Darwin’s Favorite APT Group

The attackers referred to as APT12 (also known as IXESHE, DynCalc, and DNSCALC) recently started a new campaign targeting organizations in Japan and Taiwan. APT12 is believed to be a cyber espionage group with links to the Chinese People's Liberation Army, and its targets are consistent with larger People's Republic of China (PRC) goals. The new campaigns also highlight a pattern already seen in this group: APT groups pausing and retooling their operations after media exposure, as APT12 did after compromising the New York Times in Oct 2012.

Much like Darwin’s theory of biological evolution, APT12 has been forced to evolve and adapt in order to maintain its mission. FireEye researchers also discovered two possibly related campaigns using two other backdoors, THREEBYTE and WATERSPOUT. Both backdoors were dropped by malicious Microsoft Word documents that exploited a known vulnerability, and these documents were likewise emailed to organizations in Japan and Taiwan. While APT12 has used THREEBYTE before, it is unclear whether APT12 was responsible for the recently discovered THREEBYTE campaign.

Evolution of Tactics

From October 2012 to May 2014, FireEye observed APT12 using RIPTIDE, a proxy-aware backdoor that communicates over HTTP with a hardcoded command and control (C2) server. Following the publication of Arbor Networks' analysis of the Etumbot backdoor (Arbor's name for RIPTIDE), which described its protocol and infrastructure, FireEye observed distinct changes to the backdoor's protocol intended to decrease detection by security vendors. The resulting variant is tracked as HIGHTIDE.

On August 24, 2014, a spear phishing email sent to a Taiwanese government ministry delivered the HIGHTIDE backdoor. The backdoors used in the campaigns against organizations in Japan and Taiwan shared delivery methods and on-disk file paths, suggesting a single, interconnected operation.

Backdoor Families

HIGHTIDE Malware Family

The HIGHTIDE backdoor was delivered by phishing emails carrying malicious Microsoft Word documents that exploited a known vulnerability. Its protocol changes were enough to evade detection keyed to RIPTIDE, while it retained the same core functionality, including communication with its C2 servers.

THREEBYTE Malware Family

The separate campaign using the THREEBYTE backdoor, whose attribution to APT12 remains unconfirmed, showed the same exploitation and delivery pattern, again pointing to a coordinated effort to collect sensitive information from targeted victims in Taiwan.

WATERSPOUT Malware Family

The WATERSPOUT backdoor, observed on August 25, 2014, was delivered with the same spear phishing techniques, document exploit and geographic targeting as the HIGHTIDE campaign, reinforcing the assessment that these campaigns are linked and that adaptability is a defining feature of APT12’s operations.

Adaptability to Public Disclosure

APT12 has repeatedly adapted after public disclosure: the group refines its tools and methods and continues operating, undeterred, over extended periods. This adaptability lets it persistently target and infiltrate organizations in Japan and Taiwan. For defenders the practical consequence is that detections keyed to one variant's strings, URIs or infrastructure have a short shelf life once published, while behavioural traits of the implant tend to survive a retooling.
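The RIPTIDE-to-HIGHTIDE protocol change described under Evolution of Tactics is exactly the kind of retooling that breaks string- and URI-based signatures. As an added example (not FireEye's code and not any APT12 tooling), the script below flags the behaviour that survives such a change: a proxy-aware backdoor polling one hardcoded C2 host on a timer. The log format, host names, addresses, timings and thresholds are all constructed for the example; the backdoors' real URIs, keys and beacon intervals are not given in this article and are not assumed here.

```python
"""Beacon-cadence detection over web-proxy logs.

Added example, not code from FireEye or from any APT12 tooling. A proxy-aware
HTTP backdoor such as RIPTIDE polls a hardcoded C2 host on a timer. When the
operator changes the on-the-wire protocol (the RIPTIDE -> HIGHTIDE retooling),
string and URI signatures break, but the regular cadence of contact with one
external host usually survives. This script flags (client, host) pairs whose
requests arrive at near-constant intervals, regardless of HTTP method or path.
The log format, hosts, addresses and timings below are constructed for the
example (assumption: one request per line, fields separated by single spaces).
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <client_ip> <method> <host> <path> <bytes>".
# 10.1.1.7 polls cdn.example-update.net every ~300 s and switches between GET and
# POST (a protocol change of the kind that defeats a method/URI signature);
# 10.1.1.9 is ordinary, irregular browsing. The last line is deliberately malformed.
SAMPLE_LOG = """\
2014-08-24T09:00:00 10.1.1.7 GET cdn.example-update.net /index.asp 412
2014-08-24T09:00:03 10.1.1.7 GET www.example-news.com /front 18044
2014-08-24T09:05:01 10.1.1.7 GET cdn.example-update.net /index.asp 410
2014-08-24T09:10:02 10.1.1.7 POST cdn.example-update.net /q.asp 415
2014-08-24T09:15:00 10.1.1.7 GET cdn.example-update.net /index.asp 412
2014-08-24T09:20:01 10.1.1.7 POST cdn.example-update.net /q.asp 413
2014-08-24T09:25:00 10.1.1.7 GET cdn.example-update.net /index.asp 411
2014-08-24T09:01:11 10.1.1.9 GET www.example-news.com /front 18044
2014-08-24T09:07:45 10.1.1.9 GET mail.example-corp.com /inbox 2213
2014-08-24T09:12:10 10.1.1.9 GET mail.example-corp.com /inbox 2213
2014-08-24T09:31:02 10.1.1.9 GET www.example-news.com /sports 9711
2014-08-24T09:40:02 10.1.1.9 GET mail.example-corp.com /inbox 2213
2014-08-24T09:58:40 10.1.1.9 GET mail.example-corp.com /inbox 2213
garbage line without the expected fields
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Return a list of (timestamp, client, method, host, path, bytes) tuples.

    Malformed lines are skipped rather than aborting the run: a detector that
    dies on one bad line is easy to blind.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, host, path, size = m.groups()
        events.append((datetime.fromisoformat(ts), client, method, host, path, int(size)))
    return events


def find_beacons(events, min_requests=4, max_cv=0.10):
    """Flag (client, host) pairs whose inter-request gaps are nearly constant.

    cv = population stdev / mean of the gaps. A timer-driven beacon sits well
    under 0.1 even with a little jitter, while human browsing scatters widely.
    Both thresholds are tunable assumptions for this example, not values from
    the article.
    """
    by_pair = defaultdict(list)
    for ts, client, method, host, _path, _size in events:
        by_pair[(client, host)].append((ts, method))

    hits = []
    for (client, host), entries in by_pair.items():
        if len(entries) < min_requests:
            continue
        entries.sort()
        stamps = [ts for ts, _ in entries]
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # only duplicate timestamps; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "client": client,
                "host": host,
                "requests": len(entries),
                "period_s": round(avg),
                "cv": round(cv, 3),
                "methods": sorted({m for _, m in entries}),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the constructed log the only hit is 10.1.1.7 to cdn.example-update.net with a 300-second period and both GET and POST in its request mix; the mixed methods are the point, since a rule written against the earlier variant's GET pattern would have gone quiet after the retooling while the cadence did not. In production the same logic runs over a sliding window per day, and the coefficient-of-variation threshold is tuned against known-good software updaters, which also poll on timers and are the main source of false positives.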

Conclusion

APT12’s evolution from RIPTIDE to HIGHTIDE shows both the group's responsiveness to external scrutiny and its commitment to keeping its cyber-espionage operations effective. The speed with which it retooled after its techniques were disclosed suggests APT12 will keep targeting the same kinds of organizations with new tooling and new pretexts, preserving its access against geopolitical adversaries.

References

  • FireEye. (2014). Darwin’s Favorite APT Group. Retrieved from [FireEye](https://www.fireeye.com/blog/threat-research/2014/09/darwin-s-favorite-apt-group.html)
  • Arbor Networks. (2014). Illuminating The Etumbot APT Backdoor. Retrieved from [Arbor](https://www.arbornetworks.com/news/blog/illuminating-the-etumbot-apt-backdoor/)