japanese] companies and their subsidiaries in 17 regions, involved in automotive, pharmaceutical, engineering, and the managed service provider (MSP) industry, which have been recently targeted by Cicada.

Cicada’s latest attack wave has been active since mid-October in 2019 and has continued up to at least October this year. [It] appears to be well-resourced and uses a variety of tools and techniques.

It appears that the group is focused on the theft of information and cyberespionage. Data of interest [include] corporate records, HR documents, meeting memos, and expense information.

And Sergiu Gatlan adds—“Chinese APT10 hackers use Zerologon exploits against Japanese orgs”:

 The attacks were discovered by Symantec researchers after the detection of suspicious DLL side-loading activity on a customer’s network. … APT10 attackers were also observed using Zerologon exploits to steal domain credentials and take full control over the entire domain following successful exploitation of vulnerable devices.

The U.S. Government indicted two APT10 hackers in December 2018, showing that the group successfully compromised NASA’s Jet Propulsion Laboratory, U.S. Government agencies, managed service providers (MSPs) — including IBM and Hewlett Packard Enterprise. … Following this indictment, all countries in the Five Eyes Intelligence Alliance (the US, Canada, the UK, New Zealand, and Australia) issued statements attributing intellectual property and sensitive commercial data theft to the Chinese APT group.

Who found it? Symantec’s Threat Hunter Team—“Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign”:

 A large-scale attack campaign is targeting multiple Japanese companies, including subsidiaries located in as many as 17 regions around the globe in a likely intelligence-gathering operation. … The campaign is very wide-ranging. …The companies hit are, in the main, large, well-known organizations.

The scale and sophistication of this attack campaign indicates that it is the work of a large and well-resourced group. … The targeting of multiple large organizations in different geographies at the same time would require a lot of resources and skills that are generally only seen in nation-state backed groups. [We have] enough evidence to attribute it to Cicada, [which] has historically been known to target Japan-linked organizations.

The attackers were also seen deploying a tool capable of exploiting the ZeroLogon vulnerability (CVE-2020-1472). The critical elevation-of-privilege vulnerability was first disclosed and patched on August 11, 2020, and can allow attackers to spoof a domain controller account … and completely compromise all Active Directory identity services.

Japan-linked organizations need to be on alert as it is clear they are a key target of this sophisticated and well-resourced group. … Cicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous.

But why Japan? thinkreal really thinks about it:

 Japan is a major economic power and industry competitor in areas China likes. This is focused espionage.

While their software and network techniques might be generically applicable, their targets are select.
This group likely invests research and local resources in Japan, possibly enlisting Japanese staff.

Wait. Pause. We’re just going to take it on trust that this is China? Anonyrnous ain’t no covvard: [You’re fired—Ed.]

 Be extremely suspicious of propaganda claiming to know the existence and origin of a hack. The origin of a hack is almost irrelevant. If there are vulnerabilities, someone will hack them. Whether it’s a government actor or a ransomware ***hole is neither here or there. Leaked information is leaked.

China wasn’t our enemy until the US decided to have a trade war in the vain hope of shutting the gate after the horse had bolted, kicked the farmer’s head off and **** down his neck hole.

Some of these attacks were on U.S. soil. This means war! jhodge stretches the point:

 “War” might be a bit of a stretch, but censure, sanctions, and reprisals short of war may well be called for. … We need government to step up and provide some deterrence.

In no other realm than cybersecurity do we expect private individuals and organizations to protect themselves against foreign nations. Yes, everyone should patch, follow best practice, least privilege, etc. OTOH, if your adversary is willing to burn a 0-day or two, all the patches and signatures in the world won’t save you.

Pretty hypocritical, given that U.S. agencies also hack foreigners. thereddaikon asks the obvious question:

 And? That’s how the game is played.

Of course I’m going to be angry when someone does unto us when we’ve been doing unto others. You call it hypocrisy. I call it realpolitik.

Don’t be naïve. One of the core purposes of the state of to look out for the wellbeing and prosperity of its citizens. That includes playing unfair with other nations.

If you think for a second that your nation doesn’t do it too … then you are wrong. … Everyone does it. Stop acting like we are the bad guys because we do it too.

So what to do? This Anonymous Coward offers an immodest proposal:

 Could we just cut China’s internet from the rest of the world until they learn to behave?

Meanwhile, set the Wayback machine to Stun, as woodturner channels Ted Stevens:

 The internet is a series of tubes. We could fill them up with potatoes or cement and then China couldn’t send their stuff. You’re welcome.

And Finally:

A fascinating forensic reconstruction of the Beirut Port explosions

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Steven Diaz (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 615 posts and counting.See all posts by richi

Secure Coding Practices