Chinese Hacking Group Targets Airlines, Semiconductor Firms
'Chimera' Exfiltrates Intellectual Property, Personal Data
A hacking group with apparent ties to China is targeting airlines and semiconductor firms to steal intellectual property and personal data in repeated exfiltration efforts, according to NCC Group and its Fox-IT subsidiary.
The threat group, previously dubbed "Chimera," appears to have been most active between October 2019 and April 2020 but is likely still waging campaigns, NCC Group says. And the attackers might still be lurking within compromised networks "looking for the most recent crown jewels," it adds.
A 2020 report published by CyCraft noted that Chimera likely has ties to China.
The NCC Group report notes: "Our threat intelligence analysts noticed clear overlap between the various cases in infrastructure and capabilities, and as a result, we assess with moderate confidence that one group was carrying out the intrusions across multiple victims operating in Chinese interests."
The hacking operations "cut across geographical locations," NCC Group adds.
Using Stolen Credentials
The Chimera threat group typically obtains the usernames and passwords of their intended victims from previous breaches and uses them as part of a credential stuffing attack to gain initial access into a targeted network.
The hacking group then attempts to access the targeted victim's VPN or other remote services.
"As soon as they have a foothold on a system, they check the permissions of the account on that system and attempt to obtain a list of accounts with administrator privileges," the NCC Group report notes.
The threat group uses this list of administrator accounts to perform another password spraying attack until specific admin accounts are compromised. The report notes the hackers will then use a Cobalt Strike beacon - a legitimate penetration testing tool - to gain further persistence and move laterally through the network.
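The initial-access pattern described above (a single source failing against many accounts, then succeeding on one of them) is visible in VPN or remote-service authentication logs. The following is an added detection example, not code from NCC Group or the report; the log format, field order and thresholds are assumptions, and the log lines are constructed.

```python
# Added example: flag the credential-stuffing / password-spraying pattern in
# remote-service authentication logs. Not from the NCC Group / Fox-IT report.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# <ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2020-03-01T08:00:01 203.0.113.7 alice FAIL
2020-03-01T08:00:03 203.0.113.7 bob FAIL
2020-03-01T08:00:05 203.0.113.7 carol FAIL
2020-03-01T08:00:07 203.0.113.7 dave FAIL
2020-03-01T08:00:09 203.0.113.7 erin FAIL
2020-03-01T08:00:11 203.0.113.7 frank SUCCESS
2020-03-01T08:05:00 198.51.100.4 alice FAIL
2020-03-01T08:05:10 198.51.100.4 alice FAIL
2020-03-01T08:05:20 198.51.100.4 alice SUCCESS
"""


def parse_line(line):
    """Parse one assumed-format log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_spraying(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: info} for every source that failed against at least
    `min_accounts` distinct usernames within any `window`-sized period.
    `info` also lists accounts that later authenticated successfully from the
    same source, i.e. the 'until specific accounts are compromised' step."""
    events = sorted((parse_line(l) for l in log_text.strip().splitlines()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        # Sliding window anchored on each failed attempt: count distinct
        # usernames tried from this source within `window` of that attempt.
        for i, first in enumerate(fails):
            users = {e[2] for e in fails[i:] if e[0] - first[0] <= window}
            if len(users) >= min_accounts:
                later_success = [e[2] for e in evs
                                 if e[3] == "SUCCESS" and e[0] >= first[0]]
                alerts[ip] = {"distinct_accounts": len(users),
                              "followed_by_success": later_success}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spraying(SAMPLE_LOG).items():
        print(ip, info)
```

With the constructed log, 203.0.113.7 is flagged (five distinct accounts failed inside ten minutes, then `frank` succeeded), while 198.51.100.4, which repeatedly tried one account, is not: that is a per-account lockout or brute-force rule, not a spraying rule, and a real deployment would run both. The rule is deliberately keyed on the source rather than the account, because spraying keeps each account below lockout thresholds.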
"From here on, the threat group stops using the victim's remote service to access the victim's network and starts using the Cobalt Strike beacon for remote access and command-and-control and for increased persistent access into the victim's network," the report notes.
At this point in the attack, the hackers continue to run scans and queries to map various proxy settings, domain controllers, remote desktop services, Citrix services and network shares, according to the report.
The hackers also begin collecting data from the network, including personally identifiable information, configuration files, manuals, email stores and intellectual property. The threat actors exfiltrate the files, if they're small enough, through the command-and-control channels created with the Cobalt Strike beacon, NCC Group says.
For larger files, the data is uploaded to legitimate cloud services such as Google and Microsoft, which helps hide the exfiltration because traffic to these services is typically trusted by the network and by security tools, the report notes.
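Because uploads to trusted cloud services blend in by destination, one practical way to surface the large-file exfiltration step is to look at volume and direction rather than reputation: a workstation that sends far more bytes to a cloud storage domain than it receives from it. The following is an added defender-side example, not code from the report; the proxy log format, the watchlist of domains and the thresholds are assumptions, and the log lines are constructed.

```python
# Added example: flag hosts with large, upload-heavy transfers to cloud storage
# domains in web proxy logs. Not from the NCC Group / Fox-IT report.
from collections import defaultdict
from datetime import datetime

# Illustrative watchlist (assumption: adjust to the services your environment allows).
CLOUD_STORAGE_DOMAINS = {
    "drive.google.com",
    "storage.googleapis.com",
    "onedrive.live.com",
    "graph.microsoft.com",
}

# Constructed sample proxy log lines (not real data). Assumed format:
# <ISO timestamp> <source_host> <destination_domain> <bytes_sent> <bytes_received>
SAMPLE_PROXY_LOG = """\
2020-03-02T22:10:00 WKS-017 drive.google.com 734003200 120000
2020-03-02T22:12:00 WKS-017 drive.google.com 524288000 80000
2020-03-02T09:00:00 WKS-021 drive.google.com 2048 1048576
2020-03-02T10:00:00 WKS-033 www.example.com 4096 500000
"""


def parse_proxy_line(line):
    ts, host, domain, sent, received = line.split()
    return datetime.fromisoformat(ts), host, domain, int(sent), int(received)


def find_upload_heavy_transfers(log_text, min_bytes_sent=500 * 1024 * 1024,
                                min_ratio=10.0, business_hours=(7, 19)):
    """Aggregate bytes per (host, domain) and return a finding for each pair
    where the domain is on the cloud-storage watchlist, total bytes sent is at
    least `min_bytes_sent`, and sent/received exceeds `min_ratio`.
    Each finding notes whether any of the transfers fell outside business hours,
    which is an additional (not decisive) signal."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0, "off_hours": False})
    for line in log_text.strip().splitlines():
        ts, host, domain, sent, received = parse_proxy_line(line)
        if domain not in CLOUD_STORAGE_DOMAINS:
            continue
        entry = totals[(host, domain)]
        entry["sent"] += sent
        entry["received"] += received
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            entry["off_hours"] = True

    findings = []
    for (host, domain), t in totals.items():
        ratio = t["sent"] / max(t["received"], 1)
        if t["sent"] >= min_bytes_sent and ratio >= min_ratio:
            findings.append({"host": host, "domain": domain,
                             "bytes_sent": t["sent"], "ratio": round(ratio, 1),
                             "off_hours": t["off_hours"]})
    return findings


if __name__ == "__main__":
    for f in find_upload_heavy_transfers(SAMPLE_PROXY_LOG):
        print(f)
```

In the constructed data WKS-017 is reported (about 1.2 GB sent to drive.google.com against 200 KB received, at night), while WKS-021's ordinary download from the same domain is not. A ratio-based rule of this kind is only as good as its baseline: users who legitimately sync large files will need per-host or per-group thresholds, and the domain watchlist must match the services the organization actually sanctions.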
"After the adversary completes their initial exfiltration, they return every few weeks to check for new data of interest and user accounts," the researchers note. "At times, they have been observed attempting to perform a degree of anti-forensic activities, including clearing event logs, time stamping files, and removing scheduled tasks created for some objectives."
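Each of the three anti-forensic activities quoted above leaves its own trace, and a triage script can pull them together: clearing the Windows Security log writes event 1102 ("The audit log was cleared"), deleting a scheduled task writes event 4699 when task auditing is enabled, and tools that rewrite file timestamps commonly leave second-granular values with a zeroed sub-second part or a creation time later than the last-modified time. The following is an added example, not code from the report; the event records and file records are constructed, and the timestomping checks are heuristics, not proof.

```python
# Added example: triage constructed Windows event records and file timestamp
# records for the anti-forensic activity described above.
# Not from the NCC Group / Fox-IT report.
from datetime import datetime

# Real Windows event IDs; the records themselves are constructed.
LOG_CLEARED = {("Security", 1102)}          # Security audit log cleared
TASK_DELETED = {("Security", 4699)}         # Scheduled task deleted

EVENTS = [  # constructed sample records (assumed dict layout)
    {"time": "2020-04-10T03:12:00", "channel": "Security", "id": 1102,
     "user": "DOMAIN\\svc-backup"},
    {"time": "2020-04-10T03:12:05", "channel": "Security", "id": 4699,
     "user": "DOMAIN\\svc-backup", "task": "\\Microsoft\\Windows\\Upd\\Sync"},
    {"time": "2020-04-10T09:00:00", "channel": "Security", "id": 4624,
     "user": "DOMAIN\\alice"},
]

FILES = [  # constructed sample file timestamp records (assumed dict layout)
    {"path": "C:\\Windows\\Temp\\svc.dll",
     "created": "2012-07-26T03:12:00.000000",
     "modified": "2020-04-09T23:41:17.123456"},
    {"path": "C:\\Users\\alice\\report.docx",
     "created": "2020-04-01T10:00:00.231000",
     "modified": "2020-04-08T16:22:43.907000"},
]


def triage_events(events):
    """Return one finding per event that indicates log clearing or task removal."""
    findings = []
    for ev in events:
        key = (ev["channel"], ev["id"])
        if key in LOG_CLEARED:
            findings.append({"kind": "event_log_cleared", "time": ev["time"],
                             "user": ev["user"]})
        elif key in TASK_DELETED:
            findings.append({"kind": "scheduled_task_deleted", "time": ev["time"],
                             "user": ev["user"], "task": ev.get("task")})
    return findings


def suspect_timestomp(record):
    """Heuristic checks for a rewritten creation timestamp:
    - sub-second part of the creation time is exactly zero while the
      modification time carries one (many timestamp-setting tools only
      write whole seconds);
    - creation time is later than last-modified time, which normal file
      activity does not produce."""
    created = datetime.fromisoformat(record["created"])
    modified = datetime.fromisoformat(record["modified"])
    reasons = []
    if created.microsecond == 0 and modified.microsecond != 0:
        reasons.append("zero sub-second creation time")
    if created > modified:
        reasons.append("created after last modified")
    return reasons


def triage_files(records):
    """Return one finding per file record that trips a timestomping heuristic."""
    return [{"kind": "possible_timestomp", "path": r["path"], "reasons": why}
            for r in records if (why := suspect_timestomp(r))]


if __name__ == "__main__":
    for finding in triage_events(EVENTS) + triage_files(FILES):
        print(finding)
```

On the constructed data the script reports the 03:12 log clearing and task deletion by the same account and flags `svc.dll` for its zeroed sub-second creation time, while `report.docx` passes. The file heuristics are a starting point for an analyst, not a verdict: some copy and installer tools also write whole-second timestamps, so corroborate with other artifacts (for example, the NTFS `$FILE_NAME` attribute, which user-mode timestamp tools do not normally update) before treating a file as timestomped.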
Types of Data Targeted
When targeting semiconductor firms, the attackers typically attempt to exfiltrate intellectual property and other business-related documents, according to the report. For airlines, the hackers target passenger name records and other information that can be used to track individuals' movements.
"Both types of stolen data are very useful for nation-states," the researchers say.