Axiom APT group serves China's strategic interests

Oct 28, 2014 14:26 GMT  ·  By

A coalition of prominent private security companies delved into the activity of a large cyber espionage group from China and discovered operations dating back to 2008, aimed at stealing technology information that would accelerate the country's development.

Coordinated by Novetta, a company providing advanced analytics technology solutions, the task force pooled threat intelligence from their systems and managed to connect the dots between different cyber espionage endeavors occurring over the years and targeting a wide set of entities across a diverse range of sectors.

Chinese APT group acts according to a long-term plan

Dubbed Operation SMN, the action included data from Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect, ThreatTrack Security, Volexity, Novetta, and Symantec.

What started as a partnership between Novetta and Microsoft for creating signatures for the Hikit malware family turned into a larger operation that revealed an arsenal of malicious tools, all linked to a single actor, now referred to as Axiom Group.

The group’s sophistication level is believed to exceed that of Unit 61398 of the People’s Liberation Army (PLA), which had five of its members indicted in the US this year.

According to the final report from Novetta released on Thursday, Axiom targeted players in industries fitting “particularly well with China’s strategic interests and with their most recent Five Year Plans accepted in 2006 and 2011.”

Moreover, the document says that the actions of the group align with China’s goal of minimizing dependence on foreign technology, especially that coming from the US.

Group infiltrated both international and domestic targets

As far as targets are concerned, telemetry data from the coalition shows a wide geographical area, most of the victims being in the US, Europe, South Korea, Taiwan and Japan.

The group focused on government agencies in the sectors of communications, law enforcement, environmental policy, personnel management, space and aerospace exploration and research as well as government auditing and internal affairs.

However, the list of entities of interest expands to private areas, such as manufacturers of electronics and integrated circuits, of networking equipment, Internet-based services, software vendors, journalism and media organizations, law firms, telecommunication companies, organizations in the energy sector or pharmaceutical companies. Attacks on highly regarded US academic institutions were also on the list.

It appears that the group does not aim only at entities outside China, but also at domestic elements viewed as a potential threat to internal stability over a range of issues, from wage disparity and unemployment to environmental problems and territorial disputes.

According to Operation SMN findings, Hikit malicious software used by Axiom has been detected on machines in China and Hong Kong, indicating that the group set its sights on Chinese citizens, universities and research institutions, too.

The report admits that there is a possibility that multiple Chinese threat groups could be connected to Axiom, and part of a larger organization. Symantec, which tracks Axiom under its own name, Hidden Lynx, says that the group has between 50 and 100 hackers.