A Study of Chinese and Russian APTs

Adam DiStefano, M.S., CEH, CISSP, CCSK
Enterprise Cyber Security Leader | AI Security Strategist & Advisor | AI and Cybersecurity Researcher
One of the biggest threats in the cyber realm is the advanced persistent threat (APT). This paper compares and contrasts Russian and Chinese APTs.

Cyber security is the biggest challenge facing our nation today. Whether protecting our hospitals from ransomware or our financial sector from cyber criminals, the shift in tactics used by our enemies and criminals presents a new set of challenges. One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). An APT is defined by the components that make up its name. The attacks are advanced in that they are extremely sophisticated, often possessing the ability to bypass security layers on a target machine. The attacks are persistent in that the attackers are committed to the long term in order to accomplish their objectives. This means targets are deliberate and have been thoroughly researched. More often than not, targets and objectives are selected well in advance with heavy reconnaissance, as opposed to a target selected at random. After all, APT groups invest time, money, and resources into their attacks, so the return on investment must be worth the effort.

Two nation states that are the biggest perpetrators of APTs are China and Russia. It is notable that since the Stuxnet attack became public, both China and Russia have become powerhouses in terms of cyber capabilities. Unlike the Chinese, who by all measures appear primarily focused on cyber espionage, "most Russian cybercriminals have earned reputations as digital pickpockets more interested in cleaning out other people's bank accounts than making a statement" (Raspopina, n.d.). China is motivated by stealing proprietary information from nongovernmental organizations and governments alike, especially those organizations that feed its military-industrial complex.

China's political structure is unique. While it has certainly embraced capitalism, it is still very much socialist, and political power is controlled by a single-party system. This leads one to postulate that there are very few independent threat actors among Chinese cyber threats, indicating that most APTs are state sponsored. For example, the Naikon APT, which is focused primarily on extracting geopolitical intelligence in the South China Sea, has been linked directly to People's Liberation Army (PLA) Unit 78020, a group of Chinese state-sponsored hackers. According to Pierluigi Paganini, "the missions of the Naikon APT targeted entities in various industries including governments and the military, the hacking crew targeted diplomats, law enforcement, and aviation authorities in many Asian countries such as the Philippines, Malaysia, Cambodia, and Indonesia" (Paganini, 2015).

The Naikon attack begins by sending an unsuspecting target an email with what appears to be a standard Word document. By all appearances the attachment looks like an innocuous document, when in actuality it exploits CVE-2012-0158. According to the National Vulnerability Database, CVE-2012-0158 is a vulnerability that enables "remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability"" (NVD, 2013). In order to propagate, the victim must willingly interact, such as by opening the attachment in the email. Additionally, Kaspersky Lab points out that the Naikon APT "also spoofs fake file extensions, use RTLO (Right To Left Override, or, embedding a special Unicode character in a filename to make the real file extension reversed), or extra spacing (like "letter to Gov office.doc .exe" including up to 200 spaces). Finally, to increase the probability that the attached executable will be opened, they also modify file icons to look like word documents. While these were simple techniques, they were very effective against target organizations" (Legezo, 2015). What makes this so sophisticated is that the injected malicious code is not stored on disk; rather, it is held in memory. This is very helpful in avoiding security controls put in place on the target system.
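A mail gateway or triage script can catch the three filename tricks described above (the RTLO override, whitespace-padded double extensions, and an executable extension hiding behind a document icon). The following is an added example written for this article, not code from Kaspersky or the cited reports; the extension lists and the sample attachment names are constructed assumptions.

```python
import re

# Unicode bidi controls; U+202E (Right-To-Left Override) is the one Naikon abused.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}
# "<ext>" + optional whitespace run + "<ext>" at the very end of the name
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})(\s*)\.([A-Za-z0-9]{1,5})$")

def real_extension(name: str) -> str:
    """Extension the OS actually acts on: text after the last dot, whitespace stripped."""
    _, dot, ext = name.rpartition(".")
    return ext.strip().lower() if dot else ""

def as_displayed(name: str) -> str:
    """Approximate what a file browser renders: text after U+202E is drawn reversed
    until U+202C (pop) or end of string; the control characters themselves are invisible."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            j = name.find("\u202c", i + 1)
            j = len(name) if j == -1 else j
            out.append(name[i + 1:j][::-1])
            i = j + 1
            continue
        if name[i] not in BIDI_CONTROLS:
            out.append(name[i])
        i += 1
    return "".join(out)

def check_attachment_name(name: str) -> list:
    """Findings explaining why the name looks deceptive; [] means nothing found."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-override")
    m = DOUBLE_EXT.search(name)
    if m and m.group(1).lower() in DOCUMENT_EXTS and m.group(3).lower() in EXECUTABLE_EXTS:
        pad = len(m.group(2))
        findings.append("double-extension-padded-%d" % pad if pad else "double-extension")
    ext = real_extension(name)
    if ext in EXECUTABLE_EXTS:
        findings.append("executable:" + ext)
    return findings

# Constructed sample attachment names, not real Naikon samples.
SAMPLES = ["quarterly report.docx",
           "letter to Gov office.doc" + " " * 200 + ".exe",
           "invoice\u202Ecod.exe",
           "agenda.pdf.scr"]
```

Running `check_attachment_name` over `SAMPLES` flags the last three; `as_displayed` shows the RTLO name as the user would see it, ending in ".doc" while the real extension is "exe".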

Naikon was very successful in using targeted spear phishing campaigns to gain access to critical information from many foreign governmental entities. It is important to note that Naikon also targeted other APT groups. In 2014, another Chinese APT group, code named Hellsing, was targeted by a Naikon spear phishing attack. This was discovered by Kaspersky Lab when "experts noticed that one of Naikon's targets had spotted the attempt to infect its systems with a spear-phishing email carrying a malicious attachment" ("The Chronicles of Hellsing: A Spy vs Spy Story", 2015). The discovery of the Hellsing APT group is itself very interesting.

Hellsing uses spear phishing email attacks directed at governmental organizations and diplomatic agencies, such as foreign embassies. It wasn't until Naikon targeted Hellsing that anyone knew of their existence. It was reported that "the target questioned the authenticity of the email with the sender and, apparently dissatisfied with the reply, did not open the attachment. Shortly thereafter the target forwarded to the sender an email containing the target's own malware. This move triggered Kaspersky Lab's investigation and led to the discovery of the Hellsing APT group" ("The Chronicles of Hellsing: A Spy vs Spy Story", 2015).

Hellsing uses archive files to deliver its attack. RAR, ZIP, and 7ZIP files have reportedly been used. According to Raiu and Golovkin, "the 7ZIP archives with passwords were probably introduced as a way to bypass the recent security features on Gmail, which block password-protected archives with executables inside" (Raiu & Golovkin, 2015). The backdoors delivered inside these archives allow the malware to upload and download files, self-update, and self-destruct.

Russian APT groups are much more sophisticated than their Chinese counterparts. Most APTs need to operate both domains and servers as a means of command and control. The Russian Turla APT, however, has found a way to avoid detection by intercepting data from satellite Internet providers. This attack succeeds because data packets transmitted on the downstream link are completely unencrypted. As Stefan Tanase explains, "once an IP address that is routed through the satellite's downstream link is identified, the attackers start listening for packets coming from the Internet to this specific IP. When such a packet is identified, for instance a TCP/IP SYN packet, they identify the source and spoof a reply packet (e.g. SYN ACK) back to the source using a conventional Internet line" (Tanase, 2015).

Turla and Epic Turla both use a number of methods to propagate their attacks. For starters, they also use spear phishing attacks aimed at exploiting Adobe PDF vulnerabilities. Additionally, Turla and Epic Turla both use watering hole attacks built on the Java exploit CVE-2012-1723, Flash exploits, and exploits for Internet Explorer versions 6, 7, and 8 ("The Epic Turla Operation", 2014). Turla and Epic Turla were primarily focused on cyber espionage targeting academic and research facilities, governmental organizations, pharmaceutical companies, the military, and foreign diplomatic entities.

Another Russian APT, dubbed APT29, uses a very sophisticated backdoor code named Hammertoss. This APT uses social media platforms such as Twitter, repositories such as GitHub, and popular cloud storage services, posing as legitimate account holders. This is effective in that "APT29 tries to undermine the detection of the malware by adding layers of obfuscation and mimicking the behavior of legitimate users" ("Hammertoss: Stealthy Tactics Define a Russian Cyber Threat Group", 2015). As Michael Mimoso explains, "once APT29 has access to a target network and deems it worthy, it deploys Hammertoss, which communicates through URLs seeded in social media accounts—Twitter in particular—and makes use of steganography in images stored on GitHub or compromised websites to retrieve encrypted instructions" (Mimoso, 2015).

The 2015 report by FireEye (one of the leading providers of cyber security solutions) postulates that this APT is Russian government sponsored "because of the organizations it targets and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St. Petersburg" ("Hammertoss: Stealthy Tactics Define a Russian Cyber Threat Group", 2015).
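The working-hours reasoning FireEye applied can be reproduced against one's own telemetry: convert event timestamps into each candidate time zone and see which one puts the most activity inside a working day. The following is an added example written for this article, not FireEye's or anyone else's tooling; the beacon timestamps and the one-day holiday list are constructed, and the 09:00 to 18:00 working day is an assumed threshold.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

MSK = timezone(timedelta(hours=3))  # UTC+3, the offset FireEye cited (Moscow, St. Petersburg)

# Constructed sample: UTC timestamps of C2 beacons, not real APT29 telemetry.
EVENTS = [
    "2015-06-01T06:15:00", "2015-06-01T07:40:00", "2015-06-01T08:05:00",
    "2015-06-02T09:30:00", "2015-06-02T10:10:00", "2015-06-02T11:55:00",
    "2015-06-03T12:20:00", "2015-06-03T13:45:00", "2015-06-03T14:30:00",
    "2015-06-04T10:00:00", "2015-06-04T12:00:00", "2015-06-04T14:50:00",
]
# Russia Day (12 June) used here as the only holiday in the check list.
RUSSIAN_HOLIDAYS = {"2015-06-12"}

def to_local(ts_utc: str, tz: timezone) -> datetime:
    """Parse an ISO 8601 UTC timestamp and convert it into the candidate zone."""
    return datetime.fromisoformat(ts_utc).replace(tzinfo=timezone.utc).astimezone(tz)

def hour_histogram(events_utc, tz) -> Counter:
    """Events per local hour of day (0-23) under the candidate zone."""
    return Counter(to_local(ts, tz).hour for ts in events_utc)

def business_hours_fraction(events_utc, tz, start=9, end=18) -> float:
    """Share of events that fall inside a local working day [start, end)."""
    hist = hour_histogram(events_utc, tz)
    total = sum(hist.values())
    inside = sum(n for h, n in hist.items() if start <= h < end)
    return inside / total if total else 0.0

def best_fit_offset(events_utc, offsets=range(-12, 15)) -> int:
    """UTC offset (whole hours) under which the most events land in business hours."""
    return max(offsets, key=lambda o: business_hours_fraction(
        events_utc, timezone(timedelta(hours=o))))

def active_days(events_utc, tz) -> set:
    """Local calendar days with any activity; intersect with a holiday list."""
    return {to_local(ts, tz).date().isoformat() for ts in events_utc}

if __name__ == "__main__":
    print("best offset:", best_fit_offset(EVENTS))                       # 3
    print("on holidays:", active_days(EVENTS, MSK) & RUSSIAN_HOLIDAYS)   # set()
```

On the constructed sample every beacon lands between 09:00 and 18:00 only under UTC+3, so that offset wins; on real data the same histogram would be compared against several candidate zones before drawing any conclusion.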

There is a commonality among all of these APTs, whether originating in Russia or China: they all count on the weakest link in any organization, the human element. Social engineering has been the catalyst for most successful cyber attacks. One of the most successful ways to help mitigate the risk of falling victim to an APT is employee training on email policies. There are also a number of controls that can be implemented to help protect against APT attacks. Whitelisting, for example, has been shown to mitigate up to 85% of intrusion attempts when coupled with other defense mechanisms. Ensuring that all operating systems and third-party applications are updated and patched for security flaws is also paramount to the defense posture of any organization or individual. Lastly, it is always good practice to operate by the principle of least privilege. By implementing these strategies in conjunction with a quality defense-in-depth approach to securing critical information, organizations will be better poised to defend against advanced persistent threats.

HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. (2015, July). Retrieved June 24, 2016.

Legezo, D. (2015, May 14). Beating one of the most active APTs in Asia? Whitelisting, heuristics, and more... Retrieved June 24, 2016.

Mimoso, M. (2015, July 29). New Hammertoss Espionage Tool Tied to MiniDuke Gang. Retrieved June 25, 2016.

Paganini, P. (2015, September 25). Naikon APT Group backed by the Chinese PLA Unit 78020. Retrieved June 20, 2016.

Raiu, C., & Golovkin, M. (2015, April 15). The Chronicles of the Hellsing APT: The Empire Strikes Back. Retrieved June 24, 2016.

Raspopina, S. (n.d.). Slipping through the net: Russian hackers vs the world. Retrieved June 20, 2016.

Tanase, S. (2015, September 9). Satellite Turla: APT Command and Control in the Sky. Retrieved June 25, 2016.

The Chronicles of Hellsing: A Spy vs Spy Story. (2015, April 15). Retrieved June 24, 2016.

The Epic Turla Operation. (2014, April 7). Retrieved June 24, 2016.

Vulnerability Summary for CVE-2012-0158. (2013, March 06). Retrieved June 22, 2016.