Threat Attribution — Chimera “Under the Radar”

On 12 January 2021, Fox-IT & NCC Group published their detailed report, “Abusing Cloud Services to Fly Under the Radar”. The threat actor tracked in their report shared many similarities to the China-linked threat actor Chimera, whom CyCraft attributed to a year-long cyberattack targeting the Taiwan semiconductor industry just last year.

Much like Chimera, the threat actor mentioned in the Fox-IT & NCC Group report (referred to in this article as CUTR, Chimera Under the Radar) targeted intellectual property (IP) from the semiconductor industry; however, the report goes into further detail explaining how their threat actor’s targets were more diverse, including targeting sensitive data from the EU aviation industry.

In this article, we analyze and compare their research to ours.

Conclusions
  1. There is a strong probability the threat actor, CUTR, is Chimera as their IoCs, commonly used infra, tools, techniques, and behaviors are all very similar to Chimera; 42 of the 67 adversarial techniques used in both campaigns were identical.
  2. China-linked threat actors (e.g., Chimera, BlackTech, APT30) are known to share tools and attack methods with each other, making attribution challenging.
  3. Some differences in attack behavior may be due to differences in the victims’ architecture, security maturity, or geographic location (EU, not Taiwan). Different environments may require different TTP. TTP designed for infiltrating Taiwan’s semiconductor industry may require adjustment for the EU aviation industry and vice versa.
  4. Chimera was focused solely on the Taiwan semiconductor industry. CUTR showed “a wide set of interests,” including the EU semiconductor industry as well as aviation. While some China-linked threat actors have demonstrated an ability to adapt techniques, tools, and targets, sudden changes in attack behavior are not common — keeping true to the ideas behind Bianco’s Pyramid of Pain, as mentioned in the Fox-IT & NCC Group report. As TTPs are the hardest to change and tend to stay inflexible for longer periods of time, similar TTP usage between different attack campaigns/operations is a strong indicator of attribution.

Source — CyCraft Classroom: MITRE ATT&CK® vs. Cyber Kill Chain vs. Diamond Model

As mentioned in the FOX-IT & NCC Group report, Bianco’s Pyramid of Pain illustrates how difficult it is for an attacker to circumvent a particular attack method that has been stripped away from them. For example, while blocking a file or IP address is rather trivial for an attacker to get around, taking away an attacker’s tool is challenging; they will have to devise a new way of carrying out their objectives.

According to the Fox-IT & NCC Group report, “the largest overlap [between Chimera and their threat actor] is in the top half of the Pyramid of Pain: domain names, host artifacts, tools, and TTPs.”

We will compare Chimera with CUTR using the Pyramid of Pain model from the ground up.

Hash Values

The following table shows the hash of these IoCs. As depicted in the table, 3 of the hashes are identical to our research. Even though the identical WinRAR and get.exe can be easily used by other threat actors, the added inclusion of the Cloud exfil tool increases the probability of Chimera attribution.

Chimera primarily used both the Cobalt Strike Beacon and the Winnti backdoors during their operation against Taiwan’s semiconductor industry. CUTR was not observed using the Winnti backdoor but was observed using Cobalt Strike Beacon’s remote access functionality; however, we cannot confirm if it is the exact same Cobalt Strike Beacon as Fox-IT & NCC Group did not release the hash in their report.

HASHES

4d5440282b69453f4eb6232a1689dd4a
c9b8cab697f23e6ee9b1096e312e8573
133a159e86ff48c59e79e67a3b740c1e
328ba584bd06c3083e3a66cb47779eac
65cf35ddcb42c6ff5dc56d6259cc05f3
90508ff4d2fc7bc968636c716d84e6b4
dd138a8bc1d4254fed9638989da38ab1

IP address & Domain Name
None of the domain names are identical, but the behavior of abusing the cloud platforms such as Appspot or Azure Edge is aligned with our findings. This increases the probability of Chimera attribution.

Network & Host Artifacts

Some file names used are similar to our research. Here we list some similar naming schemes.

RecordedTV.ms
OneDrive.exe
update.exe
jucheck.exe

Tool

The tools used by their threat actor significantly overlap with our research into Chimera.

Cobalt Strike
OneDrive
Modified RAR
Cloud Service

TTP

According to the Pyramid of Pain model, TTP are the most difficult and less frequently changed methods of an attacker, suggesting that campaigns/operations with multiple similarities in TTP are most likely performed by the same threat actor.

Comparing the adversarial techniques used by Chimera and CUTR, 42 of the 67 adversarial techniques used in both campaigns were identical. Below are a few notable similarities and differences.

Techniques critical to both Chimera & CUTR’s attack behavior:
T1003.003 OS Credential Dumping: NTDS
T1003.001 OS Credential Dumping: LSASS Memory
T1053.005 Scheduled Task/Job: Scheduled Task
T1078 Valid Accounts

Observed only in CUTR:
T1574.002 Hijack Execution Flow: DLL Side-Loading
T1111 Two-Factor Authentication Interception
T1550.002 Use Alternate Authentication Material: Pass the Hash

Observed only in Chimera:
T1055.001 Process Injection: Dynamic-link Library Injection
T1556.001 Modify Authentication Process: Domain Controller Authentication

Differences in attack behavior may be due to differences in the victims’ architecture, security maturity, geographic location (EU, not Taiwan), or differences in visibility.

Both threat actors are China-based and located in the UTC +8 timezone.

The TTP used by both Chimera and CUTR are summarized below — mapped in the MITRE ATT&CK® framework.

Initial Access

both

T1133 External Remote Servic
T1078 Valid Accounts

Execution

both  

T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1053.005 Scheduled Task/Job: Scheduled Task
T1569.002 System Services: Service Execution‍
T1047 Windows Management Instrumentation

Persistence

both

T1133 External Remote Services‍‍
T1078 Valid Accounts

CUTR

T1574.002 Hijack Execution Flow: DLL Side-Loading

Privilege Escalation

both

T1078 Valid Accounts

Defense Evasion

both

T1140 Deobfuscate/Decode Files or Information‍
T1036.003 Masquerading: Rename System Utilities‍
T1036.005 Masquerading: Match Legitimate Name or Location‍
T1078 Valid Accounts

CHIMERA

‍T1055.001 Process Injection: Dynamic-link Library Injection

CUTR

T1070.001 Indicator Removal on Host: Clear Windows Event Logs ‍
T1070.004 Indicator Removal on Host: File Deletion ‍
T1070.006 Indicator Removal on Host: Timestomp ‍
T1574.002 Hijack Execution Flow: DLL Side-Loading ‍
T1550.002 Use Alternate Authentication Material: Pass the Hash‍

Credential Access

both

T1003.001 OS Credential Dumping: LSASS Memory‍
T1003.003 OS Credential Dumping: NTDS

CHIMERA

T1556.001 Modify Authentication Process: Domain Controller Authentication

CUTR

T1110.003 Brute Force: Password Spraying‍
T1110.004 Brute Force: Credential Stuffing‍
T1111 Two-Factor Authentication Interception‍

Discovery

both

T1087 Account Discovery‍
T1087.001 Account Discovery: Local Account‍
T1087.002 Account Discovery: Domain Account‍
T1083 File and Directory Discovery‍
T1135 Network Share Discovery‍
T1057 Process DiscoveryT1012 Query Registry‍
T1082 System Information Discovery‍
T1016 System Network Configuration Discovery‍
T1033 System Owner/User Discovery‍
T1124 System Time Discovery

CUTR

T1217 Browser Bookmark Discovery‍
T1482 Domain Trust Discovery‍
T1046 Network Service Scanning‍
T1069 Permission Groups Discovery‍
T1018 Remote System Discovery‍
T1049 System Network Connections Discovery‍
T1007 System Service Discovery‍

Lateral Movement

both

‍T1570 Lateral Tool Transfer‍
T1021.002 Remote Services: SMB/Windows Admin Shares

CHIMERA

T1021.001 Remote Services: Remote Desktop Protocol

CUTR

T1021.004 Remote Services: SSH‍
T1021.006 Remote Services: Windows Remote Management‍
T1550.002 Use Alternate Authentication Material: Pass the Hash

Collection

both

T1560.001 Archive Collected Data: Archive via UtilityT1119 Automated CollectionT1005 Data from Local SystemT1074.001 Data Staged: Local Data StagingT1074.002 Data Staged: Remote Data Staging

CUTR

T1213.002 Data from Information Repositories: SharePointT1039 Data from Network Shared DriveT1114.001 Email Collection: Local Email Collection

Command and Control

both

T1071.001 Application Layer Protocol: Web Protocols‍
T1071.004 Application Layer Protocol: DNS‍
T1573.002 Encrypted Channel: Asymmetric Cryptography‍
T1572 Protocol Tunneling

Exfiltration

both

T1020 Automated Exfiltration‍
T1030 Data Transfer Size Limits‍
T1041 Exfiltration Over C2 Channel‍
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage‍

Summary

Threat attribution is difficult.

China-linked threat actors are known to share tools and attack methods (and possibly even personnel) with each other. Differences in victim security operational culture, geographic location, system architecture, security maturity, industry, and defense technology can all lead to minor and major differences in attack behavior. There are always numerous factors to consider and weigh, making perfect attribution difficult.

However, the evidence presented after comparing research from both CyCraft and Fox-IT & NCC Group illustrates a strong likelihood that CUTR is Chimera.

Chimera and CUTR are both located in the UTC +8 timezone, are China-based, and have a strong overlap in IoCs, commonly used infra, tools, techniques, and behavior. 42 of the 67 adversarial techniques used in both Chimera and CUTR campaigns were identical.

CyCraft confirms with high confidence that CUTR is Chimera.

We would like to thank Fox-IT & NCC Group for their detailed report, added visibility into the Chimera threat, and added threat intelligence against this China-based threat actor so that SOCs can better defend their organizations and keep their data secure.

Related Resources
  1. Read CyCraft research to understand the increasing adoption of MDR, AI, and automation in cybersecurity — includes research from Gartner, Inc on why Midsize enterprises should embrace MDR providers.
  2. Effective SOCs aren’t bought; they’re built from the ground up. Avoid costly mishaps by understanding common SOC pain points.
  3. CyCraft detected and defeated a China-sponsored APT targeting Taiwan’s high-tech ecosystem. Read our full analysis and malware reversal.
  4. CyCraft AIR detected, contained, and eradicated multiple sophisticated cyberattacks targeting several Taiwan government agencies.
  5. CyCraft Classroom: MITRE ATT&CK vs. Cyber Kill Chain vs. Diamond Model

Writer: CyCraft

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.

Subscribe to CyCraft's Newsletter

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By clicking this button, you agree to CyCraft's privacy policy and consent to CyCraft using the information you provided to contact you. You may cancel your subscription at any time.