China's long-running hacking efforts may be more extensive than first thought. Security researchers at ProtectWise's 401TRG team have determined that a long series of previously unconnected attacks are actually part of a concerted campaign by Chinese intelligence officials. Nicknamed the Winnti umbrella, the effort has been going on since "at least" 2009 and has struck game companies (like Nexon and Trion) and other tech-driven businesses to compromise political targets.
There are common methods and goals to the attacks. They usually start with phishing to trick someone into compromising the company network (often using political bait), and then use a mix of custom and off-the-shelf malware to collect info. They'll often stay undetected by "living off the land" with the victim's own software, such as system admin tools. The intuders are primarily looking for code signing certificates and "software manipulation," according to the report.
The perpetrators also make occasional mistakes, and it's those slip-ups that helped identify the Chinese origins. They normally use command-and-control servers to hide, but they inadvertently accessed some machines using IP addresses from China Unicom's network in a Beijing district.
Even with these mistakes, the Winnti umbrella is an "advanced and potent threat," 401TRG said. It's also a not-so-subtle reminder that China's state-backed hacking efforts are deeper than they seem at first glance -- hacks that appear to be one-off incidents may be linked if you look for subtler similarities.