Researchers have discovered links between a number of different Chinese state intelligence operations and determined that several groups are indeed connected to the Winnti umbrella, known to operate under the Chinese government.
The 3 May report Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers was published by ProtectWise 401TRG. Key findings in the report noted that a number of previously disjointed Chinese state intelligence operations between 2009 and 2018 have been linked to the Winnti umbrella.
Over the course of the last decade, collective open-source intelligence from dozens of research firms, including but not limited to Kaspersky Lab, Bit9, FireEye, Mandiant, and Cylance, have helped researchers to conclude with a high degree of certainty that the groups are all linked to the Chinese state intelligence apparatus.
“We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus, with at least some elements located in the Xicheng District of Beijing,” said the report author, Tom “Hollywood” Hegel.
The groups operating under the Winnti umbrella have been linked together because of their consistent use of similar tactics, techniques and procedures (TTPs), despite some experimenting with new tool sets and attack methods. In addition to the Winnti name, the Chinese intelligence apparatus has also been known as PassCV, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF and has continued to experience success in 2018 without the use of exploits or malware.
“The overlap of TTPs and infrastructure between the Winnti umbrella and other groups indicates the use of shared human and technology resources working towards an overarching goal. Operational security mistakes allow the linking of attacks on lower value targets to higher value campaigns. Reuse of older attack infrastructure, links to personal networks, and observed TTPs play a role in this overlap,” Hegel wrote.
Efforts to hide their identity have been largely successful, but mistakes along the way have revealed that their “attacks against smaller organizations operate with the objective of finding and exfiltrating code signing certificates to sign malware for use in attacks against higher value targets,” he said.
“Phishing remains the initial infection vector but the campaign themes have matured. In 2018, the campaigns have largely been focused on common services such as Office 365 and Gmail,” Hegel wrote.
The Winnti umbrella and its associate groups remain an advanced persistent threat.