A new report, Quartermasters: Facilitating Shared Tools and TTPs among Chinese APTs, from SecAlliance, reveals the links between financially motivated Chinese state-aligned advanced persistent threat groups, their shared tooling, and the quartermasters/front companies facilitating their activity.
The report's analysis provides deeper insight into an active threat to networks worldwide. The three advanced persistent threat (APT) groups covered in the research paper are APT41, APT27, and APT17. The quartermaster in this case study is suspected Chinese Ministry of State Security (MSS) officer Guo Lin, who is tied specifically to APT17.
Guo Lin
SecAlliance experts say that Guo Lin, highly likely a Ministry of State Security officer, operates within a network of front companies used for nation-state operations and can be linked to the origins of at least one Chinese APT group, APT17.
Describing himself as a Computer Science Master's student at Nanjing University, Guo Lin was linked to the front company Jinan Quanxin Fangyuan Technology Co. Ltd, a ‘state-level high-tech enterprise that integrates development, productions, management and technical services with scientific research as the guide’.
The link between Guo Lin and APT17 is Zeng Xiaoyong, named a member of APT17 in July 2019, and believed to operate under the alias envymask/EMM.
Cyber security researchers identified a Pretty Good Privacy (PGP) key linking envymask to the RealSOI Computer Network Technology Company, another front company related to Jinan Quanxin Fangyuan Technology Co. Ltd.
Xiaoyong’s EMM alias is also listed as part of the training team for Jinan Fanglang, along with ‘Phoenix’, an alias for Wang Qingwei, who was previously doxed by cybersecurity researchers.
APT17
The report looks into the activity of APT17. Operating since at least 2009, the group has been actively involved in Chinese state-sponsored operations in Asia, Europe, and North America, targeting various sectors. There is substantial evidence that this group is financially motivated in addition to its state-sponsored activity.
Evidence of financial motivation in APT17 operations is supported by an APT17-attributed ‘price list’ circulated by security researchers, which advertised data belonging to Chinese targets alongside that of international entities. Likely operating as a hackers-for-hire (HfH) operation, APT17 shares overlaps with APT41.
For example, the 2017 CCleaner supply chain attack on Piriform was attributed to both APT17 and APT41. Zeng is credited with creating a specific exploit for the public vulnerability MS08-067. This exploit is associated with ZoxRPC, which evolved into the BLACKCOFFEE malware, a hallmark of APT17 and of Zeng specifically. APT41 has used this same malware in its operations. This sharing of malware and exploits speaks to the increasing overlap and coordination among APT groups within China.
APT41
Another group SecAlliance experts look at in the report is APT41. One of the most prolific Chinese APT groups, APT41 is a key example of a group that conducts financially motivated activity alongside state-sponsored operations.
APT41 operations include cyber espionage and developing tools for the People’s Liberation Army (PLA), as well as criminal activity. The latter includes the theft of cryptocurrency and in-game tokens, as well as ransomware attacks.
The report suggests these groups share tooling and TTPs: some are unique, but many are consistent with other Chinese APTs. Elements of the group function as a ‘malware factory’, with many tools developed by the group being redistributed to other Chinese threat actors, likely through a quartermaster.
APT27
Finally, SecAlliance experts analyse APT27. Active since approximately 2013, APT27 is known to be a Chinese state-affiliated actor, carrying out nation-state operations as well as likely financially motivated attacks, as observed in its deployment of ransomware.
In January 2022, the Bundesamt für Verfassungsschutz (BfV; Germany's domestic intelligence service) warned that APT27 was actively targeting German commercial organisations. These operations were focused on cyber espionage, consistent with the group’s primary function. The ransomware attacks attributed to the group display financially motivated targeting (the gaming and gambling industries) similar to that of APT41.
Proficient in watering-hole and spear-phishing attacks and in zero-day exploitation (consistent with other Chinese APT TTPs), APT27 has been linked to the wider Chinese cyber-espionage cluster Tilted Temple, which also includes APT30, APT15, APT31, and GALLIUM. This cluster of threat activity has been observed in sustained malicious activity in Europe and in operations worldwide.
Inclusion in the Tilted Temple network indicates further links to a shared quartermaster. This is evident in widespread examples of shared tooling and TTPs (some with origins tied to APT41) being used to conduct intellectual property theft, intelligence collection, and other malicious activities supporting Chinese strategic objectives.
It is evident that these Chinese ‘contractor’ APT groups are operating in ‘sub-networks’ that are involved in both state and non-state operations. The insight given by this report into the relationship between quartermasters and Chinese APTs indicates a highly organised network, resulting in a significant threat.
SecAlliance experts conclude that it is highly likely that these APT groups will continue to cooperate, facilitated by quartermasters acting on behalf of the MSS. This means that many effective tools and techniques leveraged by the groups will be apparent not only in state-sponsored operations but, because of the loose structure of the APT sub-groups, will also likely be observed in financially motivated attacks.
The full report is exclusively available on ThreatMatch for SecAlliance’s ThreatMatch subscribers.