Axiom APT

The Axiom group is a Chinese, potentially state-sponsored, threat actor that compromises systems containing information of value to advancing China’s 12th Five Year Plan. It was investigated in the October 2014 Operation SMN, a joint operation between private firms, led by Novetta, which released information and led to the removal of Axiom malware from over 43,000 systems.
Since 2009, this group has been targeting networks in a broad range of sectors that possess confidential or classified information. Axiom campaigns share infrastructure, malware, or attack techniques with Operation Aurora (2009), the Elderwood Project (2009-2014), the VOHO campaign (2012), the Shell_Crew attacks on ColdFusion servers (2013), Operation Ephemeral Hydra (2013), Operation Snowman (2014), and 2014 attacks on American Middle Eastern Policy think tanks. Axiom could be connected to some of these other groups; however, it is more likely that Axiom opportunistically adopts zero-day exploits or malware that have proven effective in other campaigns. It is possible that Axiom acquires its malware on the deep web or through underground trade.
The group is likely Chinese state sponsored, but there are no definitive links connecting it to the Third Department, which houses China’s offensive threat groups Putter Panda and APT1. Axiom malware was configured to use simplified Chinese language settings and some of the filenames are in Chinese. It is more sophisticated in its operations than the aforementioned Third Department groups. It utilizes different resources, and it may have a different mission than Third Department groups. Novetta hypothesizes, based on Axiom’s domestic monitoring trends, that it might be charged with domestic operations and with targeting Chinese dissidents in other countries. Universities and research institutions in Hong Kong and mainland China have been targeted with Hikit malware for persistent operations. This could indicate state-sponsored concern over liberal academics and students.
Novetta has found that this group targets a wide variety of entities inside and outside governments. Axiom targets a wide variety of sectors, but it only targets specific entities in those sectors. Within Asian and Western governments, Axiom targets law enforcement, governmental records and communication agencies, environmental policy agencies, personnel management divisions, space and aerospace exploration and research entities, and government auditing and internal affairs divisions. In the science and technology sectors, Axiom targets networks belonging to electronics and integrated circuitry manufacturers, networking equipment manufacturers, internet based service companies, software vendors, cloud computing companies, energy firms, meteorological service companies, telecommunications firms, and pharmaceutical companies. Additionally, Axiom has targeted journalism and media outlets, Human Rights NGOs, international law firms, international consulting and analysis firms, and high ranking United States academic institutions. Most of the targeted organizations have been located in the United States, South Korea, Taiwan, Japan, and the European Union, with a majority of the breaches along the Eastern seaboard of the United States and in Western Europe.
Axiom targeting coincides with interests reflected in China’s 2006 and 2011 Five Year Plans, which push for advanced technology and advanced R&D efforts. As China shifts away from foreign technology, more organizations may be targeted by Axiom. The actor may target semiconductor and networking technology firms with offices in China because China wants to reduce its dependency on foreign technology. Western and Asian organizations may be targeted in intelligence and counterintelligence operations. Axiom targets NGOs concerned with international politics, environmental policy, pro-democracy movements, or human rights movements. In some instances, Axiom will target a satellite office and move laterally through the compromised network to the main office. Novetta theorizes that Axiom targets NGOs as a means of the Chinese ruling party keeping track of watchdog organizations and other groups who may publish claims that challenge the authority or “soft power” of the party. Targeting NGOs may also enable the party to suppress dissidents or intimidate whistleblowers.
Novetta believes that this group has a six stage victim lifecycle that uses a different team for each stage of the attack. This indicates large scale organization and coordination. Initially, the target is identified and the actor conducts reconnaissance. Then the system is compromised, confirmed to be a valuable target, and the network is surveyed. The actor laterally moves through the network and creates additional footholds. Compromised C2 infrastructure is connected to the victim network. Finally, valuable data is identified and exfiltrated.
Axiom initially compromises systems through web based attacks, targeted attacks against public facing infrastructure, zero-day exploits, watering hole attacks, and phishing emails. Once a system is compromised, Axiom spends a few days determining whether it is valuable. If it is determined to contain useful information, then the group installs persistent malware platforms. Otherwise, the group tries to move laterally through the network to locate more valuable systems. Axiom has proven capable of compromising large pools of machines and sifting through them in hours or days to find the valuable ones. This indicates dedicated resources, possibly a dedicated targeting team and a deterministic set of criteria. After the initial compromise, Axiom begins reconnaissance to identify where it is in the target network and to identify any changes that have been made to the network. Axiom then escalates privileges using previously compromised administrative accounts, local exploits, or remote exploits, as demonstrated in the ZoxRPC malware. Then, over the course of minutes or months, it tries to dump the latest user credentials and exfiltrate the data. Once inside the network, Axiom can also exploit Remote Desktop Protocol or exploit vulnerabilities in the custom tools designed by the organization itself. This allows Axiom to “fly under the radar” and avoid alerting antivirus or IDS systems to the compromise.
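The lateral movement described above (reuse of compromised administrative accounts and Remote Desktop Protocol to hop from foothold to foothold) is visible to a defender as one account opening RDP sessions to many hosts in a short time. The following script is an added example, not part of the Novetta report or the original page: it runs a sliding-window "RDP fan-out" check over constructed logon records modelled on the fields of Windows Security event 4624 (LogonType 10 is RemoteInteractive, i.e. RDP). All hostnames, account names, addresses, times and the 30-minute / 3-host thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (time|event_id|logon_type|user|src_ip|dst_host),
# modelled on Windows Security event 4624. Everything here is made up.
SAMPLE_EVENTS = [
    "2014-10-01T02:01:10|4624|10|svc_backup|10.0.5.23|FS01",
    "2014-10-01T02:04:42|4624|10|svc_backup|10.0.5.23|DC02",
    "2014-10-01T02:09:05|4624|10|svc_backup|10.0.5.23|HR-DB",
    "2014-10-01T02:15:30|4624|10|svc_backup|10.0.5.23|ENG-SRC",
    "2014-10-01T09:12:00|4624|10|alice|10.0.7.41|WS-ALICE",
    "2014-10-01T09:40:00|4624|2|bob|-|WS-BOB",          # console logon, not RDP
    "2014-10-01T13:05:00|4624|10|alice|10.0.7.41|FS01",
    "2014-10-02T08:00:00|4624|10|alice|10.0.7.41|WS-ALICE",
]


def parse_event(line):
    """Split one pipe-delimited record into a typed dict."""
    ts, event_id, logon_type, user, src_ip, dst_host = line.split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "src_ip": src_ip,
        "dst_host": dst_host,
    }


def rdp_fanout(lines, window=timedelta(minutes=30), min_hosts=3):
    """Flag accounts that open RDP sessions to >= min_hosts distinct hosts
    inside any `window`-long interval. Returns {user: details}."""
    by_user = defaultdict(list)
    for ev in map(parse_event, lines):
        # Keep only successful RemoteInteractive (RDP) logons.
        if ev["event_id"] == 4624 and ev["logon_type"] == 10:
            by_user[ev["user"]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        j = 0
        for i in range(len(evs)):
            # Advance j so evs[i:j] covers [evs[i].time, evs[i].time + window].
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            hosts = {e["dst_host"] for e in evs[i:j]}
            if len(hosts) >= min_hosts:
                alerts[user] = {
                    "first_seen": evs[i]["time"],
                    "hosts": sorted(hosts),
                    "src_ips": sorted({e["src_ip"] for e in evs[i:j]}),
                }
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for user, info in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"{user}: {len(info['hosts'])} hosts from {info['src_ips']} "
              f"starting {info['first_seen']} -> {info['hosts']}")
```

On the constructed sample, only `svc_backup` trips the check (four distinct hosts in about fourteen minutes from one source address); `alice`'s scattered sessions and `bob`'s console logon do not. The thresholds are deliberately parameters: a service account hopping across file, domain-controller and source-code servers at 02:00 is the pattern the profile above describes, and an environment with legitimate admin jump-box activity would tune the window and host count to its own baseline.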
As the campaign continues, Axiom may install additional families of malware as a mechanism for remaining in the system even if one malware family is discovered by the target. Compromised systems have featured up to four layers of malware, ranging from extremely common tools (Poison Ivy, Gh0st, ZXshell) to focused tools used by threat groups (Derusbi, Fexel) to custom Axiom malware (ZoxPNG/ZoxRPC, Hikit). Axiom routes its activity through compromised proxy infrastructure in the United States, South Korea, Taiwan, Hong Kong, and Japan to make its traffic look legitimate to casual observation.
Novetta observes that the Hikit malware is unique to Axiom and is only used on high value targets at the height of the victim’s operational lifecycle. Of the 43,000 compromised systems discovered in Operation SMN, only 180 systems were infected with the Hikit malware. Hikit is a late stage persistence and data exfiltration tool that is capable of uploading and downloading files, generating a remote shell, tunneling into the network, and connecting to other infected machines to generate a secondary network.

Type: Nation-State-Sponsor or Cyber-Mercenary
Status: Active
Other Names: Winnti / Blackfly / Tailgater Team / Group 72 / Dogfish / Deputy Dog / Operation SMN
Active Since/Discovered: 2009/2013
Last Report: 5/2016
Targets: United States, South Korea, Taiwan, Japan, and the European Union, with a majority of the breaches along the Eastern seaboard of the United States and Western Europe
Target Sectors: pharmaceutical, telecommunication networks, government, energy, environmental policy organizations, circuitry manufacturers, networking equipment manufacturers, internet based service companies, software vendors, and cloud computing companies
Malware:
- PoisonIvy, Gh0st RAT, HydraQ, ZxShell, Derusbi, Deputy Dog, PlugX, HTran, Fexel, Winnti, HDRoot, custom Axiom malware (ZoxPNG/ZoxRPC, Hikit)
- Hikit used on select targets, such as energy organizations
- Late stage persistence and data exfiltration tool that is capable of uploading and downloading files, generating a remote shell, tunneling into the network, and connecting to other infected machines to generate a secondary network
Preferred Attack Vector: Spear-phishing; watering hole attacks; web-based attacks; targeted attacks against public facing infrastructure; and zero-day exploits
TTP:
- CVE-2013-3893
- Exfiltrates source code, internal system design details, and other information relevant to China’s current five year plan
Unique:
- Shared infrastructure with Aurora (2009), the Elderwood Project (2009-2014), the VOHO campaign (2012), the Shell_Crew attacks on ColdFusion servers (2013), Operation Ephemeral Hydra (2013), Operation Snowman (2014), and 2014 attacks on American Middle Eastern Policy think tanks