ATK1

Presumed Origin: China

Alias: DragonFish, Lotus Blossom, ST Group, Spring Dragon

ATK1 (aka Lotus Blossom, Spring Dragon, DragonFish) is a state-sponsored (China) group first seen in 2012.


The group focuses mainly on the territories bordering its country of origin (the South China Sea). It primarily targets government institutions and political parties; educational establishments such as universities, as well as companies in the telecommunications sector, are not spared.


The group notably used the Elise malware to spy on many government organizations, mainly in Southeast Asia. This campaign may have been intended to support the Silk Roads project by securing its maritime side.


At the end of 2015, its “Emissary” malware received numerous updates, probably to avoid being detected by security products.


After a very active period, the group remained discreet until the beginning of 2017.


Other campaigns were carried out sporadically until 2018, still using Elise as the main attack vector and sometimes using new exploits, such as CVE-2017-11882. ATK1 is capable of performing very large operations over a long period of time while developing its own specific arsenal.


Its targets are chosen very precisely, and the group rarely deviates from them.


Examination of the group's targets reveals that they correspond to the preferred geographic areas covered by offices 2 and 6 (units 61398 and 61726), which are the United States / Canada and South Asia / Taiwan areas, respectively. These offices are part of the Network System Department (NSD), which reports directly to the Strategic Support Force (SSF), itself part of the PLA Staff Department of the Central Military Commission. The information gathered through these espionage campaigns therefore has an undeniable strategic dimension for the Chinese military administration.


REFERENCES

Target sector

  • Communication
  • Education
  • Financial Services
  • Government and administration agencies
  • High-Tech
  • Military
  • Satellites and Telecommunications
  • Telecommunication
  • Universities

Target countries

  • Cambodia
  • Canada
  • France
  • Hong Kong
  • Indonesia
  • Japan
  • Lao People's Democratic Republic
  • Malaysia
  • Myanmar
  • Philippines
  • Singapore
  • Taiwan
  • Thailand
  • United States of America
  • Viet Nam

Attack pattern

  • T1007 - System Service Discovery
  • T1009 - Binary Padding
  • T1010 - Application Window Discovery
  • T1016 - System Network Configuration Discovery
  • T1022 - Data Encrypted
  • T1024 - Custom Cryptographic Protocol
  • T1027 - Obfuscated Files or Information
  • T1027.001 - Binary Padding
  • T1032 - Standard Cryptographic Protocol
  • T1035 - Service Execution
  • T1036 - Masquerading
  • T1043 - Commonly Used Port
  • T1045 - Software Packing
  • T1046 - Network Service Scanning
  • T1050 - New Service
  • T1055 - Process Injection
  • T1055.001 - Dynamic-link Library Injection
  • T1056 - Input Capture
  • T1057 - Process Discovery
  • T1059 - Command-Line Interface
  • T1059.003 - Windows Command Shell
  • T1060 - Registry Run Keys / Startup Folder
  • T1064 - Scripting
  • T1069 - Permission Groups Discovery
  • T1069.001 - Local Groups
  • T1071 - Standard Application Layer Protocol
  • T1074 - Data Staged
  • T1082 - System Information Discovery
  • T1085 - Rundll32
  • T1087 - Account Discovery
  • T1094 - Custom Command and Control Protocol
  • T1098 - Account Manipulation
  • T1099 - Timestomp
  • T1105 - Ingress Tool Transfer
  • T1105 - Remote File Copy
  • T1107 - File Deletion
  • T1112 - Modify Registry
  • T1113 - Screen Capture
  • T1115 - Clipboard Data
  • T1132 - Data Encoding
  • T1135 - Network Share Discovery
  • T1136 - Create Account
  • T1140 - Deobfuscate/Decode Files or Information
  • T1189 - Drive-by Compromise
  • T1193 - Spearphishing Attachment
  • T1218.011 - Rundll32
  • T1497 - Virtualization/Sandbox Evasion
  • T1543.003 - Windows Service
  • T1547.001 - Registry Run Keys / Startup Folder
  • T1573.001 - Symmetric Cryptography

Motivation

  • Espionage
  • Information theft

Malware

  • Catchamas
  • Elise
  • Emissary
  • Hannotog
  • Mimikatz
  • Rikamanu
  • Sagerunex
  • Spedear
  • Syndicasec

Vulnerabilities

  • CVE-2009-0927
  • CVE-2012-0158
  • CVE-2014-4114
  • CVE-2014-6332
  • CVE-2017-11882