[Infowarrior] - first interdiction against a state advanced threat group
Richard Forno
rforno at infowarrior.org
Sun Nov 2 12:56:52 CST 2014
Begin forwarded message:
> From: dan
> Subject: referral: first interdiction against a state advanced threat group
> Date: November 2, 2014 at 1:27:32 PM EST
>
> http://www.novetta.com/files/9714/1446/8199/Executive_Summary-Final_1.pdf
>
> Axiom is responsible for directing highly sophisticated cyber espionage
> operations against numerous Fortune 500 companies, journalists,
> environmental groups, pro-democracy groups, software companies, academic
> institutions, and government agencies worldwide for at least the last
> six years. In our coordinated effort, we performed the first
> ever private-sponsored interdiction against a sophisticated state-
> sponsored advanced threat group. Our efforts detected and cleaned 43,000
> separate installations of Axiom tools, including 180 of their top tier
> implants. This report will expand upon the following key findings:
>
> * A coordinated effort across the private sector can have
> quantifiable impact on state-sponsored threat actors.
>
> * The Axiom threat group is a well-resourced, disciplined,
> and sophisticated subgroup of a larger cyber espionage group that has
> been directing operations unfettered for over six years.
>
> * Novetta has moderate to high confidence that the
> organization tasking Axiom is a part of the Chinese Intelligence Apparatus.
> This belief has been partially confirmed by a recent FBI flash released
> to Infragard stating the actors are affiliated with the Chinese
> government.
>
> * Axiom actors have victimized pro-democracy
> non-governmental organizations (NGO) and other groups and individuals
> that would be perceived as a potential threat to the stability of the
> Chinese state.
>
> * Axiom operators have been observed operating in
> organizations that are of strategic economic interest, that influence
> environmental and energy policy, and that develop cutting edge
> information technology including integrated circuits, telecommunications
> equipment manufacturers, and infrastructure providers.
>
> * Later stages of Axiom operations leverage command and
> control infrastructure that has been compromised solely for the
> targeting of individual or small clusters of related targeted
> organizations.
>
> * Axiom uses a varied toolset ranging from generic malware
> to very tailored, custom malware designed for long-term persistence that
> at times can be measured in years. In descending order of observed
> scarcity these families are:
>
> Zox family (ZoxPNG, ZoxRPC)/Gresim
> Hikit
> Derusbi
> Fexel/Deputy Dog
> Hydraq/9002/Naid/Roarur/Mdmbot
> ZXShell/Sensode
> PlugX/Sogu/Kaba/Korplug/DestroyRAT
> Gh0st/Moudour/Mydoor
> Poison Ivy/Darkmoon/Breut
>