Serious Breach Linked to Chinese APTs Comes to Light

22.2.2017 securityweek APT

Several major organizations may have been affected by a breach suffered by an IT services and software provider. The attack, linked to threat actors believed to be located in China, took place in 2015, but it has only now come to light.

A report published earlier this month by RSA describes Kingslayer, a supply chain attack that apparently targeted system administrators in some large organizations. The attackers breached the systems of a company that offers event log analyzers and replaced a legitimate application and its updates with a backdoored version.

The malicious version of the software was delivered between April 9 and April 25, 2015, and it was downloaded by at least one Windows system administrator working for a defense contractor.

While it’s unclear exactly how many organizations downloaded the backdoored software in the April 9-25 timeframe, RSA said the portal that hosted it had numerous subscribers, including four major telecoms providers, over ten western military organizations, more than two dozen Fortune 500 companies, five major defense contractors, and tens of IT solutions providers, government organizations, banks and universities.

While RSA has not named the company whose systems were compromised, investigative journalist Brian Krebs determined that it was Canada-based Altair Technologies Ltd. The company offers firewall log analyzers, a Windows event monitoring product, and a repository of troubleshooting information related to Windows event log messages (EventID.Net).

The EventID.Net website hosted EvLog, the software hijacked by the attackers. A notice posted on the site in June 2016 provides some details on the incident and recommendations for potentially affected users.

However, as Krebs pointed out, the advisory does not appear to have been shared on social media, and there was no link to it from anywhere on the site; a link was added this week, after the journalist contacted Altair Technologies. The company told Krebs it had no way of knowing who had downloaded the software, so potential victims were not notified directly either.

While Altair representatives said they don’t expect large organizations to use the EvLog tool, the company’s main website claims the EventID.Net portal has helped millions of users worldwide. SecurityWeek has reached out to Altair Technologies for clarifications.

RSA pointed out that the defense contractor targeted by Kingslayer was attacked only 11 weeks after the breach of Altair’s systems, which suggests that the attackers may have focused on other targets in those 11 weeks.

Evidence uncovered by RSA suggests that the attack was linked to Shell Crew, aka Deep Panda, and Codoso, aka Sunshop Group. Both Shell Crew and Codoso are advanced persistent threat (APT) groups believed to be operating out of China.

RSA also pointed to similarities with another supply chain attack known as the 2014 Monju incident, which targeted a nuclear facility in Japan. That attack was also linked to China.