APT15 hacking group linked to Chinese intelligence accused of hacking UK government contractor and stealing military secrets

Google Cloud used by Chinese hackers as part of command and control infrastructure for nation-state attack, claims NCC Group

A hacking group linked to Chinese intelligence is believed to have penetrated a UK government contractor and stolen information about military technology.

That's according to NCC Group, which has revealed the incident after it was called in during May last year. It claims that the Chinese hacking group known as APT15 - but which is also referred to as Ke3chang, Mirage, Vixen Panda, GREF and Playful Dragon - was after information related to UK government departments and military technology.

In its investigation, it found new backdoors that it labelled RoyalCli and RoyalDNS used by the group, in addition to BS2005, a tool that the group has traditionally been linked with.

"RoyalCli and BS2005 both communicate with the attacker's command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2," explained NCC Group in an analysis.

Analysis of the domains and IP address infrastructure used by APT15 identified a number of similar possible domains that appeared to be hosted on either Linode or Google Cloud.

"All of the backdoors identified - excluding RoyalDNS - required APT15 to create batch scripts in order to install its persistence mechanism. This was achieved through the use of a simple Windows run key. We believe that APT15 could have employed this technique in order to evade behavioural detection, rather than due to a lack of sophistication or development capability," it continued.

"Additional tools were recovered during the incident, including a network scanning/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as 'spwebmember'.

"Spwebmember was written in Microsoft .NET and includes hardcoded values for client project names for data extraction. The tool would connect to the SQL SharePoint database and issue a query to dump all data from the database to a temporary file affixed with 'spdata'. The group also used keyloggers and their own .NET tool to enumerate folders and dump data from Microsoft Exchange mailboxes.

"APT15 was also observed using Mimikatz to dump credentials and generate Kerberos golden tickets. This allowed the group to persist in the victim's network in the event of remediation actions being undertaken, such as a password reset."

However, once discovered and ejected from the network, APT15 did not give up, according to NCC Group, regaining access via the corporate virtual private network (VPN) using a stolen certificate that they had extracted from a compromised host.

"This time, APT15 opted for a DNS based backdoor: RoyalDNS. The persistence mechanism used by RoyalDNS was achieved through a service called 'Nwsapagent'."

The command and control of this backdoor "was performed using the TXT record of the DNS protocol. C2 was communicating with the domain 'andspurs[.]com'".
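A hunting sketch for the persistence and C2 traits NCC Group describes above (the Run key written from batch scripts, the 'Nwsapagent' service and TXT-record C2), added here as an example and not taken from NCC Group's published scripts. The event schema, the `cmd.exe`/`reg.exe` writer list, the TXT-volume threshold and the sample events are assumptions constructed for illustration; the volume check generalises beyond the one reported domain.

```python
from collections import Counter

# Indicators named in the article; the domain stays defanged in source.
C2_DOMAIN = "andspurs[.]com".replace("[.]", ".")
SERVICE_NAME = "nwsapagent"
RUN_KEY = r"\software\microsoft\windows\currentversion\run"  # also matches RunOnce
SCRIPT_HOSTS = {"cmd.exe", "reg.exe"}  # assumption: how a batch script writes the key

def registered_domain(qname):
    """Naive last-two-labels domain (assumption: adequate for this sketch)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def hunt(events, txt_threshold=3):
    """Return sorted (host, finding) tuples from normalised telemetry dicts."""
    findings, txt_counts = set(), Counter()
    for e in events:
        kind, host = e["kind"], e["host"]
        if kind == "reg_set" and (RUN_KEY in e["key"].lower()
                                  and e["process"].lower() in SCRIPT_HOSTS):
            findings.add((host, "run-key set by script host"))
        elif kind == "service_install" and e["name"].lower() == SERVICE_NAME:
            findings.add((host, "service named Nwsapagent"))
        elif kind == "dns" and e["qtype"] == "TXT":
            dom = registered_domain(e["qname"])
            if dom == C2_DOMAIN:
                findings.add((host, "TXT query to reported C2 domain"))
            txt_counts[(host, dom)] += 1
    for (host, dom), n in txt_counts.items():
        # Volume heuristic: many TXT lookups from one host to one domain.
        if n >= txt_threshold and dom != C2_DOMAIN:
            findings.add((host, f"repeated TXT queries to {dom}"))
    return sorted(findings)

# Constructed sample events (hypothetical hosts; not from the NCC Group report).
SAMPLE = [
    {"kind": "reg_set", "host": "WS01", "process": "cmd.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"kind": "reg_set", "host": "WS02", "process": "msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Agent"},
    {"kind": "service_install", "host": "SRV01", "name": "Nwsapagent"},
    {"kind": "dns", "host": "SRV01", "qtype": "TXT", "qname": "a1." + C2_DOMAIN},
    {"kind": "dns", "host": "WS02", "qtype": "A", "qname": "www.example.org"},
] + [{"kind": "dns", "host": "WS03", "qtype": "TXT",
      "qname": f"q{i}.example.net"} for i in range(3)]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE):
        print(f"{host}: {finding}")
```

Mail and anti-spam hosts issue many legitimate TXT lookups (SPF, DKIM), so the volume threshold needs tuning or an allowlist before use on real resolver logs.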

Due to the nature of the IE injection technique used by the HTTP-based backdoors, "a number of C2 commands were cached to disk. We were able to recover these files and reverse engineer the encoding routine used by the backdoors in order to uncover the exact commands executed by the attacker.

"In total, we were able to recover more than 200 commands executed by the attacker against the compromised hosts and were able to gain a clear insight into the attacker's TTPs."

The decode scripts have been uploaded to NCC Group's GitHub page.

"Espionage by foreign governments should not come as a shock to anyone, these days," commented Andy Norton, director of threat intelligence at Lastline.

He continued: "These attack tools have been associated with a group that targeted foreign affairs ministries in the past. We do not know if the attack is limited to the UK at this point.

"The wide range of tools used suggests a requirement for many capabilities in the target network. From this, we can infer that intellectual property was the target of the attack."

He also indicated that GDPR might represent a legal complication when it comes to notifying the authorities about such an attack: "Whether this would be considered a GDPR breach depends on the type of data exfiltrated.

"If policy strategy was the target of the attack, then no personally identifiable data would have been impacted under GDPR regulation."