A new report says that Chinese intelligence officers are responsible for a decade’s worth of hacks aimed at software and gaming companies around the world.
According to Ars Technica, the most recent attack was in March, when hackers used phishing emails to try to access sensitive corporate Office 365 and Gmail accounts.
But they also made operational security errors that allowed researchers to gain key information about targets, as well as possible locations.
It had been assumed that the hackers — who have been given names such as LEAD, BARIUM, Wicked Panda, GREF, PassCV, Axiom, and Winnti — were distinct and unaffiliated.
But a 49-page report, published by 401TRG, the threat research and analysis team at security company ProtectWise, states that all of the attacks are the work of the Chinese government’s intelligence apparatus, which the researchers have dubbed the Winnti Umbrella.
“The Winnti umbrella and linked groups’ initial targets are gaming studios and high tech businesses,” the authors wrote. “They primarily seek code signing certificates and software manipulation, with potential financially motivated secondary objectives. These targets have been identified in the United States, Japan, South Korea, and China.”
The researchers also revealed that the attacks associated with the Winnti Umbrella have been active since at least 2009 and possibly date back to 2007.
“One of the most common tactics used by the Winnti umbrella and related entities is phishing users whose credentials may provide elevated access to a target network,” the researchers explained. “We have observed spear-phishing campaigns that target human resources and hiring managers, IT staff, and internal information security staff, which are generally very effective.”
Last year, according to 401TRG, the Winnti umbrella focused most of its efforts on technical job applicant email submissions to software engineering, IT, and recruiting staff. An email was sent applying for a position; the target was then lured into clicking a malicious link, which sent the victim to a fake resume. Once opened, the fake document performed various actions in an effort to download malware onto the victim host.
“The attackers grow and learn to evade detection when possible, but lack operational security when it comes to the reuse of some tooling,” the report concluded. “Living off the land and adaptability to individual target networks allow them to operate with high rates of success. Though they have at times been sloppy, the Winnti umbrella and its associated entities remain an advanced and potent threat.”