Security firm links malware to previous Anthem & OPM attacks

Oct 20, 2016 14:45 GMT

Investigators have traced a series of malware infections on the systems of two European companies back to a Chinese threat actor, with clues linking the attacks to the same group that was behind the Anthem and OPM hacks.

The targets of these two attacks are the US subsidiary of a French company that provides energy management services and a European-based drone maker.

The French company is of importance because it builds critical infrastructure for the US Department of Defense (DoD), says ThreatConnect, the cyber-security firm that uncovered the malware infections.

Targets infected with HttpBrowser malware

According to the security firm, the infection goes back to June 2016, when its experts discovered "HttpBrowser" on the networks of the two aforementioned companies.

HttpBrowser is a malware family previously associated with Chinese cyber-espionage groups that can log keystrokes and open connections to infected computers, allowing an attacker to send new commands, download other malware, or steal sensitive data.

In past years, HttpBrowser was also found in the arsenal of two other Chinese cyber-espionage groups: EMISSARY PANDA (aka APT27 and TG-3390) and DYNAMITE PANDA (aka APT18, Wekby, and TG-0416). HttpBrowser is also sometimes referred to as Token Control or the GTalk trojan.

Connection to Anthem and OPM incidents

ThreatConnect researchers say the HttpBrowser samples they discovered contain a series of hard-coded domain names to which the trojan sent the data it stole.

Researchers say these domains were registered with the same email address ([email protected]) as domain names used to exfiltrate data during the Anthem and OPM (United States Office of Personnel Management) data breaches.
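The pivot the researchers describe, linking new infrastructure to old incidents through a shared WHOIS registrant address, is a routine defensive triage step. The following is an added example (not ThreatConnect's tooling and not the article's indicators): it clusters constructed WHOIS-style records by registrant e-mail, flags which domains from a new sample's configuration share a registrant with already-known-bad domains, and skips oversized clusters, since an address that registers many unrelated domains is usually a privacy proxy or reseller and tells you nothing about a shared operator. All domains and e-mail addresses below are placeholders.

```python
from collections import defaultdict

# Constructed sample WHOIS-style records. Every domain and e-mail address here
# is a placeholder invented for this example, not an indicator from the article.
WHOIS_RECORDS = [
    {"domain": "mail-sync.example",   "registrant_email": "actor-reg@placeholder.invalid"},
    {"domain": "cdn-update.example",  "registrant_email": "actor-reg@placeholder.invalid"},
    {"domain": "news-feed.example",   "registrant_email": "Actor-Reg@placeholder.invalid"},
    {"domain": "shop-portal.example", "registrant_email": "privacy@proxy-registrar.invalid"},
    {"domain": "blog-host.example",   "registrant_email": "privacy@proxy-registrar.invalid"},
    {"domain": "img-store.example",   "registrant_email": "privacy@proxy-registrar.invalid"},
    {"domain": "api-gateway.example", "registrant_email": "privacy@proxy-registrar.invalid"},
    {"domain": "dev-box.example",     "registrant_email": "unrelated@placeholder.invalid"},
]

# Domains already tied to earlier incidents (constructed placeholders).
KNOWN_BAD = {"mail-sync.example", "shop-portal.example"}

# Domains extracted from the hard-coded configuration of a newly found sample.
OBSERVED = {"cdn-update.example", "news-feed.example", "blog-host.example", "dev-box.example"}


def cluster_by_registrant(records):
    """Group domains by registrant e-mail, normalised to lower case."""
    clusters = defaultdict(set)
    for rec in records:
        email = rec["registrant_email"].strip().lower()
        clusters[email].add(rec["domain"].strip().lower())
    return dict(clusters)


def pivot_on_registrant(records, known_bad, observed, max_cluster_size=3):
    """Return {observed_domain: set of known-bad domains sharing its registrant}.

    Clusters larger than max_cluster_size are skipped: a registrant address
    behind many domains is most likely a privacy proxy or a reseller, so a
    match there is not evidence of a common operator.
    """
    bad = {d.lower() for d in known_bad}
    seen = {d.lower() for d in observed}
    hits = {}
    for email, domains in cluster_by_registrant(records).items():
        if len(domains) > max_cluster_size:
            continue  # too many domains on one address: weak signal, ignore
        bad_here = domains & bad
        if not bad_here:
            continue  # registrant has no link to prior incidents
        for dom in domains & seen:
            hits[dom] = bad_here
    return hits


if __name__ == "__main__":
    for dom, linked in sorted(pivot_on_registrant(WHOIS_RECORDS, KNOWN_BAD, OBSERVED).items()):
        print(f"{dom}: shares registrant with known-bad {sorted(linked)}")
```

Run as-is, it reports the two new domains registered with the same address as a known-bad one and stays silent about the privacy-proxy cluster; raising `max_cluster_size` lets that noisy cluster through, which is the kind of false link a registrant pivot produces if the proxy check is missing. In practice the threshold is tuned against the registrar data in use, and a registrant match is treated as one corroborating clue alongside others (timing, hosting, tooling), not as attribution by itself.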

The only thing that didn't add up was that the OPM hack had been attributed to a threat group known as DEEP PANDA. Nevertheless, Chinese cyber-espionage is widely believed to be state-controlled, so a tool passing from one group to another is not surprising.

China still hacking, despite US anti-hacking pact

Researchers believe that China is trying to find ways around the anti-cyber-espionage pact signed with the US, which prohibits the two countries from spying on each other for economic gain.

A ThreatConnect spokesperson said the company believes that Chinese hackers are targeting the French company for military espionage, but that the attacks on the drone vendor are purely for economic gain.

China's DaJiang Innovation Technology (DJI) currently controls over 70 percent of the entire commercial drone market. In the past, hacks of US and European companies have been followed by Chinese companies releasing similar products, which helped propel several Chinese industry sectors into leading positions, such as the steel manufacturing sector.

In this case, the good news is that, according to ThreatConnect, despite the malware's presence on the two companies' networks, there is no evidence that the Chinese hackers managed to steal any data.