- Feb 4, 2016
- 2,520
Though sloppy at times, Winnti Umbrella remain advanced and extremely prolific.
Researchers said Chinese intelligence officers are behind almost a decade's worth of network intrusions that use advanced malware to penetrate software and gaming companies in the US, Europe, Russia, and elsewhere. The hackers have struck as recently as March in a campaign that used phishing emails in an attempt to access corporate-sensitive Office 365 and Gmail accounts. In the process, they made serious operational security errors that revealed key information about their targets and possible location.
Researchers from various security organizations have used a variety of names to assign responsibility for the hacks, including LEAD, BARIUM, Wicked Panda, GREF, PassCV, Axiom, and Winnti. In many cases, the researchers assumed the groups were distinct and unaffiliated. According to a 49-page report published Thursday, all of the attacks are the work of Chinese government's intelligence apparatus, which the report's authors dub the Winnti Umbrella. Researchers from 401TRG, the threat research and analysis team at security company ProtectWise, based the attribution on common network infrastructure, tactics, techniques, and procedures used in the attacks as well as operational security mistakes that revealed the possible location of individual members.
A decade of hacks
Attacks associated with Winnti Umbrella have been active since at least 2009 and possibly date back to 2007. In 2013, antivirus company Kaspersky Lab reported that hackers using computers with Chinese and Korean language configurations used a backdoor dubbed Winnti to infect more than 30 online video game companies over the previous four years. The attackers used their unauthorized access to obtain digital certificates that were later exploited to sign malware used in campaigns targeting other industries and political activists.
Also in 2013, security firm Symantec reported on a hacking group dubbed Hidden Linx that was behind attacks on more than 100 organizations, including the high-profile 2012 intrusion that stole the crypto key from Bit9 and used it to infect at least three of the security company's customers.
In later years, security organizations Novetta, Cylance, Trend Micro, Citizen Lab, and ProtectWise issued reports on various Winnti Umbrella campaigns. One campaign involved the high-profile network breaches that hit Google and 34 other companies in 2010.
"The purpose of this report is to make public previously unreported links that exist between a number of Chinese state intelligence operations," The ProtectWise researchers wrote. "These operations and the groups that perform them are all linked to the Winnti Umbrella and operate under the Chinese state intelligence apparatus."