Coalition of vendors unmasks cyber espionage group

More than one IT security expert has said enterprises and vendors need to work more closely to fight the rising amount of cyber crime. Last week some of the biggest names in IT security announced they have joined together to fight advanced malware.

The group, called the Cyber Security Coalition, includes Cisco Systems Inc., FireEye, F-Secure, iSIGHT Partners, Microsoft, Symantec, Tenable, ThreatConnect, ThreatTrack Security, Volexity, and a number of other threat researchers who want to be anonymous.

The coalition also issued the first fruits of their efforts under a project they called Operation SMN, which has identified what they believe is a “sophisticated cyber espionage group” based in China dubbed Axiom. It has been operating for at least four years, the coalition said, “in support of China’s strategic national interests.”

The coalition hopes the lessons learned from working together under Operation SMN will help members refine industry-wide collaboration and mitigation efforts. Individual vendors in the coalition will release signatures and remediations for the threats.

They also issued three reports identifying separate malware families and how they can be detected.

The announcement was made by Novetta Solutions, a Virginia software company that sells cyber analytics solutions to enterprises and governments and which says it has been leading the group. The initiative also falls under Microsoft’s Coordinated Malware Eradication program, which brings vendors together to fight malware.

There are other IT security partnerships. For example, we reported in May that security gateway maker Fortinet and next-generation firewall manufacturer Palo Alto Networks invited others to join their Cyber Threat Alliance to share threat intelligence. In September Symantec and Intel’s McAfee division joined that group.

Many security companies regularly issue reports on newly-discovered threats, the fledgling Cyber Security Coalition said in a news release. “Instead, we’re turning knowledge into action. The coalition members have synthesized and operationalized shared knowledge of a common threat with the primary objective of disrupting, degrading and globally remediating the effects of a sophisticated, well resourced, cyber espionage group (Axiom).”

That group has leveraged “an array of mid-point proxy infrastructure within Korea, Taiwan, Japan, Hong Kong and the United States,” the report said, “as well as maintaining supporting infrastructure accounts, such as dynamic DNS services, from U.S. and Chinese providers.” It has targeted Fortune 500 companies, reporters, environmental groups and public sector organizations, usually with spear phishing and strategic Web site compromises to deliver “widely available first stage implants.”

“Once inside an enterprise, Axiom will leverage hacking utilities for privilege escalation and lateral movement, embedding themselves deeply with complex and customized backdoors and rootkits that are unique to them,” the report says.

In particular, the report said, Axiom has exploited U.S. and Japanese government departments “responsible for human resource management,” individuals in south-east Asian law enforcement, and unnamed international law firms.

Axiom uses known backdoor tools such as Poison Ivy, Gh0st RAT, PlugX, ZXShell, Hikit and the Zox family.
