Many hacks carried out by Chinese groups over the last decade were already public knowledge; what was not known, according to security researchers, is that these attacks were connected.
The report from 401TRG, the Threat Research & Analysis Team at ProtectWise, connects attacks by LEAD, BARIUM, Wicked Panda, GREF, and PassCV to a Chinese state intelligence apparatus, which has been called “Winnti Umbrella” after the name of the Winnti backdoor tool used by the groups.
The attacks have been taking place since at least 2009 and may go back to 2007. The groups tend to share the same tradecraft, starting with phishing campaigns to gain access to corporate accounts and networks. They follow up with custom malware and try to stay undetected by “living off the land,” that is, using software and administrative tools already installed on the victim's systems for malicious purposes rather than dropping additional tooling that defenders could flag.
Winnti Umbrella has hit more than 30 online video game companies over the last four years, and often infiltrates big tech businesses. “They primarily seek code signing certificates and software manipulation, with potential financially motivated secondary objectives. These targets have been identified in the United States, Japan, South Korea, and China,” writes ProtectWise senior threat researcher Tom Hegel. A stolen code-signing certificate lets the attackers sign their own malware so that it appears to come from a legitimate vendor and passes checks that would otherwise block unsigned code. Winnti also goes after political targets, such as journalists, activists, and governments.
But the attackers made operational mistakes that helped identify their true location in China. The perpetrators normally route their activity through command-and-control servers to conceal their source IPs, but on some occasions they accessed machines directly from IP addresses belonging to the China Unicom Beijing Network in the Xicheng District.
The US and China did reach an agreement in 2015 under which neither government would conduct or support cyber-enabled theft of intellectual property for commercial advantage, but it doesn’t appear to have stopped the scourge of state-backed Chinese hackers.