Malware Found Matches Code Used Vs. Defense Contractors in 2012
Cyber espionage hackers who broke into security firm Bit9 initially breached the company’s defenses in July 2012, according to evidence being gathered by security experts investigating the incident. Bit9 remains reluctant to name customers that were impacted by the intrusion, but the custom-made malicious software used in the attack was deployed last year in highly targeted attacks against U.S. Defense contractors.
Earlier this month, KrebsOnSecurity broke the story of the breach at Waltham, Mass.-based Bit9, which involved the theft of one of the firm’s private digital certificates. That certificate was used to sign malicious software, or “malware” that was then sent to three of the company’s customers. Unlike antivirus software, which tries to identify and block known malicious files, Bit9’s approach helps organizations block files that aren’t already digitally signed by the company’s own certificates.
After publishing a couple of blog posts about the incident, Bit9 shared with several antivirus vendors the “hashes” or unique fingerprints of some 33 files that hackers had signed with the stolen certificate. KrebsOnSecurity obtained a list of these hashes, and was able to locate two malicious files that matched those hashes using Virustotal.com — a searchable service and database that lets users submit suspicious files for simultaneous scanning by dozens of antivirus tools.
The first match turned up a file called “media.exe,” which according to Virustotal was compiled and then signed using Bit9’s certificate on July 13, 2012. The other result was a Microsoft driver file for an SQL database server, which was compiled and signed by Bit9’s cert on July 25, 2012.
Asked about these findings, Bit9 confirmed that the breach appears to have started last summer with the compromise of an Internet-facing Web server, via an SQL injection attack. Such attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server.
In an exclusive interview with KrebsOnSecurity, Bit9 said it first learned of the breach on Jan. 29, 2013, when it was alerted by a third party which was not a customer of Bit9. The company believes that the trouble began last July, when an employee started up a virtual machine that was equipped with an older Bit9 signing certificate which hadn’t been actively used to sign files since January 2012.
Harry Sverdlove, Bit9’s chief technology officer, said the company plans to share more details about its investigation into the intrusion in a post to be published Thursday on Bit9’s blog. For instance, he said, the control server used to coordinate the activities of the malware sent by the attackers traced back to a server in Taiwan.
Sverdlove said Bit9 will not reveal the identities of the customers that were apparently the true target of the breach; he would only characterize them as “three non-critical infrastructure entities.” Sverdlove said although it is clear now that Bit9 was hacked as a jumping-off point from which to launch more stealthily attacks against a handful of its customers, that reality hardly softens the blow.
“Although it doesn’t make us feel any better, this wasn’t a campaign against us, it was a campaign using us,” Sverdlove said. “We don’t take any solace in this, but the good news is they came after us because they weren’t able to come after our customers directly.”
It’s not clear why the attackers waited so long to use the stolen certs, but in any case Bit9 says the unauthorized virtual machine remained offline from August through December, and was only turned on again in early January 2013.
The company said the SQL injection vulnerability was used to plant HiKit, a sophisticated “rootkit” program designed to hide the presence of other malicious files and to open a backdoor on host systems. HiKit was first detailed in August 2012 by Alexandria, Va-based security forensics firm Mandiant, which said it uncovered the custom tool while investigating targeted attacks against a small number of defense contractors in the United States. Mandiant’s initial analysis on HiKit is here.
Interestingly, according to a writeup from Symantec, the version of HiKit that it examined also installed itself to host machines using a stolen digital certificate. Symantec didn’t say which firm the certificate was stolen from, but it did say the certificate in question had expired almost a year earlier — in Nov. 2011. That suggests that the stolen cert used in the HiKit attacks documented last year used someone else’s certs: According to Bit9, their stolen certificate was not set to expire until May 2013. (Update: The stolen cert referenced by Symantec appears to have been taken from a Japanese game maker YNK Japan Inc.).
The disclosure comes amid heightened public and U.S. government anxiety over targeted espionage attacks aimed at siphoning intellectual property from American corporations, government contractors and the military. Much of this conversation has centered around repeated allegations of state-sponsored hackers in China, from which a huge amount of these sophisticated, pinprick attacks are thought to emanate.
The Chinese government has vehemently and consistently denied any sponsorship or encouragement of such attacks. Responding to a story about Chinese hackers suspected of breaking into networks of The Washington Post (another story first featured on KrebsOnSecurity), the Chinese Defense Ministry was quoted as saying, “It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.”
Apparently taking that as a personal challenge, Mandiant on Tuesday released a 73-page report detailing the activities of Chinese hacking collective known as the “Comment Crew” (a.k.a. “Comment Group”). In that analysis, Mandiant presents evidence purporting to show that more than 140 targeted cyber intrusions attributed to The Comment Crew since 2006 trace back to a single building in a run-down neighborhood on the outskirts of Shanghai that serves as the headquarters of the People’s Liberation Army Unit 61389.
The Mandiant report is chock full of fascinating details and is a good read. It’s worth mentioning that one of the two public cyberattacks that Mandiant and others have attributed to the Comment Crew was the breach last year at Telvent, a company that designs software that gives oil and gas firms and power grid operators remote control over their systems (the Telvent story also first broke on KrebsOnSecurity.com).
It remains unclear whether Chinese hacking groups were involved in the attack on Bit9, but initial analysis of the malware left behind in the breach points back to East Asia, if not China. The malicious media.exe file was compiled using Simplified Chinese characters. Also, when installed on a test machine, it beacons home to an Internet address in Singapore (22.214.171.124).
Asked what his company might have done differently or might do differently going forward, Bit9’s Sverdlove emphasized greater vigilance and more closely following one’s own security procedures. He also expressed hope that a broader and more open information sharing about these targeted attacks and threats may make things harder on attackers and help unite defenders.
“On one level, this is just more evidence that we are dealing with motivated, well organized attackers and long-term campaigns that are being waged in terms of cyber espionage,” Sverdlove said. “On another, it’s a reminder that all of us — even security companies –need to remain diligent and deploy a layered defense-in-depth. It’s a bitter pill, and it doesn’t feel good, that is the truth. But we’re strong believers in threat intelligence sharing, and I think as a security community we need to share intelligence and come together on this, because we’re facing enemies that are definitely doing that.”