Cyber-espionage group stole data from UK government contractor

The APT15 group stole UK government and military documents

Sensitive information relating to UK government departments and military technology is now in the hands of the cyber-espionage group known as APT15. Security researchers have described a sophisticated, long-running intrusion whose purpose was to steal exactly that kind of data. The group is believed to operate on behalf of the Chinese government.

This is not the first time APT15 has attacked governments in Europe. The group is also tracked under other names, including Ke3chang,[1] Mirage, Vixen Panda, GREF and Playful Dragon.[2] This time, however, the target was a global company that works with the UK government.

Security researchers from NCC Group report that the attack relied on sophisticated tooling and tradecraft. The attackers also made extensive use of legitimate programs already present on the compromised hosts, a living-off-the-land approach that helped them avoid detection.

The group deployed three backdoors to carry out tasks on the compromised systems, such as enumerating other hosts on the network and pulling data from Microsoft SharePoint servers.

Three backdoors were deployed to launch the attack

According to the research, the intrusion began in May 2016 and the attackers retained access until late 2017. Over that period more than 30 hosts were compromised and sensitive information was stolen. Three backdoors were used to carry out the attack:

  • BS2005
  • RoyalCLI
  • RoyalDNS

Unlike RoyalCLI and RoyalDNS, BS2005 had been seen before: APT15 used the same backdoor in its 2013 attacks on European ministries of foreign affairs and diplomats.[3] A year earlier, the same campaign had been linked to the London Olympics.[4]

RoyalCLI is closely related to BS2005. Both communicate with their command-and-control (C2) server through Internet Explorer's IWebBrowser2 COM interface, and both hand the majority of their commands to cmd.exe for execution.

That choice of C2 transport left a trace: requests issued through IWebBrowser2 are cached to disk by Internet Explorer, so the attackers' HTTP traffic was recoverable from the IE cache and allowed the researchers to reconstruct their activity.

RoyalDNS, by contrast, uses DNS as its command channel: the trojan receives commands, executes them and returns the output inside DNS traffic, whereas the two backdoors above talk to their C2 server over HTTP.

RoyalDNS was also the means by which the attackers regained access after the compromise had been detected and remediated; they came back in over the victim's VPN using a certificate stolen from one of the compromised hosts.
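To make the RoyalDNS point concrete, here is an added detection example (my own code, not NCC Group's and not anything recovered from the incident). It scores DNS query logs for the traits a command channel carried inside DNS tends to show at once: long, high-entropy, rarely repeated subdomains and a high share of TXT/NULL/CNAME lookups against a single domain. The log line format, the thresholds, the sample lines and the placeholder domain `c2-example.test` are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample query log (not real data from the incident).
# Assumed line format: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2017-10-02T09:14:01Z 10.20.1.15 A www.microsoft.com
2017-10-02T09:14:03Z 10.20.1.15 A update.microsoft.com
2017-10-02T09:14:05Z 10.20.1.15 TXT ahk4r9pq2vmzx7tlc3sdy8wnb6.c2-example.test
2017-10-02T09:14:06Z 10.20.1.15 TXT q8nzd3vtcr2mkl5yxw9pjh4bfa.c2-example.test
2017-10-02T09:14:07Z 10.20.1.15 TXT zm2kx9ct7pwr4hvdq3lsn8yb5j.c2-example.test
2017-10-02T09:14:08Z 10.20.1.15 TXT w7ybt3fhcz9sdp2mqn4xkv8rla.c2-example.test
2017-10-02T09:14:09Z 10.20.1.15 TXT d4pjq6xmhs2lbkz9wr7cvty3fn.c2-example.test
2017-10-02T09:14:11Z 10.20.1.22 A sharepoint.corp.example
2017-10-02T09:14:12Z 10.20.1.22 A mail.corp.example
2017-10-02T09:14:13Z 10.20.1.22 A dc01.corp.example
2017-10-02T09:14:14Z 10.20.1.22 A intranet.corp.example
2017-10-02T09:14:15Z 10.20.1.22 A wiki.corp.example
2017-10-02T09:14:16Z 10.20.1.22 A print.corp.example
"""

# Record types that can carry arbitrary data back to the client and are therefore
# the usual downstream channel for a DNS tunnel.
DATA_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s: str) -> float:
    """Bits per character: encoded chunks score high, dictionary hostnames score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Last two labels. Simplification: a real deployment would use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def analyse(log_text: str, min_queries: int = 4):
    """Aggregate per (client, base domain) and score each group on four tunnel traits."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "data": 0, "len": 0, "ent": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        qname = qname.rstrip(".").lower()
        labels = qname.split(".")
        sub = ".".join(labels[:-2])          # everything left of the base domain
        st = stats[(client, base_domain(qname))]
        st["n"] += 1
        st["subs"].add(sub)
        st["data"] += qtype.upper() in DATA_QTYPES
        st["len"] += len(sub)
        st["ent"] += shannon_entropy(sub.replace(".", ""))

    findings = []
    for (client, domain), st in stats.items():
        if st["n"] < min_queries:             # too little traffic to judge
            continue
        mean_len = st["len"] / st["n"]
        mean_ent = st["ent"] / st["n"]
        unique_ratio = len(st["subs"]) / st["n"]
        data_ratio = st["data"] / st["n"]
        # Any single trait is benign on its own (CDNs have many unique hosts, mail
        # checks use TXT); a tunnel tends to exhibit most of them together.
        score = (mean_len >= 20) + (mean_ent >= 3.5) + (unique_ratio >= 0.8) + (data_ratio >= 0.5)
        if score >= 3:
            findings.append({"client": client, "domain": domain, "score": int(score),
                             "queries": st["n"], "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the constructed log only the `10.20.1.15` to `c2-example.test` group is reported; the internal host that resolves six different names under `corp.example` scores on uniqueness alone and stays below the threshold. In production the thresholds need tuning against your own baseline, and the grouping should use a public suffix list rather than the last two labels.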

Hackers used WinRAR and Spwebmember for the attack too

Apart from the backdoors, APT15 brought a number of other tools to the intrusion to support the attack and the theft of data:

Additional tools were recovered during the incident, including a network scanning/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as ‘spwebmember.’ [Source: NCC Group][5]

spwebmember let the attackers enumerate SharePoint sites and dump their contents. They also deployed keyloggers and custom tools for pulling data out of Microsoft Exchange mailboxes, and even that was not the end of it:

APT15 was also observed using Mimikatz to dump credentials and generate Kerberos golden tickets. This allowed the group to persist in the victim's network in the event of remediation actions being undertaken, such as a password reset. [Source: NCC Group.]
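A golden ticket is a forged TGT signed with the krbtgt account's hash, so the domain controller never logs a TGT request (event 4768) for it; it only sees the service-ticket requests (event 4769) that follow. The added example below (my own code, not NCC Group's) applies that heuristic, together with a second reported artefact of default mimikatz-generated tickets, an account-domain field that does not match the domain's short name, to a constructed list of Security-log events. The event records, the `CORP` / `corp.example` names and the 10-hour window (the default maximum TGT lifetime) are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log fields (not real logs
# from the incident). 4768 = TGT requested, 4769 = service ticket requested.
SAMPLE_EVENTS = [
    {"time": "2017-09-12T08:01:10", "event_id": 4768, "account": "jdoe",
     "account_domain": "CORP", "client_ip": "10.20.1.15", "service": "krbtgt"},
    {"time": "2017-09-12T08:01:12", "event_id": 4769, "account": "jdoe",
     "account_domain": "CORP", "client_ip": "10.20.1.15", "service": "cifs/fs01.corp.example"},
    {"time": "2017-09-12T08:03:40", "event_id": 4769, "account": "jdoe",
     "account_domain": "CORP", "client_ip": "10.20.1.15", "service": "http/sharepoint.corp.example"},
    # Service tickets for an account whose TGT request this DC never saw, and whose
    # account-domain field is the FQDN rather than the short domain name.
    {"time": "2017-09-12T23:15:02", "event_id": 4769, "account": "svc_backup",
     "account_domain": "corp.example", "client_ip": "10.20.1.99", "service": "cifs/dc01.corp.example"},
    {"time": "2017-09-12T23:15:09", "event_id": 4769, "account": "svc_backup",
     "account_domain": "corp.example", "client_ip": "10.20.1.99", "service": "ldap/dc01.corp.example"},
]


def find_suspicious_tgs(events, expected_domain="CORP", window=timedelta(hours=10)):
    """Flag 4769 events with no preceding 4768 for the same account and client within
    the TGT lifetime window, or with an unexpected account-domain field.
    Returns one aggregated finding per (account, client_ip)."""
    ordered = sorted(events, key=lambda e: e["time"])
    last_tgt = {}                              # (account, client_ip) -> time of last 4768
    hits = defaultdict(lambda: {"tgs_count": 0, "reasons": set(), "services": []})
    for e in ordered:
        t = datetime.fromisoformat(e["time"])
        key = (e["account"].lower(), e["client_ip"])
        if e["event_id"] == 4768:
            last_tgt[key] = t
            continue
        if e["event_id"] != 4769:
            continue
        reasons = set()
        tgt_time = last_tgt.get(key)
        if tgt_time is None or t - tgt_time > window:
            reasons.add("no_tgt")              # forged TGT never requested from this DC
        if e["account_domain"] != expected_domain:
            reasons.add("domain_mismatch")     # artefact of default mimikatz tickets
        if reasons:
            h = hits[key]
            h["tgs_count"] += 1
            h["reasons"] |= reasons
            h["services"].append(e["service"])
    return [{"account": acct, "client_ip": ip, **h} for (acct, ip), h in hits.items()]


if __name__ == "__main__":
    for finding in find_suspicious_tgs(SAMPLE_EVENTS):
        print(finding)
```

The heuristic is noisy on its own: TGT renewals and clients that obtained their TGT from a different domain controller both produce 4769s with no local 4768, so run it over the collected events of every DC and tune the window to your domain's ticket policy. Because the forged ticket is signed with the krbtgt hash, resetting ordinary user passwords does nothing to it; the only way to invalidate existing golden tickets is to reset the krbtgt password twice, allowing replication between the two resets.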

It is not yet known whether this UK government contractor was APT15's only target. Given the group's record of attacking ministries, further victims are likely to come to light.

About the author

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
