China’s BlackFly Targets Materials Sector in ‘Relentless’ Quest for IP
China’s Blackfly advanced persistent threat (APT) group hit two subsidiaries of an Asian conglomerate in the materials and composites sector with cyberattacks recently. Researchers say it’s part of a broader, “relentless” assault of various sectors in the region aimed at stealing intellectual property (IP).
According to a blog post published today by researchers at Symantec (which is owned by Broadcom Software), the latest activity from Blackfly (aka APT41, Winnti Group, or Bronze Atlas) occurred late last year and early this year, and it shows the group relying more on open source tools than its usual trove of custom malware. This trend is reflected by other threat groups targeting the region, which has been a hotbed of activity. Last week, for instance, researchers at Symantec revealed a new threat group dubbed Hydrochasma targeting Asia-based organizations associated with COVID-19 treatments and vaccines in an intelligence-gathering operation — solely using open source and commodity malware and tools.
Dick O’Brien, principal intelligence analyst at Symantec Threat Hunter, tells Dark Reading that this puts Blackfly’s incursions in context. “This investigation is a small piece of the jigsaw,” he says. “The bigger picture is that there seems to be a fairly relentless intelligence operation underway on multiple fronts.”
Relying on open source tools helps attackers avoid detection and attribution, which in the case of Blackfly — members of whom already have been indicted by the US government — would be an attractive proposition, O’Brien says.
“This shift toward open source tools is something we’ve seen a lot of attackers doing,” he tells Dark Reading. “It makes attacks more difficult to attribute.”
Not One, but Two Threat Groups
Blackfly is one of the longest known threat groups operating out of China. The group originally earned notoriety by attacking the gaming industry, but has evolved to target a diverse range of organizations and sectors, including industrial control systems, semiconductor, telecommunications, pharmaceutical, media and advertising, hospitality, and more, the researchers said.
Different research groups track the APT using different monikers. In fact, some use the umbrella label APT41 to denote not just Blackfly, but also another China-backed APT known as Grayfly because the two groups are so closely associated. In 2020, the US government indicted seven men on charges relating to hundreds of cyberattacks carried out by both groups, which highlighted the link between them by identifying two Chinese nationals alleged to have worked with both, the researchers said.
As security experts have already predicted, the public attention from that indictment on APT41 has apparently done nothing to deter the group, which continues its onslaught in an attempt to steal IP from multiple business sectors, O’Brien says.
“Blackfly and a number of its peers have been highly active over the past 12 months,” he says.
A Move to Open Source Cyberattack Tools
While the latest attacks continue the patterns of activity that researchers have seen from Blackfly in recent years, as mentioned, one new aspect is the use of open source tools that haven’t been a hallmark of previous activity, O’Brien says.
Early Blackfly attacks were distinguished by the use of the PlugX/Fast/Korplug, Winnti/Pasteboy, and ShadowPad malware families. The Winnti backdoor and other custom tools were still used in the recent spate of attacks (for taking screenshots, dumping credentials, querying SQL databases, and configuring proxies), but Blackfly also used, for the first time, an open source proof-of-concept (PoC) tool called ForkPlayground to create a memory dump of an arbitrary process, as well as the publicly available credential-dumping tool Mimikatz.
“While the group’s technical sophistication has remained consistent, there’s been a regular refreshing of its toolset, no doubt in a bid to stay ahead of detection,” O’Brien notes.
Protecting the Enterprise From Chinese APTs
Symantec advises using an overall in-depth defense strategy and the adoption of multifactor authentication (MFA) across the enterprise network to help avoid compromise by Blackfly and other APTs aimed at stealing IP. This entails “using multiple detection, protection, and hardening technologies to mitigate risk at each point of the potential attack chain,” O’Brien says.
Organizations should also monitor the use of dual-use tools inside the enterprise network, ensure that the latest version of PowerShell is deployed with logging enabled, and allow remote desktop protocol (RDP) connections only from specific known IP addresses, he adds.
Proper audit and control of administrative account usage can also help organizations avoid attacks, as well as introducing a policy for one-time credentials for administrative work on the network “to help prevent theft and misuse of admin credentials,” O’Brien says.
“We’d also suggest creating profiles of usage for admin tools,” he adds. “Many of these tools are used by attackers to move laterally undetected through a network.”
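One way to put the last two recommendations into practice (monitoring dual-use tools and profiling who normally runs admin tools) is an added example below; it is not code from Symantec or from this article. It learns a baseline of which (host, user) pairs run each dual-use tool from constructed process-creation records (the shape Sysmon Event ID 1 or Windows 4688 would give you after parsing) and flags later executions that fall outside that profile; the log lines, hostnames and account names are all made up.

```python
import re
from collections import defaultdict

# Constructed baseline of process-creation records (host, user, image).
# These are invented sample lines, not real telemetry.
BASELINE_LOG = """\
host=FILESRV01 user=CORP\\svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
host=ADMINWS02 user=CORP\\jdoe_adm image=C:\\Tools\\PsExec.exe
host=ADMINWS02 user=CORP\\jdoe_adm image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""

# Constructed records from a later period; the HR laptop lines are the
# kind of deviation (new host/user, credential dumper from Temp) worth triage.
NEW_LOG = """\
host=ADMINWS02 user=CORP\\jdoe_adm image=C:\\Tools\\PsExec.exe
host=HR-LAPTOP17 user=CORP\\asmith image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
host=HR-LAPTOP17 user=CORP\\asmith image=C:\\Users\\asmith\\AppData\\Local\\Temp\\mimikatz.exe
host=FILESRV01 user=CORP\\svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""

# Dual-use / admin tools to profile (assumed list; extend to fit your estate).
DUAL_USE = {"powershell.exe", "psexec.exe", "procdump.exe", "mimikatz.exe", "wmic.exe"}
LINE_RE = re.compile(r"host=(\S+) user=(\S+) image=(\S+)")


def parse(log):
    """Yield (host, user, exe) for every record whose image is a dual-use tool."""
    for m in LINE_RE.finditer(log):
        host, user, image = m.groups()
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in DUAL_USE:
            yield host, user, exe


def build_profile(log):
    """Map each tool to the set of (host, user) pairs that ran it during the baseline."""
    profile = defaultdict(set)
    for host, user, exe in parse(log):
        profile[exe].add((host, user))
    return profile


def find_deviations(profile, log):
    """Return dual-use executions whose (host, user) pair was never seen for that tool."""
    return [(host, user, exe) for host, user, exe in parse(log)
            if (host, user) not in profile.get(exe, set())]


if __name__ == "__main__":
    for hit in find_deviations(build_profile(BASELINE_LOG), NEW_LOG):
        print("outside profile:", hit)
```

In practice the baseline would be built from a few weeks of logs and refreshed as admin tooling changes; the value is that a legitimate admin workstation running PsExec stays quiet while the same tool on an unexpected host and account does not.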