HackRead
  • December 15th, 2019

APT15 Hackers Hit UK Govt Contractor to Steal Military Technology Secrets

March 13th, 2018 | Waqas | Hacking News, News, Security

The APT15 hacking group has long been associated with Chinese intelligence and has taken part in several high-profile hacking campaigns. The same group has now allegedly stolen information about the UK's military technology by compromising the systems of a UK government contractor in a malware-based attack.

According to NCC Group's findings, the China-linked APT15 group (also known as Ke3chang, Vixen Panda, Mirage, Playful Dragon and GREF) has been targeting data on military technology and UK government departments. In this attack APT15 used new backdoors, and the targets were contractors working with various UK military units and government departments.

The findings were presented by NCC Group senior malware researcher Ahmed Zaki at Kaspersky's Security Analyst Summit (SAS). In a blog post, NCC Group explained that in May 2017 its Incident Response Team was called in by a contractor that provides a wide range of services to the UK government and was asked to respond to an incident that was still ongoing.

The client reported that it had suffered a network compromise involving the "advanced persistent threat group APT15." The investigation was halted in June 2017 at the client's request and resumed in August 2017, when APT15 regained access to the victim's network.

“APT15 managed to regain access a couple of weeks later via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host,” the blog post read.


The attack does not appear to be an isolated attempt but part of a wider operation aimed at UK government and military contractors. The group is believed to be using two new backdoors alongside malware that already carries APT15's hallmarks. The researchers wrote in their blog post:

“During our analysis of the compromise, we identified new backdoors that now appear to be part of APT15’s toolset. The backdoor BS2005 – which has traditionally been used by the group – now appears alongside the additional backdoors RoyalCli and RoyalDNS. The RoyalCli backdoor appears to be an evolution of BS2005 and uses familiar encryption and encoding routines.”

RoyalCli takes its name from a debugging path left in the binary and is a successor to the BS2005 backdoor that APT15 used in earlier campaigns. Both RoyalCli and BS2005 communicate with their C&C server through Internet Explorer, driven via the COM interface IWebBrowser2, which means the C&C traffic is issued by the browser rather than by the backdoor's own process.

The second backdoor, RoyalDNS, uses DNS to communicate with its C&C server: commands arrive over DNS and the output of each executed command is returned over the same DNS channel. Analysis of the domain and IP address infrastructure revealed several domains likely used by APT15, hosted on Google Cloud and/or Linode.

“All of the backdoors identified – excluding RoyalDNS – required APT15 to create batch scripts in order to install its persistence mechanism. This was achieved through the use of a simple Windows run key.

Additional tools were recovered during the incident, including a network scanning/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as ‘spwebmember’.” researchers explained.

After NCC Group's initial response, APT15 did not give up: the group regained access via the corporate virtual private network using a certificate stolen from an already-compromised host.

"This time, APT15 opted for a DNS based backdoor: RoyalDNS. The persistence mechanism used by RoyalDNS was achieved through a service called 'Nwsapagent'," the blog said, adding that this backdoor's C&C communication used DNS TXT records and contacted the domain andspurs[.]com.
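The three host-side behaviours described above (Internet Explorer driven through COM, a Run key written by a batch script, and persistence through a new service) each leave a trace in ordinary Windows telemetry. The following is an added hunting example, not NCC Group's code or anything recovered from the incident: it runs simple rules over constructed Sysmon (EventID 1 and 13) and System log (EventID 7045) records. The ' | ' key=value line layout, the baseline service list and every path in the sample records are assumptions made for this example; only the service name Nwsapagent comes from the article. The `-Embedding` switch is the one Windows passes when it starts an out-of-process COM server, so an iexplore.exe launched that way, or by something other than the shell, is the IWebBrowser2 pattern to look for.

```python
"""Hunt over constructed Windows telemetry for the APT15 behaviours
described in the article: IE started through COM automation, a Run-key
value set by a script host, and a newly installed service.  Added
example, not NCC Group code; field names follow Sysmon EID 1/13 and
System EID 7045, the ' | ' key=value layout is an assumption."""
import re

# Constructed sample records, not real telemetry from the incident.
SAMPLE_EVENTS = [
    r'EventID=1 | Image=C:\Program Files\Internet Explorer\iexplore.exe | CommandLine="C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | ParentImage=C:\Windows\System32\svchost.exe',
    r'EventID=1 | Image=C:\Program Files\Internet Explorer\iexplore.exe | CommandLine="C:\Program Files\Internet Explorer\iexplore.exe" https://intranet.corp.local/ | ParentImage=C:\Windows\explorer.exe',
    r'EventID=13 | Image=C:\Windows\System32\cmd.exe | TargetObject=HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svcupdate | Details=C:\Users\jsmith\AppData\Roaming\svcupdate.exe',
    r'EventID=13 | Image=C:\Program Files\Vendor\Updater.exe | TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate | Details="C:\Program Files\Vendor\Updater.exe" /tray',
    r'EventID=7045 | ServiceName=Nwsapagent | ImagePath=C:\ProgramData\nwsapagent.exe | StartType=auto start',
    r'EventID=7045 | ServiceName=VendorSvc | ImagePath="C:\Program Files\Vendor\VendorSvc.exe" | StartType=auto start',
    r'EventID=13 | Image=C:\Windows\regedit.exe | TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backup | Details=C:\ProgramData\backup.bat',
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Public)\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r'\.(bat|cmd|vbs|js|ps1)(["\s]|$)', re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "reg.exe", "wscript.exe", "cscript.exe"}  # what a batch script would use
IE_PARENTS_OK = {"explorer.exe", "iexplore.exe"}  # interactive launches
KNOWN_SERVICES = {"VendorSvc"}  # assumed baseline of expected service names


def parse_event(line):
    """'K=V | K=V' -> dict; values may contain spaces, quotes and '='."""
    rec = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """EID 1: Internet Explorer not started by the user's shell, or started
    as a COM server (-Embedding), which is how IWebBrowser2 automation looks."""
    reasons = []
    if basename(ev.get("Image", "")) != "iexplore.exe":
        return reasons
    parent = basename(ev.get("ParentImage", ""))
    if parent not in IE_PARENTS_OK:
        reasons.append(f"iexplore.exe started by {parent}, not by the shell")
    if "-embedding" in ev.get("CommandLine", "").lower():
        reasons.append("iexplore.exe launched as a COM server (-Embedding)")
    return reasons


def check_run_key(ev):
    """EID 13: Run-key value set by a script host, or pointing at a script
    or a user-writable directory."""
    reasons = []
    if not RUN_KEY.search(ev.get("TargetObject", "")):
        return reasons
    writer = basename(ev.get("Image", ""))
    if writer in SCRIPT_HOSTS:
        reasons.append(f"Run key written by {writer} (batch/script persistence)")
    details = ev.get("Details", "")
    if USER_WRITABLE.search(details) or SCRIPT_EXT.search(details):
        reasons.append(f"Run value points at user-writable path or script: {details}")
    return reasons


def check_service(ev):
    """EID 7045: a service installed whose name is not in the baseline."""
    name = ev.get("ServiceName", "")
    if name and name not in KNOWN_SERVICES:
        return [f"new service '{name}' outside baseline (ImagePath={ev.get('ImagePath', '')})"]
    return []


CHECKS = {"1": check_process, "13": check_run_key, "7045": check_service}


def hunt(lines):
    """Return [(event, [reasons])] for every record that trips a rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = CHECKS.get(ev.get("EventID"), lambda _e: [])(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(f"EventID {ev['EventID']}: " + "; ".join(reasons))
```

Tune `KNOWN_SERVICES` and `SCRIPT_HOSTS` to the estate before trusting the output; in a real deployment the same rules are usually expressed as SIEM queries over Sysmon and the System log rather than as a script, but the logic is the same.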

Because the HTTP-based backdoors inject into Internet Explorer, a number of C2 commands had been cached to disk. The researchers recovered these files and, having reverse-engineered the encoding routine the backdoors use, decoded them to reconstruct exactly which commands the attackers had executed.

In total they recovered more than 200 commands executed against compromised hosts, which gave them a clear view of the attackers' TTPs. The decoded scripts have been uploaded to NCC Group's GitHub page.
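RoyalDNS, as described above, tunnels commands and their output over DNS TXT lookups to andspurs[.]com. Whatever the exact encoding, that channel looks the same from the network: one client sending many TXT queries to one domain, each with a distinct, high-entropy leftmost label. The following is an added detection example, not NCC Group's code and not a RoyalDNS signature (the article does not describe the backdoor's query format), so it is a generic DNS-tunnelling heuristic run over constructed resolver log lines. The log layout (timestamp, client, qtype, qname), the thresholds and the two-label "base domain" rule are assumptions; the domain name is the indicator given in the article.

```python
"""Flag DNS TXT beaconing over constructed resolver logs: many TXT queries
from one client to one base domain with distinct, high-entropy leftmost
labels.  Added example, not NCC Group code; log format and thresholds are
assumptions."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log: "<timestamp> <client> <qtype> <qname>" per line.
# The hex labels are made up; andspurs.com is the indicator from the article.
SAMPLE_LOG = """\
2017-08-14T09:01:02Z 10.0.0.15 A www.microsoft.com
2017-08-14T09:01:03Z 10.0.0.15 TXT 7f3a9c2e1b8d4f60.andspurs.com
2017-08-14T09:02:03Z 10.0.0.15 TXT c4e19a7d2b6f0e35.andspurs.com
2017-08-14T09:03:04Z 10.0.0.15 TXT 0b8e5d3a7f1c9264.andspurs.com
2017-08-14T09:04:03Z 10.0.0.15 TXT e2a7c913f6b4d085.andspurs.com
2017-08-14T09:05:05Z 10.0.0.15 TXT 5d1f8c3b9a7e2406.andspurs.com
2017-08-14T09:06:04Z 10.0.0.15 TXT a6c2e8f4b1d97350.andspurs.com
2017-08-14T09:07:03Z 10.0.0.15 TXT 3e9b7d1a5c4f8e21.andspurs.com
2017-08-14T09:08:06Z 10.0.0.15 TXT b8d4f602a7c13e95.andspurs.com
2017-08-14T09:08:30Z 10.0.0.15 TXT _dmarc.example.com
2017-08-14T09:08:31Z 10.0.0.15 TXT example.com
2017-08-14T09:09:00Z 10.0.0.22 TXT selector1._domainkey.example.org
2017-08-14T09:09:01Z 10.0.0.22 A intranet.corp.local
"""


@dataclass
class Alert:
    client: str
    domain: str
    queries: int
    unique_labels: int
    mean_entropy: float


def shannon_entropy(s):
    """Bits per character; random hex is close to 4, English words near 2-3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname):
    """Assumption: registrable domain = last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[0]


def detect(lines, min_queries=5, min_entropy=3.0, min_unique_ratio=0.8):
    """Group TXT queries by (client, base domain) and alert on groups that
    look like a data channel rather than SPF/DKIM/DMARC lookups."""
    groups = defaultdict(list)  # (client, domain) -> leftmost labels
    for line in lines:
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        if qtype.upper() != "TXT" or qname.count(".") < 1:
            continue
        domain, label = base_domain(qname)
        groups[(client, domain)].append(label)

    alerts = []
    for (client, domain), labels in groups.items():
        if len(labels) < min_queries:
            continue  # too few queries: ordinary mail-auth lookups
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        unique_ratio = len(set(labels)) / len(labels)
        if mean_ent >= min_entropy and unique_ratio >= min_unique_ratio:
            alerts.append(Alert(client, domain, len(labels),
                                len(set(labels)), round(mean_ent, 2)))
    return sorted(alerts, key=lambda a: -a.queries)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.client} -> {a.domain}: {a.queries} TXT queries, "
              f"{a.unique_labels} unique labels, mean entropy {a.mean_entropy}")
```

Legitimate TXT traffic (SPF, DKIM selectors, DMARC) is low-volume and uses readable labels, which is why the volume and entropy conditions are combined rather than used alone; on a busy resolver, run the grouping per time window and feed a proper public-suffix list into `base_domain`, otherwise everything under a shared hosting domain collapses into one group.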


  • Tags
  • China
  • Cyber Attack
  • Cyber Crime
  • cyber war
  • DNS
  • government
  • Infosec
  • internet
  • Military
  • Technology
  • UK
  • VPN
Waqas
I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism.
