China, Vietnam and PlugX Dominate APT Landscape

China and PlugX malware were the most prolific entities in the advanced persistent threat (APT) space in 2014—with Vietnam and Goblin Panda respectively the most targeted country and the most active adversary for the year.

That’s according to CrowdStrike’s annual Global Threat Intel Report, which provides insight into 39 different advanced adversary groups.

"The adversaries we tracked last year were dynamic, persistent, and innovative. In fact, we saw several intrusions that did not use traditional malware in their attempts to penetrate and gain entry into enterprise networks," said Adam Meyers, vice president of intelligence at CrowdStrike, in a statement.

PlugX was by far the most used malware variant for targeted activity during 2014, the firm found, proliferating especially among China-based targeted intrusion adversaries.

“The malware has been around for years and has been used by multiple Chinese actors for quite some time; however, the frequency of PlugX use during 2014 revealed just how prominent it is,” CrowdStrike said in the report. “It is possible that there is a central malware dissemination channel supplying many Chinese adversaries and this is why so many groups are now using it. It is also possible that groups not using it in the past were more recently able to obtain it via the underground or public malware repositories.”

PlugX is used by more advanced China-based adversaries such as Aurora Panda, and adversaries of a lower level of sophistication, including Goblin Panda.

From late spring through summer, Goblin Panda conducted consistent targeted intrusion operations targeting organizations in Vietnam focused on tensions in the South China Sea. These campaigns relied primarily on spear-phishing with malicious documents that dropped malware (mostly PlugX) along with Vietnamese-language decoy documents. The content of these decoys often came from documents produced by Vietnam’s government, which “indicates that the adversary possibly infiltrated the government’s network and was using stolen documents in its operations,” CrowdStrike said.

The frequency of Goblin Panda’s operations, and targeted activity aimed at Vietnam in general, tailed off in the final months of 2014, but the volume of activity in spring and summer was enough to push them to the top of CrowdStrike’s targeting stats.

China-based adversaries were and will continue to be the most prolific in the targeted intrusion space, but public reporting on a number of actors linked to Iran and Russia show the breadth of the threat from targeted intrusion operators, the firm noted.

Malicious activity related to elections in Ukraine and Hong Kong underscore the threat that state-sponsored adversaries pose to democratic processes. For instance, during the Umbrella Revolution that dominated the streets of Hong Kong during the summer and fall of 2014, Chinese adversary groups were observed “broadly targeting any and all organizations related to the civil unrest in a wild attempt to collect intelligence on the protestors and their movements,” CrowdStrike said.

Going forward, it’s clear that the APT scene will only get more crowded. CrowdStrike Intelligence team identified and analyzed well over a dozen new adversary groups worldwide in 2014. At the same time, 2014 saw a big uptick in hacktivist and nationalist activities from Lizard Squad, Deadeye Jackal (aka, the Syrian Electronic Army) and Fraternal Jackal across the board.

“During the course of 2014, CrowdStrike observed the continued proliferation of targeted intrusion activity. Nation-states understand the value of collecting intelligence in the information domain and are mobilizing resources to capitalize on the intelligence opportunities that exist there.

What’s Hot on Infosecurity Magazine?