The “Cloud Hopper” attack group is back in the spotlights this week after an informative report of Operation “Soft Cell” by security firm Cybereason. Detailed campaigns tracked by the firm display traits similar to how “APT10” associated groups have operated in the past.
Active since at least 2012 against telecommunications providers, “Soft Cell” was observed to target Active Directory domain servers once access was obtained on a target network before expanding their access. This suggests the group is primarily interested in long-term compromise of their targets. Their ongoing operations for months, and at times years, shows the group has the discipline and ability to practice stealthy and persistent attacks usually associated with well-funded nation-state groups.
Adaptability while maintaining access is a key ability for sophisticated nation-state groups. Such groups expect and plan for alternative routes during pre-attack operational activities.
A web shell (China Chopper) written for IIS servers was dropped after web-based compromise. From this webshell reconnaissance activity was observed by operators running basic diagnostic commands from a spawned cmd.exe instance with tools such as ipconfig, find, netstat, and whoami.
The second notable activity after initial access was running a modified nbtscan tool to identify NetBIOS name servers both locally and over the network. This tool was used by the actors to find shares on the internal Windows network.
Utilities such as Mimikatz were modified and deployed after the reconnaissance phase. Their modified artifact removed the need for command line arguments, likely to evade various techniques employed by EDR solutions to detect common tools like Mimikatz during execution. Modified and compiled code also has the advantage of easily defeating Anti-Virus solutions due to changes in signature(s) of code segments and structure, largely with no real work needed by the technical team powering Cloud Hopper’s operations.
Their modified Mimikatz tool allowed the group to dump NTLM hashes on the compromised machines. A second technique to obtain coveted NTLM hashes was performed by dumping specific hives from the Windows Registry containing the hashes. The SAM hive HKEY_LOCAL_MACHINE\SAM and Security hive HKEY_LOCAL_MACHINE\Security store these essential hashes.
With the network mapped and credentials stolen (and not necessarily cracked), the group had all they needed to remotely establish sessions. The target telco’s network’s production and database servers, along with their Domain Controller (!), were successfully compromise.
WMI and PsExec remote command execution, Windows sysadmin utilities, were used to successfully run the landscape of their target network.
Despite having all information and IP routing necessary to perform a complete domain compromise, the group performed additional tasks to enable persistence in forms other than their initial attack vector.
The attackers created high-privilege domain user accounts to perform actions after their first goal was achieved: domain compromise.
Changing the source of malicious operation, from the perspective of the Windows subsystem and network managers, provides multiple benefit. Obviously, it allows a deeper foothold into the system, having now a webshell along with domain-privileged accounts. Higher-privileged accounts, especially on machines with regular network traffic, are much quieter when performing administrative based tasks. With deployment of a RAT, such as PoisonIvy this threat actor used, they can maintain “phone home” or “callback” connectivity, bypassing the need to “push” into a network, opting to “pull” access at intervals.
This PoisonIvy variant abused a trusted and signed Samsung tool, runhelp.exe, was deployed as a Nullsoft Installer Package (NSIS) package. Once unpacked and run, the Samsung tool loaded a fake DLL posing as a legitimate dll, ssMUIDLL.dll, causing the malicious code to execute. The result was a scheduled task which would run the legitimate Samsung tool with the malicious payload. This is known as DLL Side Loading.
The actor opted for the RAR archival utility for compressing desired data for exfiltration. They were spotted keeping the WinRAR tool and their compressed data for exfiltration in the Recycle Bin folder.
These RAR data were stored as multi-part archives. This technique, among the others mentioned, are staples among the APT10 actor(s).
hTran was used attempting to exfiltrate targeted data out of segmented networks. The code was modified from the original; likely an attempt to evade detection of EDR and Anti-Virus solutions. The structure and debug output was almost identical, with key phrases left in the deployed payload, likely due to lack of English-language skills.
For example, “Connect error” became “C e.”.
Reasons for Attack
The most obvious reason for a nation-state targeting large telcos of nations is to track call/message data. These Call Detail Records (CDRs) are a way of telephone companies tracking data from:
- Device details
- Physical location
- Device vendor and version
- Source, destination, and duration of call
With such information, the unit can monitor another nation’s citizens, including their leaders. If they need further access, they can know the exact make/model of a device used by a target.
As a last resort, the unit also has the ability to potentially “jam” the data/voice network by destroying the infrastructure.
If the unit is extremely technically sophisticated, the desire is there from the management, and the target allows such technical operation, the group may pull off infected firmware updates, rogue base station legitimacy, or other such fanciful Hollywood-esque attacks which may actually exist as a capability.
Areas for Improvement
The attackers were found conducting multiple campaigns from the same IP address. When you’re a big nation state and not looking to cause overt damage, operation security is practically optional.
This author could critique the operation in many ways. The fact is the techniques described here work, and work well, for multi-year operations against higher-sophisticated targets such as telcos.
Hats off to the Cloud Hopper group for a long-term successful campaign that has likely monitored and lead to exploitation of several high-value political and business targets of the affected countries.
Without a doubt these operations will continue from the Chinese groups. They will continue to stay at the level (A/B/C/D/F grading) required to achieve and maintain access to sources of data their state deems critical to the operational success and future viability of their country.
No need to bring out the A-team for adversaries which do not demand it.