Researchers at security company FireEye have revealed an advanced persistent threat targeting the U.S. defense and aerospace industries and likely originating in China. Named Beebus after an early sample, the campaign's attacks come in continuous waves over time against strategically chosen individuals. According to an unnamed inside source, the Beebus campaign began in early 2012 when FireEye noticed suspicious activity on the systems of some of its defense and aerospace clients. Of 261 discovered attacks, 123 targeted vendors of unmanned aerial vehicles or systems. The most recent exploit used a Deloitte industry analysis report sent in a weaponized email. Researchers believe that the campaign has so far touched 214 servers with 60 unique IP addresses.
Beebus Mixes Attack Vectors
Beebus relies on straightforward spear phishing that exploits known vulnerabilities in PDF and DOC file handling on PCs to open Trojan back doors. The campaign targets end users with a mix of email and drive-by downloads. The emails carry malicious PDF or DOC attachments with professional-sounding titles identical to those of legitimate documents. When a user opens the attachment, malware infects the PC.
A targeted user can inadvertently trigger a drive-by download by visiting either a legitimate website that has been compromised or a malicious site that looks almost identical to a genuine one. The malware then drops a file named ntshrui.DLL into the C:\Windows directory. The technique takes advantage of the order in which Windows searches for the DLLs an executable loads, beginning with the directory the executable itself resides in. A malicious DLL planted in the Windows directory is therefore loaded ahead of the genuine one, which gives the malware persistence.
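One defender-side check for the search-order trick just described, written as an added example rather than code from FireEye or the article: it reports DLLs sitting beside an executable that shadow a same-named DLL in System32. The directory listing, the vendor application path and the KnownDLLs subset are constructed for the example.

```python
r"""Added example (not from the article): flag DLL search-order hijack candidates.
The loader searches an executable's own directory before System32, so a DLL
dropped there (ntshrui.dll beside explorer.exe in C:\Windows) shadows the real
copy. KnownDLLs are exempt: the loader always maps those from System32."""
import os

# A few entries from the KnownDLLs registry list, hard-coded for the example; a
# live scan should read HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def shadowed_dlls(app_files, system_files, known_dlls=KNOWN_DLLS):
    """DLL names in an executable's directory that also exist in System32."""
    system = {f.lower() for f in system_files if f.lower().endswith(".dll")}
    exempt = {k.lower() for k in known_dlls}
    return sorted(({f.lower() for f in app_files} & system) - exempt)


def find_hijack_candidates(listing, system_dir):
    """listing maps directory -> file names. Only directories holding an .exe
    matter: a stray DLL is inert unless an executable beside it loads it."""
    system_files = listing.get(system_dir, [])
    findings = {}
    for directory, files in listing.items():
        if directory.lower() == system_dir.lower():
            continue
        if not any(f.lower().endswith(".exe") for f in files):
            continue
        hits = shadowed_dlls(files, system_files)
        if hits:
            findings[directory] = hits
    return findings


def listing_from_disk(root):
    """Build the same listing shape from a live filesystem (run on the Windows host)."""
    return {d: names for d, _, names in os.walk(root)}


# Constructed sample listing modelled on the Beebus drop described above.
SAMPLE_LISTING = {
    r"C:\Windows": ["explorer.exe", "notepad.exe", "ntshrui.dll", "win.ini"],
    r"C:\Windows\System32": ["ntshrui.dll", "kernel32.dll", "shell32.dll", "cmd.exe"],
    r"C:\Program Files\Vendor\App": ["app.exe", "vendor.dll", "kernel32.dll"],
    r"C:\Users\Public\Downloads": ["shell32.dll"],
}

if __name__ == "__main__":
    for d, dlls in find_hijack_candidates(SAMPLE_LISTING, r"C:\Windows\System32").items():
        print(f"{d}: possible hijack of {', '.join(dlls)}")
```

On the sample listing only C:\Windows is reported: the vendor app's kernel32.dll is a KnownDLL and the Downloads folder holds no executable to load its stray DLL.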
Beebus uses various modules to gather its intelligence. One module collects system information, including processor type and hardware resources. It also captures the process ID, process start time, and user information. Another module downloads payloads and updates. The malware establishes communication with a command-and-control server, encrypts and sends its information, and then waits for instructions from the server.
Campaign Origins Point to China
Based on the information to date, researchers believe that China originated the Beebus campaign. Beebus appears to be part of a highly orchestrated offensive by the Chinese government to steal U.S. industrial secrets relating to drone technology. All of the companies targeted were in aerospace and defense, and a significant number dealt with unmanned aircraft.
Darien Kindlund, FireEye senior staff scientist, acknowledged that researchers suspect China. "We have enough evidence that points heavily in that direction. We knew this was being done on behalf of a nation state." He also indicated that the effort was considered a fair success.
A number of correlations support the China connection. Beebus uses tools, techniques, and procedures, or TTP, resembling those used in Operation Shady RAT. This long-running operation against RSA, publicized in 2011, successfully targeted prominent organizations mostly in the United States. Security experts logged successful breaches against government agencies and defense contractors, among others. FireEye researchers established a link when they captured a Beebus sample referencing a hostname that included businessconsults.net. This same domain hosts the TCP proxy tool used in Operation Shady RAT. The chain of association continues with a link between the Operation Shady RAT perpetrators and an attack group known as the Comment Team or Comment Group. Both threat actors use obfuscated HTML comments as a TTP. The Comment Team has been tied to the Chinese government and is considered a nation-state group.