Updates Sept. 19, 2015 14:26/18:51 EDT: The report at Trend Micro has been removed. Comments from Trend Micro have been requested and responses will be posted when received. Today's followup post is here: Report: Chinese Hackers Used OPM Data To Steal US Military Intel; 'Significant Risk To US Military'.
Update 20:35: A cached copy of the Operation Iron Tiger report is available here. As of Sept. 29, 2015 21:13 - Cache is timing out now. Unable to stabilize it.
Sept. 22, 2015 12:25 AM EDT - Yesterday Jon Clay, senior manager, global threat communications, Trend Micro, stated: “We are currently reviewing new information related to the ‘Operation Iron Tiger’ report and the current version is no longer available. Thank you for your patience and understanding.”
I did not update earlier as I requested further comment, not received. Story developing.
A high-level hacking group dubbed Iron Tiger has been observed stealing trillions of bytes of confidential data from the United States government, US defense contractors and related companies in the United States and abroad, security company Trend Micro reports in its research paper posted Tuesday, Operation Iron Tiger: Exploring Chinese Cyber Espionage Attacks on U.S. Defense Contractors.
Numerous U.S.-based security tech intensive companies were hacked and continuously monitored since 2013 until this year, Trend Micro reports. Dr. Ziv Chang, Sr. Director, Cyber Safety Solutions, Core Technology at Trend Micro and first author on the report, informed me by direct message (confirmed by email) that the attackers’ aims to target very important persons, engineers, and public relations/communication officers was evidenced even as recently as February 17, 2015, when mail of a corporate strategic director at Westinghouse Electric Company was breached. Dr. Chang informed me that he believes that "China based Iron Tiger hacking group is a highly active, continuous advanced persistent threat that continues to attack the U.S."
In its blog announcing the paper, Trend Micro stated that “Operation Iron Tiger is a targeted attack campaign discovered to have stolen trillions of bytes of data from defense contractors in the U.S., including stolen emails, intellectual property, and strategic planning documents.” The report further details that targets of Iron Tiger included military defense contractors, intelligence agencies, FBI-based partners, and the U.S. government. The private entities were tech-based government contractors in the electric, aerospace, intelligence, telecommunications, energy, and nuclear engineering industries.
Iron Tiger was observed exfiltrating up to 58GB worth of data from a single target, more than was stolen in the Sony attack. It could have potentially stolen up to terabytes of data in total, Trend Micro reports. It is highly environmentally adaptive and otherwise sophisticated and well organized, potentially merely an arm of a larger, multi-teamed operation with various targets.
China is convincingly Iron Tiger’s home base
The primary situs of China as the operatives’ home base was convincingly evidenced by the facts that the operatives used virtual private network (VPN) servers that only accepted China-based registrants, used Chinese file names and passwords, and operated from China-registered domains, according to the report. Some of Iron Tiger’s actions were also attributed Iron to an individual physically located in China.
Iron Tiger transformed from Emissary Panda in huge geographical and target shift
Iron Tiger is believed to be a transformation of a hacking group known since 2010 as Threat Group 3390 or “Emissary Panda.” The threat actors shifted their focus from east Asian political targets to United States government and defense industry targets. “The actors have stolen emails, full Active Directory dumps, intellectual property, strategic planning documents, and budget- or finance-related content—all of which can be used to sabotage target governments’ or private organizations’ plans,” the report states.
Update Sept 17, 2015 04:00 EDT: This report comes less than week before high-level US-China diplomatic meetings including China President Xi’s first state visit. It also follows intense private cyber security meetings that concluded with the Obama administration indicating that it would hold off on previously-threatened cyber sanctions.
