Sunday, September 28, 2025


China-linked groups using stealthy malware to hack software suppliers, steal national-security and trade data


WASHINGTON — Highly sophisticated hackers linked to the Chinese government are breaking into technology companies, software-as-a-service providers and legal-services firms with stealthy malware that has allowed them to quietly steal sensitive data from those companies and their customers, Google announced on Wednesday.

The hackers have pivoted from service providers to their customers’ networks, searched the emails of specific people inside legal firms and hunted for information about U.S. national security and international trade matters, according to Google.

The threat actors have also stolen the source code for widely used enterprise technologies, likely as part of an effort to analyze them for undisclosed vulnerabilities that could power future attacks, Google said. In some breaches of enterprise tech vendors, they have searched the email inboxes of software developers for information about product flaws.

A China-linked group called UNC5221 is conducting most of the attacks, according to Google, but because different teams often share tools, the tech giant said other China-linked groups are also likely involved.

The campaign is active right now, Google cybersecurity experts told reporters on Tuesday during a briefing at the company’s Cyber Defense Summit in Washington.

“This is happening in the United States, this is next-level activity, and we’re only going to learn more about it over time,” said John Hultquist, chief analyst at Google’s Threat Intelligence Group (GTIG).

Hultquist described the campaign as “a very good intelligence operation” and said the attackers’ movement from major vendors to their customers recalled other supply-chain incidents such as Russia’s SolarWinds espionage campaign. “It is them moving upstream where they can pick and choose their targets of interest.”

Hiding in the gaps

An alarming element of the campaign, Google said, is the hackers’ use of a malware backdoor called Brickstorm that they plant on systems that cannot run endpoint detection and response (EDR) or antivirus software, such as VMware ESXi hypervisors, email security gateways and vulnerability scanners. Evading EDR allows them to hide for far longer than hackers typically can — Google said it has taken victims an average of 393 days to discover the intrusions, a remarkably long “dwell time” that defies recent trends in improved attack detection.

Google is releasing a tool that will let companies scan their networks for evidence of Brickstorm, as well as YARA rules that companies can use to search their backups for historical evidence of intrusions. Google experts said the hackers excel at erasing their tracks.

Many organizations will “find evidence of historic compromises or active compromises,” said Charles Carmakal, chief technology officer at Google’s Mandiant division.

Companies that do see signs of the Brickstorm malware need to conduct a thorough investigation, he added. “This is a very, very advanced adversary.”

Patient adversary, long-term ripple effects

The main China-linked group responsible for the intrusions, UNC5221, “is the most prevalent adversary in the United States over the past several years” in terms of the frequency, severity and complexity of their attacks, Carmakal told reporters.

UNC5221 hackers are extremely stealthy, Carmakal said, never using infrastructure hosted on the same IP address in more than one attack to avoid creating a recognizable pattern. “It’s very hard to detect them and to investigate them,” he said.

The attackers are also patient. In one investigation, Google saw the hackers configure their backdoor to lie dormant for months while the victim investigated signs of an intrusion. “It’s clever, but it also shows they’re in it for the long game,” said Austin Larsen, a principal threat analyst at GTIG.

Because most companies haven’t discovered the intrusions until long after their logs from the initial access timeframe are automatically deleted, Google researchers have found it difficult to identify the hackers’ means of initial access. But the company said evidence points to the attackers “compromising perimeter and remote access infrastructure,” including Ivanti Connect Secure VPNs and several other edge devices. UNC5221 has been one of the primary groups exploiting Ivanti vulnerabilities over the past two years.
