On 15 October 2014, Novetta and the Cyber Security Coalition behind Operation SMN published an Executive Summary discussing the Axiom threat actors and their operations over the last several years. Today, on behalf of the Operation SMN Coalition, Novetta published the full technical and behavioral reporting associated with Operation SMN. This report explores the structure, potential motivations, and tactics of the Axiom threat actor.
This report comes on the heels of a coordinated push of new malware detection, IDS signatures, raw data, and knowledge transfer that allowed both the cyber security industry and private enterprise to protect themselves and their customers against these threats. This report also represents the collective action of some of the biggest and most capable players in the cyber security space. Coalition partners have contributed data, key analytics, and advanced threat knowledge and expertise to ensure that this reporting is as accurate as possible. Additionally, Microsoft’s Virus Information Alliance (VIA) program allowed coalition partners to share malware and signatures associated with this threat actor group with 66 other organizations.
The key findings in this reporting, which have been revealed and reinforced over the past two weeks, are as follows:
- The Axiom threat group is a well-resourced, disciplined, and sophisticated subgroup of a larger cyber espionage group that has been directing operations unfettered for over six years.
- Novetta has moderate to high confidence that the organization tasking Axiom is part of the Chinese intelligence apparatus. This belief has been partially confirmed by a recent FBI flash released to InfraGard stating that the actors are affiliated with the Chinese government.
- Axiom actors have victimized pro-democracy non-governmental organizations (NGOs) and other groups and individuals that would be perceived as a potential threat to the stability of the Chinese state.
- Axiom operators have been observed operating in organizations that are of strategic economic interest, that influence environmental and energy policy, and that develop cutting-edge information technology, including integrated circuit and telecommunications equipment manufacturers and infrastructure providers.
- Later stages of Axiom operations leverage command and control infrastructure that has been compromised solely for the targeting of an individual organization or a small cluster of related targeted organizations.
- Axiom uses a varied toolset over a lengthy victim lifecycle ranging from generic malware to very tailored, custom malware designed for long-term persistence that at times can be measured in years.
I am extremely proud of the efforts that the Coalition partners have put forth, and believe that their embrace of this new methodology will provide increased protection for existing and future organizations targeted by Axiom.
The information below has been included in the report released on 28 October 2014 and is linked below for ease of access and use.
Organizations are strongly encouraged to download and deploy these signatures to their IDS platforms as soon as possible.
ClamAV names and Snort Signature IDs detecting Axiom/Group 72 RAT malware:
- Gh0stRat — Win.Trojan.Gh0stRAT, 19484, 27964
- PoisonIVY / DarkMoon — Win.Trojan.DarkMoon, 7816, 7815, 7814, 7813, 12715, 12724
- Hydraq — Win.Trojan.HyDraq, 16368, 21304
- HiKit — Win.Trojan.HiKit, 30948
- Zxshell — Win.Trojan.Zxshell, 32180, 32181
- DeputyDog — Win.Trojan.DeputyDog, 28493, 29459
- Derusbi — Win.Trojan.Derusbi, 20080
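As an added example (not part of the original post or of any Novetta or Coalition tooling), the following Python script turns the SID list above into a coverage check: it parses a Snort rules file, treats a leading `#` as a disabled rule, and reports which of the published Axiom SIDs are enabled, disabled, or absent from the ruleset. The SIDs are taken from the post; the sample ruleset is constructed, and its rule bodies are placeholders rather than the real Snort/Talos rule content.

```python
import re

# Snort SIDs published with the Operation SMN report, keyed by malware family
# (values taken from the post above).
AXIOM_SIDS = {
    "Gh0stRat": [19484, 27964],
    "PoisonIVY/DarkMoon": [7816, 7815, 7814, 7813, 12715, 12724],
    "Hydraq": [16368, 21304],
    "HiKit": [30948],
    "Zxshell": [32180, 32181],
    "DeputyDog": [28493, 29459],
    "Derusbi": [20080],
}

# Matches the sid option inside a rule body (e.g. "sid:19484;").
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_ruleset(text):
    """Return {sid: enabled} for every rule line in a Snort rules file.

    A rule whose line starts with '#' is treated as disabled; comment lines
    that carry no sid option are ignored.
    """
    sids = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        m = _SID_RE.search(body)
        if not m:
            continue
        sid = int(m.group(1))
        # If a SID appears more than once, any enabled copy counts as enabled.
        sids[sid] = sids.get(sid, False) or enabled
    return sids


def audit_coverage(ruleset_text, required=AXIOM_SIDS):
    """Classify each required SID as 'enabled', 'disabled' or 'missing'."""
    present = parse_ruleset(ruleset_text)
    report = {}
    for family, sid_list in required.items():
        for sid in sid_list:
            if sid not in present:
                status = "missing"
            elif present[sid]:
                status = "enabled"
            else:
                status = "disabled"
            report[sid] = (family, status)
    return report


def missing_or_disabled(report):
    """SIDs that still need attention, in ascending order."""
    return sorted(sid for sid, (_, status) in report.items() if status != "enabled")


# Constructed sample ruleset: the SIDs are the ones from the post, but the
# rule text is a placeholder, not the actual Snort/Talos rule content.
SAMPLE_RULES = """\
# Constructed sample; rule bodies are placeholders
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PLACEHOLDER Gh0st beacon"; content:"Gh0st"; sid:19484; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PLACEHOLDER Gh0st variant"; sid:27964; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER HiKit"; sid:30948; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PLACEHOLDER Derusbi"; sid:20080; rev:3;)
"""

if __name__ == "__main__":
    rep = audit_coverage(SAMPLE_RULES)
    for sid in sorted(rep):
        family, status = rep[sid]
        print(f"sid:{sid:<6} {family:<20} {status}")
    print("needs attention:", missing_or_disabled(rep))
```

To run it against a real deployment, read the contents of the sensor's rules files (for example, everything included from `snort.conf`) and pass the concatenated text to `audit_coverage`; any SID reported as disabled or missing is a gap in coverage for the corresponding Axiom tool family.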