Front companies for Chinese and Iranian APTs doxxed

Written by

Brett Winterford
Brett Winterford

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

The FBI is doxxing APTs like there’s no tomorrow

The US Department of Justice has doxxed over 50 state-sponsored hackers from China and Iran in a spree of indictments and sanctions.

The indictments exposed ‘front companies’ for intelligence services in both countries that engage in cybercrime and espionage operations. They included:

  • The indictment of three employees and two freelancers that worked for Chengdu 404, a Chinese front company for APT41/Barium;
  • The indictment and arrest of two Malaysians accused of helping Chengdu 404 launder digital currency stolen in attacks;
  • Sanctions against an Iranian company (‘Rana’) accused of being a front for APT39/Chafer, and sanctions against 45 Rana staff;
  • The indictment of two Iranians (one connected to APT34/OilRig) accused of hacking for the country’s intelligence services and profiting from the sale of stolen data;
  • The indictment of a further three Iranians connected to Elfin/APT33 that attacked global targets in the aerospace industry.

The allegations are detailed in separate items below.

APT41 named, China shamed in indictments

The US Department of Justice has outed the front company for APT41 (aka Barium), naming five of its hackers in indictments and announcing the arrest of two Malaysian accomplices that helped launder funds for the organisation.

Three public indictments put a name (‘Chengdu 404’) and five faces to one of the world’s most capable hacking teams. The indictments put to bed any lingering doubts about whether the same crew that hacked and defrauded video game companies also performed stunning software supply-chain attacks and hacked telcos to slurp up the communications of dissidents living abroad. The answer is yes, yes, yes, and then some.

Prosecutors chose to focus on the group’s criminal activity in the indictments and didn’t explicitly allege that Chengdu 404’s illicit activities were ‘state sponsored’. But there is sufficient evidence in the documents to conclude that the “penetration testing company” is routinely tasked by the MSS.

The most recent activity mentioned in the indictments were attacks on pro-democracy groups and universities during the 2019 and 2020 protests in Hong Kong. Separatist groups, universities and state-owned enterprises in Taiwan were also targets. Foreign telcos were hacked to intercept SMS messages exchanged between the Uyghur and Tibetan diaspora.

In one intercepted conversation, a Chengdu 404 hacker boasted of his close relationship with the Ministry of State Security (intelligence services) that protected the company from running into issues with the Ministry of Public Security (domestic law enforcement). “These are the breadcrumbs that show these hackers are proxies for the Chinese Government,” Acting US Attorney Michael Sherwin told reporters at a media conference.

Chengdu 404 funded its operation through criminal schemes: cryptojacking, ransomware and the defrauding of video game companies. The team was also alleged to have hacked software companies to distribute malware to their customers. The use of ShadowPad malware connects the group to software supply-chain attacks that compromised Asus, CCleaner and Netsarang, among others. It also adds to a growing base of evidence (long-disputed) that APT41 compromised TeamViewer’s network between 2015 and 2017. A mid-2018 post-incident report into the hacking of the CCleaner network concluded that attackers used valid staff TeamViewer credentials for initial access. The description of a compromised “electronic communications service provider” on page 11 of the Chengdu 404 indictment matches TeamViewer to a T.

Prosecutors allege the hackers broke into at least six video game companies and modified database entries to add ‘credits’ (in-game currency) to player accounts that were set up by two co-conspirators in Malaysia. The co-conspirator’s business, SEA Gamer Mall, sold those credits to other players in online forums and gave a cut of the proceeds to their hacker friends in the form of hard currency and Visa gift cards.

The two Malaysian principals of SEA Gamer Mall have been arrested and US authorities have applied to extradite them. Malaysian authorities are yet to express opposition to the extradition, which will test the country’s strong relationship with China.

The FBI released indicators defenders can use to hunt for APT41 activity in a TLP:White advisory (PDF).

Iranian hackers pummelled with sanctions and indictments

The United States also doxxed dozens of Iranian hackers in a rapid-fire release of indictments and sanctions.

US Treasury outed Rana Intelligence Computing Company as a front company for Iranian group APT39 (aka Chafer), designating it “owned or controlled” by Iran’s Ministry of Intelligence and Security (MOIS). Forty-five Rana staff and the Rana operating entity are now subject to US sanctions.

Rana was accused of hacking foreign governments and airlines (including 15 travel-related companies in the US) in espionage campaigns that wouldn’t be uncharacteristic for Western intelligence services. Unlike Western agencies, however, APT39 was also tasked by MOIS to “exploit, harass, and repress their fellow citizens” in domestic attacks on journalists, dissidents and academics.

The FBI uploaded eight samples of APT29/Chafer malware to VirusTotal and shared technical indicators for how to detect APT29 activity in a TLP:White advisory [pdf].

Separately, the DoJ indicted two Iranian nationals blamed for a long series of hacking operations against Iran’s principal adversaries (Israel, Saudi Arabia and the US). Hooman Heidarian and Mehdi Farhadi were alleged to have worked for Iran’s intelligence services, but also profited from attacks by selling data that wasn’t of use to their sponsors in online forums. Farhadi was among several Iranian hackers doxxed in a mysterious leak of Iranian malware in May 2019, which linked him to APT34 (aka OilRig).

Three other Iranian nationals were indicted for hacking aerospace targets in Australia, Israel, Singapore, the UK and US in activities linked to Elfin/APT33. The team’s ring-leader Pourkarim Arabi bragged in his CV about working for Iran’s Islamic Revolutionary Guards Corp (ISRG), and even listed a few trophy hacks he was especially thrilled with. Arabi allegedly gave orders to the two other indicted Iranians, Mohammad Reza Espargham (of OWASP fame) and Mohammad Bayati. The FBI published a handful of indicators related to these individuals in a TLP:White advisory [pdf].

Don’t forget the Russians

While the US didn’t go after agents of the Russian State this week (that’s a career-limiting move in the current climate), the DoJ did unseal indictments and imposed sanctions on two Russian cybercriminals.

Russians Danil Potekhin and Dmitrii Karasavidi were accused of setting up phishing websites for numerous cryptocurrency exchanges, stealing user credentials and making off with US$16m in digital currency. US authorities clawed back US$6 million and an undisclosed value of stolen digital currency.

Ransomware attack linked to death in Germany

Prosecutors in Germany are investigating whether a ransomware crew could be charged with ‘negligible homicide’ after an attack on Heinrich Heise University infected the systems of the University Hospital (Uniklinik Düsseldorf).

A patient turned away from the University Hospital was redirected to a hospital in nearby Wuppertal, and died before she could be treated.

The ransom note was reportedly addressed to the University. When investigators told the attackers their operation also disrupted the University hospital, the attackers replied with a decryption key. But by then, the damage was done.

A known vulnerability in Citrix network gateways (CVE-2020-19781) was used for initial access to the university network. That bug was first disclosed in December 2019 and wasn’t fully patched until late January 2020. The hospital claims to have applied mitigations and patches as they became available, but as we reported in early July, attackers had already backdoored many Citrix boxes before patches were applied.

Trump’s TikTok fix borrows from China’s playbook

US President Donald Trump has backed a ByteDance proposal that gives Oracle (12.5%) and Walmart (7.5%) stakes in TikTok Global, a new entity that will be set up to manage TikTok users outside of China.

The deal was struck in response to a Trump Executive Order that would have banned further TikTok downloads via US app stores from Sunday night. The CFIUS granted a one-week reprieve for compliance with the order to give the parties time to formalise the deal.

Under the proposed terms, TikTok Global would list on a US stock exchange within 12 months and US investors would get four of the company’s five board seats. Data on America’s 100 million TikTok users would be hosted in Oracle’s US data centres, and ByteDance’s TikTok source code would be ‘subject to review’ (but not controlled) by Oracle.

The proposal is subject to review by Chinese authorities.

None of these measures would do much to mitigate the national security concerns Trump seized on to justify his Executive Order. TikTok’s IP would continue to be developed by ByteDance in China. There are outstanding questions around how TikTok’s recommendation engine would be maintained without developer access to user data or how the US-based entity would prevent ByteDance (and by extension, the PRC) determining what content is recommended or shadowbanned.

Further, the prospect of the US President unilaterally deciding which of his supporters gets to own a cut of foreign businesses operating in America has serious implications for foreign investment in the United States. Trump has ceded America’s high ground in debates about data privacy and digital sovereignty: Chinese State Media wryly points out that he’s endorsing the sort of crony capitalism Western companies have long complained of when seeking to do business in China or Russia.

Meanwhile, a US court placed a temporary injunction on a Trump order that would have blocked WeChat American users from receiving updates through US app stores. Shannon Vavra at CyberScoop reports that the ban would result in buggy, vulnerable apps and create incentives for running jailbroken devices or downloads of phoney WeChat apps riddled with malware and adware. The potential for harm outweighs what good could come of this.

CISA demands admins spend (another) weekend patching

CISA issued another emergency directive late Friday that demanded US government agencies patch the Netlogon bug (CVE-2020-1472) by Monday night (September 21) at the latest.

The NSA echoed the warning and its panic is warranted. First, the Netlogon flaw was incorporated into Mimikatz over the weekend. And second, Fox-IT researcher Dirk-jan Mollema discovered ways to combine exploitation of the bug with known quirks in Microsoft’s Print System Remote Protocol (“SpoolSample”, lol).

Mollema’s research is significant: when an attacker exploits the Netlogon bug to change the machine password for the domain controller to something out of sync with the domain password, they risk setting off a cascading set of noisy issues. Mollema’s approach will be safer and stealthier.

Three reasons to actually be cheerful this week:

  1. Android stalkerware banned: Google pledged to ban Android apps designed expressly to monitor other user devices. Exceptions are made for apps that include “adequate notice or consent” of tracking capabilities and that display a “persistent notification” when a user is being monitored.
  2. Be nice to hackers: The UK NCSC published a vulnerability disclosure toolkit to share best practices on how organisations should engage with security researchers.
  3. What sorcery is this? The NSA released a technical guide to customising UEFI Secure Boot to help protect against rootkits. It can be done: you just have to be a total wizard to do it at scale.

Shorts

InfoSec journalists are spoiling all the fun

Mozilla has shuttered its ‘Send’ file-sharing service after InfoSec newshound Catalin Cimpanu at ZDNet drew attention to how often the service was abused to host malware. Microsoft also removed a ‘file download’ feature from Windows Defender after Lawrence Abrams at Bleeping Computer demonstrated how it could be used to install malware.

DDoS extortionists are all bark and no bite

France’s national CERT (CERT FR) warned about the DDoS extortion attacks mentioned in our last two newsletters, with a very juicy caveat: in attacks it has seen so far, organisations that ignored the ransom demands weren’t attacked again after being hit with demonstrative attacks.

China-backed bidder wins 5G spectrum in the Philippines

The Philippines has licensed 5G spectrum to DITO, a new telco 40% owned by China Telecom and 60% owned by a Filipino billionaire backed by Chinese investment. But fear not, the company hired Fortinet to manage its cybersecurity.

Huawei’s pinky promise

Huawei has submitted a pledge to Canadian authorities that it won’t “spy or include any backdoors” in its kit if Canadian companies use it.

Dark times ahead for Dark Overlords

A 39-year old British man was sentenced to five years prison for his role in The Dark Overlord (TLO), a hacking collective that threatened to leak data stolen from its victims if they didn’t pay a ransom. Craftier hackers have since improved on that business model.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at editorial@risky.biz.