Between May 2016 and late 2017, a hacking group believed to be close to the Chinese government broke into a UK government contractor's network and stole information relating to UK government departments and to sensitive communications technology.
The group, tracked as APT15, used the open-source credential-dumping tool Mimikatz and several backdoors, including BS2005, RoyalCLI and RoyalDNS, to reach sensitive information and send it to a remote command-and-control (C&C) server.
Security researchers at NCC Group have revealed how APT15, which is believed to be close to the Chinese government, compromised a network owned by a UK government contractor and used several previously unseen tools to scan the network and steal information from it while evading the attention of network operators and anti-malware technologies.
The covert operation by APT15 to gain access to information related to UK government departments and sensitive communications technology went on for over a year before it was detected by experts at NCC Group.
“Through our investigation we were able to identify and monitor the attack process from start to finish, offering us unique insight into the behaviour of this group. It’s clear to see that this is a highly sophisticated threat actor that has no problem writing tools which are specific to its victims,” said Ahmed Zaki, senior malware researcher at NCC Group.
The news comes not long after security firm CrowdStrike revealed that a number of influential think tanks in the UK had been targeted by Chinese hackers since April last year, with some of the attacks succeeding. The firm added that it had been contacted by several think tanks that asked it to investigate the attacks.
It added that the group responsible for the attacks on UK-based think tanks was "Panda", which is based in China and is believed to be linked to the Chinese government.
Hitherto unknown hacking tools
According to NCC Group researchers, the APT15 hackers initially used the open-source tool Mimikatz to obtain domain administrator credentials and to steal a VPN certificate, with which they gained access to the unnamed government contractor's network.
Once inside, the group deployed three backdoors, dubbed BS2005, RoyalCLI and RoyalDNS. These let it run most of its commands through the Windows command prompt (cmd.exe), even on hosts where policy settings disabled the command prompt, and gave it several ways to collect and extract information.
“The group used a tool called Comma Separated Value Data Exchange (CSVDE), which can export data in bulk from Microsoft Windows Active Directory, as well as Bulk Copy Program (BCP), which comes with Microsoft SQL, to export data from Microsoft SQL databases.
These methods were combined with bespoke tools to extract information from Microsoft SharePoint and Microsoft Exchange. In the case of the Microsoft SharePoint tool the binary included hard-coded project names that were specific to the victim,” the researchers said.
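The two export utilities named above, csvde.exe and bcp.exe, are legitimate Microsoft binaries, so a defender cannot simply block them; what stands out is their command lines (csvde writing a file with `-f`, bcp dumping a table or query with `out`/`queryout`) and, as the previous paragraph notes, cmd.exe appearing where policy says it should not. The hunting script below is an added example, not code from NCC Group or from the article. It assumes process-creation telemetry with Sysmon Event ID 1 field names (Image, CommandLine, ParentImage, User) serialised as JSON lines; the sample events are constructed for this illustration, and the "cmd.exe from a non-interactive parent" rule is a heuristic of this example, not a finding from the investigation.

```python
"""Hunt for bulk-export tooling (csvde.exe, bcp.exe) and unexpected cmd.exe
in process-creation telemetry.

Added example; assumes Sysmon Event ID 1-style fields in JSON lines.
The SAMPLE_EVENTS below are constructed, not real investigation data.
"""
import json
import ntpath
import re
from typing import Optional

# Parents from which an interactive cmd.exe is expected; anything else
# (a service host, a dropped implant) is worth a closer look. Heuristic.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "conhost.exe"}

# Constructed sample telemetry, one JSON object per line (backslashes JSON-escaped).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\csvde.exe", "CommandLine": "csvde -f C:\\Windows\\Temp\\ad.csv -r (objectClass=user)", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc_backup"}
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft SQL Server\\Client SDK\\ODBC\\170\\Tools\\Binn\\bcp.exe", "CommandLine": "bcp \"SELECT * FROM hr.dbo.staff\" queryout C:\\Windows\\Temp\\s.dat -c -T -S SQL01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc_backup"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami /all", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "User": "CORP\\svc_backup"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
"""


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event matches a hunting rule, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()

    # csvde -f <file>: exports directory objects to a CSV file on disk.
    if image == "csvde.exe" and re.search(r"(^|\s)-f\s", cmd):
        return "AD bulk export via csvde"
    # bcp ... out|queryout <file>: dumps a table or a query result to disk.
    if image == "bcp.exe" and re.search(r"\b(out|queryout)\b", cmd, re.IGNORECASE):
        return "SQL bulk export via bcp"
    # cmd.exe launched by something other than a user's interactive shell.
    if image == "cmd.exe" and parent not in INTERACTIVE_PARENTS:
        return f"cmd.exe spawned by {parent}"
    return None


def flag_events(jsonl: str) -> list:
    """Parse JSON-lines telemetry and return one alert dict per matching event."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            alerts.append({
                "user": event.get("User"),
                "image": ntpath.basename(event.get("Image", "")),
                "reason": reason,
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print(f"[{alert['user']}] {alert['image']}: {alert['reason']}")
```

Run against the constructed sample, the script raises three alerts for the svc_backup account (the csvde export, the bcp query export, and cmd.exe launched from svchost.exe) and stays silent on the two ordinary user sessions. In a real estate the same three rules would be expressed as a SIEM query over forwarded Sysmon or 4688 events, with the INTERACTIVE_PARENTS list tuned to the environment's own scheduling and management tooling.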
They added that APT15 is also known in cyber security circles by other names, including Ke3chang, Mirage, Vixen Panda, GREF and Playful Dragon, and has been linked to several hacking campaigns in the past.
“Espionage by foreign governments should not come as a shock to anyone, these days. False flags, double bluffs and blatant denials should also be expected. These attack tools have been associated with a group that targeted foreign affairs ministries in the past,” said Andy Norton, director of threat intelligence at Lastline.
“We do not know if the attack is limited to the UK at this point. The wide range of tools used suggests a requirement for many capabilities in the target network; from this, we can infer that intellectual property was the target of the attack.
“Whether this would be considered a GDPR breach depends on the type of data exfiltrated. If policy strategy was the target of the attack, then no personally identifiable data would have been impacted under GDPR regulation,” he added.