Tracking one of China's hidden hacking groups.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:25] And now a word from our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Come see Juniper at RSA 2020 in booth 6161 to see why NSS Labs says Juniper is back in security. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: [00:01:19] Thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Maarten van Dantzig: [00:01:59] So, we did an incident response case at one of our clients in Europe about one-and-a-half years ago.
Dave Bittner: [00:02:05] That's Maarten van Dantzig. He's Lead Intelligence Analyst at Fox-IT. The research we're discussing today is titled, "Operation Wocao: Shining a light on one of China's hidden hacking groups."
Maarten van Dantzig: [00:02:17] So, they were alerted to a breach by one of the honeypots that they had placed inside their internal network – so it was only reachable from the internal network – which was scanned by a pretty important host inside their network, one of their domain controllers. So they called us, said, well, we have a honeypot here internally – it was scanned by one of our domain controllers. Can you please come on site and tell us what's going on? And that's what all started this.
Dave Bittner: [00:02:44] Well, let's walk through it together. I mean, there's a lot in the research here. Let's start off – who are these people and what does it seem like they're after?
Maarten van Dantzig: [00:02:54] Right, so it's always very difficult to say what it is exactly that they're after. We have at least two cases where we saw the actor live inside the network of one of our clients. But for some of the other victims that we have named, we only know from our external scanning of the Internet that these attackers were active there. So, we're not entirely sure what it is that they were after. However, if you look at the countries where this group is active – so, where the companies or the victims are targeted by this group – when you look at the sectors and industries in which those victims are active, they very closely resemble the industries that are typically targeted by Chinese threat actors, right? Which are in line also with China's "Made in 2025" plan, where their goal is to become less dependent on the West or other countries for that matter. So you see that a lot of the victims that are targeted by this specific group, you can find those back in the industries where China wants to grow its own production.
Dave Bittner: [00:03:50] Well, one of the segments of your research here, you go through their modus operandi. Can you walk us through – what are some of the things you found here?
Maarten van Dantzig: [00:03:58] Right. So, in the report, we detailed it from initial access all the way to the last step of the MITRE ATT&CK framework. So, we mapped everything to MITRE's ATT&CK framework just so everyone could follow along from start to end. So, the initial action was actually quite interesting. So, the way they do it, in itself, is not very new or novel – so, they target vulnerable JBoss servers. But what was very interesting is that most of the cases that we've seen is that they would actually use web shells – so, backdoors placed there already by other threat actors – for initial reconnaissance. So of course, the vulnerable JBoss servers that I'm discussing were already compromised by other threat actors, you know, most of them opportunistic, running cryptominers and things like that. So they would use those initial backdoors just to see, you know, is this server in fact interesting for our operation? And if it was, they would exploit the server themselves to upload their own backdoor.
Dave Bittner: [00:04:54] And then they're moving laterally throughout the networks?
Maarten van Dantzig: [00:04:59] Right, yeah. So, the lateral movement is typical for what you would expect for, you know, any type of actor that wants to move from machine A to B within a Windows environment. So, usually your typical misconfigured Active Directory settings. So, they would use the average tools that you would expect, such as Mimikatz, to dump credentials from domain admins or local administrators and gain privileges in that way.
Maarten van Dantzig: [00:05:21] So, once the attackers have access to the domain admin accounts of one domain or multiple domains, they would then also target the system administrators inside the domain. So of course, they have access to a lot of servers and several credentials, but they're all part of the Windows domain. So, if they want to target servers that are separate from the Windows domain, such as the Linux environments or sometimes backup servers, they would target the sysadmins, or enterprise admins, and then specifically go after their password managers. So, in some of the cases that we've done, the admins would use KeePass, so the attackers would exfiltrate the KeePass database, and then the passwords once the enterprise administrator would type that into the password manager. So then they have access to all the credentials inside that KeePass database file.
Dave Bittner: [00:06:08] One of the things I enjoy about your research here is that you go through what these threat actors' activity might be on an average working day. It's an interesting insight.
Maarten van Dantzig: [00:06:19] Yeah. So, because in one case, we actually got to see the attackers doing their thing over the course of several weeks, so we were not ready to kick these attackers out of the network because the visibility that we had on this victim's network was very limited. So we were concerned that if we would kick them out too early in the progress, that they would notice and completely change their modus operandi. So instead of kicking them out, we watched and monitored them while we improved our visibility over the network until we could kick them out.
Maarten van Dantzig: [00:06:50] And that visibility, over the course of several weeks, made for some very interesting insight. And one of those was that the attackers would use the victim's VPN concentrator to log in to the environment, then deploy their tooling, move through the network, and exfiltrate files. What we noticed was that the victim where we responded to was using a VPN solution that had two-factor enabled. However – so this was the RSA SecurID, and RSA SecurID has multiple methods of implementing two factor. So, you can either go with a token – so, a USB-based token – you can go with your phone, or you can actually do a software-based token on the desktop. And the latter was actually something that the attackers abused.
Dave Bittner: [00:07:35] Interesting. Now, you have a whole section here on attribution. Before we dig into some of the specifics of attribution in this case, I'm curious about how Fox-IT approaches attribution, because some – well, many organizations shy away from attribution, but you all find it to be a valuable thing.
Maarten van Dantzig: [00:07:54] Right, yeah. So, me, myself, as an intelligence analyst, as well as an incident responder, I'm always interested to get as much facts as possible about an intrusion that I'm dealing with. In my opinion, any context or extra information I can get on an attacker where I'm actively responding to is of value. So, during such an incident, especially when you have this visibility on an attacker, you actually have the time also to look into what it is that might motivate the attacker.
Maarten van Dantzig: [00:08:21] So, as we write in the report, I'm fairly convinced that, you know, any attacker that has the goal to deploy, for example, ransomware, is very different from an attacker that might be looking for sensitive data to steal. Responding to an intrusion where the goal of the attacker is to deploy ransomware, you will respond to that differently than when the goal is to steal intellectual property. So your focus is on different servers inside the network. Your focus with ransomware might be on backup servers, while your focus when it comes to espionage might be on servers that are holding a lot of intellectual property.
Dave Bittner: [00:08:55] Well, let's go through some of the specific things that you all noticed here that led you to your attribution. What sort of things did you note?
Maarten van Dantzig: [00:09:04] Right. So, multiple things pointing to the direction of China. So, during this intrusion that I spoke of, of multiple weeks, we also placed some network sensors inside the environment of the victim. And there's one specific tool that the attackers appeared to be using continuously that we just named "XServer." It's essentially used to tunnel traffic from one machine to another or from multiple machines. And in one case, we actually saw a network packet coming from outside of the victim's network, but being tunneled through the victim's network where we had those network sensors. And then we got to see, through one of the not-encrypted HTTP headers, that the Accept-Language of the attacker's browser was actually set to the Chinese language setting.
Dave Bittner: [00:09:48] Hmm.
Maarten van Dantzig: [00:09:48] So, that was just one of the points. A more interesting one, which also led to the title of the report, was that the attackers had initially come in through a web shell that they had not used over the course of the incident. So, they used this for the initial access, but after that they solely relied on the VPN access that they had to the victim's environment. So after a while – so, they did leave that web shell on the vulnerable server with the intention to come back to it once they had been kicked out of the network.
Maarten van Dantzig: [00:10:18] So, fortunately, in our case, we also found the web shell and removed that. And now we could see the attacker coming back to that web shell, attempting to execute several commands. And after a couple of those commands, you could see, of course, the web shell no longer returns anything positive to his commands, right? So, no responses from the Windows server that were expected. And you can see several commands, and then the very last command is, you know, not a Windows command. And when we actually Googled for this, it turned out to be a swearword in Chinese...
Dave Bittner: [00:10:48] (Laughs)
Maarten van Dantzig: [00:10:48] ...Which was very likely, you know, written as a sign of frustration after having lost access to a victim where they had had access for several months.
Dave Bittner: [00:11:01] And that was the word "wocao," which is what you all adopted as the identifier for this particular research.
Maarten van Dantzig: [00:11:10] Exactly, exactly.
Dave Bittner: [00:11:11] Yeah. You also were able to cooperate with law enforcement and find some things about some registration of some domain names.
Maarten van Dantzig: [00:11:19] Yeah, that's correct. So, we kicked back a couple of IP addresses to a couple of law enforcement agencies that we work with, and that are active in the countries where the servers were. So, we did this during the incident, but unfortunately for one of the servers, we were too late and the server was no longer actively being used by the actor. So, nothing was possible in terms of getting a forensic image from that machine and having the law enforcement agency investigate that.
Maarten van Dantzig: [00:11:45] However, they did supply us with the registration information, and it all appeared to be dummy data that was filled in – a name that sounded like it was a real person, and nor was the email address or the address. What was interesting is that the state and region contained Chinese characters, as opposed to the other English words that were written there. And at least our hypothesis is that one of the attackers put in this information while registering the servers, but possibly forgot to copy-paste the correct value from the translated one. And this is not information that you could see – this is not information that was used to register a domain, but it was really used to register a server. So it's not publicly visible for others. So I think it's really highly likely that this was, in fact, a mistake by one of these hackers.
Dave Bittner: [00:12:34] Oh, very interesting. Well, let's go through who you've gathered that they're targeting. You have a list of the victims here. What did you find here?
Maarten van Dantzig: [00:12:44] Right, so we saw targeting of at least ten countries, and is based on the visibility, of course, that we have across a wide variety of industries. So the victim that I referenced quite a few times where we got to see the attackers for several weeks was actually a managed service provider. So, you should know that the attackers target managed service providers, and a lot of other industries, but of course, through the managed service providers they target those industries as well, right? So, the main target is, of course, not the managed service provider, but they are the customers of the managed service provider, which we've seen – which we're seeing more and more from Chinese threat actors.
Dave Bittner: [00:13:21] How about the types of tools that they're using? Is it off-the-shelf stuff, or are they creating their own custom tools?
Maarten van Dantzig: [00:13:29] So, it's a combination of both. So they do use some of the open-source tools that are quite well known, right? So, Mimikatz and BloodHound are very well known among penetration testers, but unfortunately, also by a lot of malicious threat actors. There are some tools that are completely coded from scratch, or appear to be at least custom to this group, such as the XServer tool that I referenced. So, really a tunneling tool to go from machine A to B, and possibly through multiple other compromised machines, is for example done to access machines that are not directly connected to the internet but are connected to other machines inside the internal network.
Maarten van Dantzig: [00:14:07] And what's also interesting is that we saw some use of open-source tooling, but they are also making an effort to patch some of the indicators in there. So, in one specific example, they made use of smbexec – which is part of the Impacket Python penetration testing suites – and they patched one of the variable file names to something. So, it used to be "execute.bat", and they renamed it to a double underscore "__exec.bat", very likely in an attempt to evade detection.
Dave Bittner: [00:14:39] In your estimation, how would you rank the sophistication of this group?
Maarten van Dantzig: [00:14:44] Well, I'm not sure if there's an official ranking system here to do that. I would say that they are one of the more advanced Chinese threat actors, at least that I've dealt with.
Dave Bittner: [00:14:54] And what are your recommendations for people to protect themselves against this?
Maarten van Dantzig: [00:14:58] All right, so, there are a lot of things, but the initial entry vector is, of course, a big one, right? No organization should ever have an exposed JBoss server running vulnerable software directly through the Internet, nor should it be connected to the rest of the internal network. But if you read the report, you know, we've really gone through – have really put in effort to map this to MITRE's ATT&CK framework, you see that there's a lot of tools used – open-source tools used – which you can still easily detect.
Maarten van Dantzig: [00:15:25] Some of the other good ones are that the attacker also clears Windows event logs from compromised servers, and the clearing of a Windows event log actually in itself also generates an event log. So, monitoring for that will be a very good start.
Maarten van Dantzig: [00:15:39] So, one of the ways in which we attributed this attack to China was the fact that while we were monitoring the attackers' activity over the course of several weeks, we could easily see that they would start their day in line with normal Chinese working hours, right? So, they would start around 9:00 or 10:00 PM and continue for about eight to ten hours. And this was continuous for about three weeks. And during the weekends, there would be absolutely no activity.
Dave Bittner: [00:16:07] It's interesting how, I mean, it speaks to the professionalism of what's going on here – that this is someone's job.
Maarten van Dantzig: [00:16:14] Yeah, exactly. You can see and actually during the very start of the incidents – so, when we investigated patient zero, the specific breach – we could see that the attackers were actually active during the weekends. So very likely they'd find an interesting victim with a vulnerable JBoss server and knew that they only had likely little time to exploit it. But once they had that initial access, they had access to multiple servers, you could see them falling back into the routine of a normal business week.
Dave Bittner: [00:16:42] That's Maarten van Dantzig. The research is titled "Operation Wocao: Shining a Light on One of China's Hidden Hacking Groups." We'll have a link in the show notes.
Dave Bittner: [00:16:55] Thanks to Juniper Networks for sponsoring our show, you can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:17:04] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:17:12] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.