Research Saturday 6.9.18
Ep 39 | 6.9.18

Winnti Umbrella Chinese threat group.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges, for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Tom Hegel: [00:01:42] We began encountering this attacking entity for our customers out in East Asia.

Dave Bittner: [00:01:47] That's Tom Hegel. He's a senior threat researcher at ProtectWise 401TRG. The research we're discussing today concerns a threat group they call "the Winnti Umbrella."

Tom Hegel: [00:01:58] Just kind of seeing them evolve over time really attracted my attention towards them, kind of seeing the targets they are going after and seeing how they've evolved over time, in addition to just their, you know, their determination. It really kind of attracted me to them, so I spent a good amount of time focusing on them over the last few months, and then also last year during multiple incidents.

Dave Bittner: [00:02:19] So, set the table for us. What is the background here? Who is this group, and what's their history?

Tom Hegel: [00:02:25] Yes, this group goes back quite a while. So, as you'll notice in the report, we reference a lot of external reporting from other vendors and researchers out there. Some of the first reporting on this particular entity was done in 2013 and 2014 from Kaspersky Lab and then Novetta.

Tom Hegel: [00:02:44] The interesting thing was a lot of the historical reports actually link even farther back to previous operations conducted by associated entities, with different attribution on, like, an actor-name level. But they have always kind of had an agenda of going after politically-focused targets. So, in 2013, a lot of the attacks that Novetta actually documented were identifying pieces of malware signed with code signing certificates from additional victims of that entity. So, the ultimate goal kind of goes back a long history of going after the government side of things as well, which is pretty interesting, to say the least.

Dave Bittner: [00:03:22] As you say, you're referencing work by some other groups here, and this group goes by a variety of names depending on who's reporting on them.

Tom Hegel: [00:03:30] Yeah, absolutely. And, you know, our report, we didn't try and take away from any of the naming or attribution that the previous public reports have used. You know, if you look at Winnti, or LEAD, or BARIUM, a lot of those names come from what the reporting entity, the security vendor or the researcher, identified based on their telemetry. So, you know, we're not necessarily trying to negate any of their findings, but rather kind of regroup and see how the greater picture is that these are all closely linked together.

Tom Hegel: [00:04:03] So, we took the approach of really trying to understand the multiple viewpoints into this same entity, which ended up being the Chinese intelligence apparatus, which we assess with high confidence. Kind of seeing those different pieces of this intelligence apparatus based on the public reports, and linking them all together is one of the more fascinating parts we found.

Dave Bittner: [00:04:22] All right, so let's dig in here. Take us through, what are they up to? What are their tactics, techniques, and procedures?

Tom Hegel: [00:04:28] Absolutely. So, in 2017, when we began really heavily seeing this entity attack, primarily in East Asia, one of the more notable differences that we saw over previous public reporting was a shift towards open-source and public tooling. We began seeing this actor use penetration testing tools such as BeEF and Meterpreter and a few others. We saw them using Cobalt Strike internally to spread and propagate within the network and, you know, get their foothold in the environments. So, in 2017, that was really interesting. We ended up encountering them in multiple aspects doing the same exact thing going after their initial targets, which ended up being the gaming and software organizations.

Tom Hegel: [00:05:11] And then, in 2018, later 2017 into 2018, we began seeing a shift. More recently, up until about two weeks prior to the release of our public report, we saw them shift, you know, stepping away from open-source tooling, going back to really heavy tactics of trying to live off the land. This entity has a really strong discipline to try and limit the amount of detection capabilities that defenders would have. So, if it comes down to using legitimate tooling that is approved by the organization to have command-and-control, we would see that. And in some cases, they would actually abuse organizations' VPN solutions to gain authenticated remote access into their environment.

Dave Bittner: [00:05:56] So, let's back up a little bit and walk us through how they go at things here. According to your report, as with many of these things, it starts with some phishing.

Tom Hegel: [00:06:06] Yeah, absolutely. That was the main kind of beachhead we've seen into the victim organizations. It always originally started with phishing. And, to go back into 2017, the phishing trends have shifted dramatically over the years. In 2017, the primary objective was to appear as HR, or as an applicant for a job: human resources applicants, and going after IT and security folks with these job applications. So, they would have a phishing email that would say, hey, I'm an individual looking for a job, here's my resume. And you click the link and then it kind of kicks off the attack from there.

Tom Hegel: [00:06:43] In 2018, more recently, we ended up seeing that shift go towards trying to just do generic phishing on common services such as Google, Office 365, and so forth. And based on a lot of the infrastructure that we are able to link to this, which we have in the report, we ended up seeing a lot of interesting associated potential phishing campaigns that were going after internal business tooling such as Jira, ticketing software, or Jira Agile Software, and ADP-type solutions as well, which are pretty common for organizations.

Dave Bittner: [00:07:19] Now, once they got in, what were they after?

Tom Hegel: [00:07:22] The primary thing during these initial attacks ended up being code signing certificates. We would see them, once they successfully get into the network either on their cloud infrastructure, or their onsite enterprise network, or anything like that. We would see them immediately start to shift and seek out code signing certificates, either locally on their share drives or by scanning the internal network, looking for any sort of a host intranet, any sort of software developer tools, or anything like that. That was their primary focus, was the code signing certificates, and the use for those comes later.

Tom Hegel: [00:07:55] But the secondary objective, which we believe with pretty high confidence tends to be potential moonlighting by the individual operator on the attacker end, tends to be financially motivated. So, if we saw them identify, or if they were able to identify potential ways to manipulate the software, either a game or the actual software solution via that victim, for financial gain, we would see the actor try and pursue that.

Tom Hegel: [00:08:23] And that would include things like modifying or learning more about the backend of a virtual economy, or learning how to steal or mine virtual currency for that particular game. And then they would take advantage of that at a later point. So, it was a really kind of a primary mission and then an optional secondary objective by the individual operators, which we believe to be pretty standard for them.

Dave Bittner: [00:08:48] So, spell out for us their attraction to code signing certificates. What's their goal there? What are they good for once they get their hands on them?

Tom Hegel: [00:08:57] Yeah, absolutely. That was really interesting, because we've kind of categorized the victims into initial targets and later-stage targets, where we see the initial targets being sought after for the code signing certificates. And once the actor gets their hands on those, they exfiltrate this information and then they code-sign their malware with that certificate so it's approved and legitimate, because the victims often don't know that those have been stolen, so they're still valid. And then we would see that malware used against additional targets.

Tom Hegel: [00:09:27] The span of that use is quite dramatic. We saw cases where an individual software organization's code signing certificates were used to sign malware to go after an online gaming organization. And then we ended up seeing trends where those two certificates were both used to sign malware going after political targets. So, we believe the political targets and the higher-value tech organizations tend to be the later-stage victims, or later-stage targets, while the initial targets are really kind of about seeking those code signing certificates.

Tom Hegel: [00:09:59] And then there were also pretty interesting trends in terms of links to previous reporting. So, Novetta and the Cylance report that we referenced, they did a lot of documentation and reporting on finding malware that was signed by other victims similar to this exact same tactic. So, this isn't a new approach for them. They've been using it for quite a few years at this point.

Dave Bittner: [00:10:23] Take us through your process for attribution, how you established who this was. I understand they were pretty careful, but every now and then they got a little sloppy.

Tom Hegel: [00:10:33] Absolutely. So, the attribution side of the house is really interesting. We tend to try and stay away from attribution. You know, we didn't want to come up with a unique name of our own. We really kind of wanted to settle some dust in terms of confusion around naming, around public reporting over the last decade.

Tom Hegel: [00:10:49] So, when we ended up finding links to the infrastructure that our victims were being targeted with, or being used in command-and-control or phishing, we ended up linking that to a lot of the previous reporting. So, that added a lot of context around the historical documentation of this entity. And then we began to pretty much assess that with, you know, maybe there's overlap, maybe there's some shared resources, but, you know, just looking at infrastructure alone doesn't always provide you extremely high confidence.

Tom Hegel: [00:11:19] So, once we began getting our hands into a variety of environments that had the same entity attacking them with the same linked infrastructure, we were able to build a really clear picture of the amount of resources they're sharing, and the links between all the different potential teams within this intelligence apparatus.

Tom Hegel: [00:11:39] So, you know, the initial targets, we ended up seeing cases where they tend to be, you know, more of a B-Team. They have weaker operational security practices, while the later stage targets tend to have more discipline in terms of covering their tracks, and so forth.

Tom Hegel: [00:11:54] So, during a few engagements, we ended up identifying cases where a victim organization was compromised, and then the attacker made mistakes where they were also identifying their potential true location.

Tom Hegel: [00:12:07] So, that kind of came when they were doing command-and-control and they were making mistakes every once in a while, forgetting to proxy all of their command-and-control through their own proxy infrastructure. They were coming from their true location, and then they would quickly fix that. They would back out really quickly. So, it was very small snippets in network traffic that we were able to identify them being linked to a potential location. In this case, it ended up being, with fairly high confidence, the Xicheng District of Beijing.

Dave Bittner: [00:12:35] And someone sitting behind a terminal saying to themselves, "oh, crap!"

Tom Hegel: [00:12:40] Yeah, exactly. Yeah, that's kind of the view that we were able to kind of build just based on all the logs and the network traffic, and how fast it modified. Typically it was, hey, they've gained a foothold into the network, and then they come in manually, remote into the network, and then they quickly back out and remote back in through their proper proxy infrastructure. So, it was potential mistakes on the attacker end, and it only happened a handful of times across multiple victims, so it was a pretty interesting trend to see, which led us to help identify even more clues towards potential attribution.

Dave Bittner: [00:13:15] You saw a good bit of overlap among this group and other groups which helped you with your attribution. In terms of this being state-sponsored or other groups, how much distinction is there, and is it a distinction without a difference, perhaps?

Tom Hegel: [00:13:29] It's really tricky. The way that this entity is structured isn't entirely clear, and that's the type of information that we can't always tell from cyber-based threat intelligence. You know, there's just a lot we just don't know. When we kind of build the profile of this actor, we start to learn their tactics, who they're going after, and then seeing the later stage, going after the politically-focused victims or targets.

Tom Hegel: [00:13:54] And, when you kind of put together this whole picture, you start to get an understanding of this greater mission that they're all working towards. So, this is where we start to step away from extremely high-confidence statements. You know, we try and say, you know, these guys are all working towards the same mission.

Tom Hegel: [00:14:12] However, there's multiple teams associated with it, we believe, and then those teams each have their own objectives as well. And those teams, based on previous reporting, you start to step into, hey, these are likely government contractors. Some of these are likely, you know, actual team members.

Tom Hegel: [00:14:30] And so, that's where you get a little fuzzy, just because that type of, that depth of intelligence we just can't tell from, you know, the cyber realm, or anything like that. So, it gets a bit fuzzy, but linking it all to previous reporting and seeing this involved in multiple victim organizations, we were able to build a rather high amount of confidence on those statements.

Dave Bittner: [00:14:54] How can people use your findings here to inform their own defense against cyber attacks?

Tom Hegel: [00:15:01] A big thing with the report, it's quite massive, but the vast majority of the report is actually the indicators associated with the infrastructure. And we released this report in a different approach than we see typically through our industry. We didn't want to just go out and completely burn the indicators with no head start to any defenders.

Tom Hegel: [00:15:23] So, when we wrote this report, we ended up releasing it early to our customers and a variety of other security vendors out there, trusted third parties. Even if we don't have partnerships, just other researchers that we respect in the industry and that we know will handle it properly. We got this report to them early to see if they could use it to defend their organizations, or identify this for their customers, before we published it.

Tom Hegel: [00:15:47] So, we tried to approach it with a bit of a head start for defenders, but the indicators that are in the report are all the infrastructure that we've linked to this single entity. Defenders can take those indicators and historically look at any sort of logs or traffic, or any sort of detection mechanisms they have internally, and then add them to their own type of blacklists.

Tom Hegel: [00:16:12] This actor group has tended to reuse infrastructure over the last decade, so we don't believe this is going to completely burn down and they're going to rebuild from scratch. I do believe they are going to come back and keep using this in the future.

Tom Hegel: [00:16:23] And then, also, more importantly than indicators and just real-time detections like that, we tried to provide in this report an accurate actor profile. So, a defender can read this report and then get an understanding of the types of tactics that are currently in use from state-sponsored attackers and, you know, more determined and advanced groups out there. So, you know, if you read this as a defender, you can take these tactics that this entity uses and ensure you have coverage in your environment. You know, start to question your tooling and your detection-response capability. You know, if this happened to you, would you be able to respond and find it inside your network? So, multiple approaches there, to say the least.

Dave Bittner: [00:17:07] Yeah. What's your estimation of the sophistication of this group?

Tom Hegel: [00:17:12] It definitely varies. Like I mentioned, the initial attacks, some of them tend to be more like the B-Team. So, it spans. This group tends to have, just based on the variety of attacks and the breadth of their victim targets, a variety of different skill sets internally. Each team or part of this entity tends to have those different skill sets.

Tom Hegel: [00:17:35] So, you know, we have the more advanced side of things, which tend to be politically-focused attackers, and then we have the initial attacks, which tend to be, you know, more of that B-Team. So, generally, they're pretty sophisticated. If anything, I would say they're extremely patient and determined. They will tend to go after the same organization years down the road. It's a mix, to say the least. There's quite a variety, depending on the type of attack they're doing at that time.

Tom Hegel: [00:18:02] You know, a big piece of this is we're not trying to take attribution to the next level or come up with some new name. I think this is the way our team is approaching public reporting on any sort of threat intelligence. You know, we don't want to add more haze to the industry, and that type of stuff. So, we really want to try and, you know, add clarity to profiles of actors and attackers, so I think this type of approach is something that other defenders and researchers should try and follow if they can.

Dave Bittner: [00:18:34] Yeah, it's an interesting insight. I mean, when it comes to sharing information across the industry, you know, I understand that a lot of researchers from different companies, you know, you all, you have Slack groups that you share in common, and various ways to communicate with each other to share. I mean, is there that general sense of community, of sharing, among researchers across the industry?

Tom Hegel: [00:18:56] Yeah, absolutely. There definitely is. Kind of the black eye of the industry, in my opinion, tends to be the vendors out there that will take and repurpose it. You know, they'll try and take other people's research and monetize it for themselves. You know, similar to how we see, you know, the big reports based around the large viruses or malware that's spreading, like WannaCry, or something like that. Now, every vendor jumps on it.

Tom Hegel: [00:19:23] You know, it's kind of an interesting topic, to say the least. There's a handful of people that we really trust, as our team, that we share information with pretty openly. And, you know, they're not partners, or customers, or anything like that, but we just trust that they'll take it and use it appropriately, rather than trying to turn it around and monetize it for their own gain.

Tom Hegel: [00:19:41] So, it's a matter of identifying those trusted, closed groups, and when it comes to sharing to the more public groups out there, we tend to wait until later stages before we get to that point, because they can't all be trusted, unfortunately.

Dave Bittner: [00:19:54] It's the nature of the business, right?

Tom Hegel: [00:19:56] Yeah. Absolutely.

Dave Bittner: [00:20:01] Our thanks to Tom Hegel from ProtectWise 401TRG for joining us. You can find the Burning Umbrella report on their website.

Dave Bittner: [00:20:11] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:20:19] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:20:28] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.