Trend Micro, the anti-virus firm, has published a report on a cyberespionage operation targeting US defense contractors.
Key individuals, who are believed to be part of a China-based attack group, have been stealing years of valuable government and corporate information from defense and high technology organizations in the US since 2013 and political and government-related entities in China, Hong Kong, and the Philippines since 2010.
This shift in targets is highly notable for the active cyber espionage operation we dubbed “Operation Iron Tiger.” We believe that the threat actors have simply moved up in the food chain and were assigned new, high-level targets to spy on, all as part of a bigger espionage campaign.
US defense contractors were only fairly recent targets based on the operation’s history, which we traced to spear-phishing in 2010. “Foreign policy,” “future of the US Army Officer Corps,” and “economic development” are only a few of the keywords that threat actors have been using in spear-phishing attacks against directors and project managers of technology-inclined US government contractors.
The threat actors have stolen emails, full Active Directory dumps, intellectual property, strategic planning documents, and budget- or finance-related content—all of which can be used to sabotage target governments or private organizations’ plans. From what we have seen, the amount of stolen information could reach up to terabytes worth of data. We’ve even seen them nab up to 58GB worth of data from a single target.
Key individuals using the online aliases PHPXSS, EXENULL, ERSHAO, and MYERSHAO are believed to be spearheading this operation. We found convincing evidence pointing to China as the threat actors’ primary location. These indicators include the use of virtual private network (VPN) servers only accepting registration from China, Chinese file names and passwords, and China-registered domains. Specifically following two virtual aliases, “Phpxss” and “Ershao,” we were able to attribute operational activities to a key personality physically located in China.