Khaan Quest: Chinese Cyber Espionage Targeting Mongolia

Executive Summary:

The ThreatConnect Intelligence Research Team (TCIRT) has identified a weaponized Microsoft Word document that contains a Concept Development Conference (CDC) announcement for the joint US and Mongolia military exercise called Khaan Quest 2014.  Retrospective TCIRT research identified additional decoy documents, written in Mongolian, themed around events like the Mongolian presidential election, held in June 2013. KQ2013This activity represents Chinese Computer Network Exploitation (CNE) activity against Mongolian entities and others that have economic, military, or diplomatic relations with Mongolia.  Mongolia’s attempt to steer a more independent path by reaching out to what it calls “third neighbors,” such as the United States, Japan, South Korea, and the European Union, is possibly prompting China to conduct CNE. This would help China maintain awareness of changes in Mongolian relations with the US and other Western influences and protect their national interests in Mongolia.

Details associated with this threat have been shared within all ThreatConnect Communities as Incident “20130910A: KQ14 – CDC Document Exploit”.

Analysis of Khaan Quest 2014 CDC Message:

The TCIRT has identified a weaponized Microsoft Word document that appears to be an official unclassified announcement from the US Army Pacific, notifying Army, Marine Corps and State Department entities of a pre-planning CDC for a US military exercise, Khaan Quest 2014. This document “DRAFT MSG – KQ14 – CDC ANNOUNCE MESSAGE.doc” (MD5: F541CADA66C9E801976C30DEEF4AD42D) exploits CVE-2012-0158 and drops an implant (MD5: 6AB333C2BF6809B7BDC37C1484C771C5) that calls out to the malicious command and control (C2) domains peaceful.linkpc[.]net, mongolia.regionfocus[.]com, and mseupdate.strangled[.]net.

unclass

Additional Mongolian Defense Exercise Targeting:

Additional TCIRT analysis identified a document “VN Tsergiin acedemy update.doc” (MD5: 65587968eead577c54d55db170ca2fd2) exploiting CVE-2012-0158 that dropped the same malicious implant (MD5; 6AB333C2BF6809B7BDC37C1484C771C5) and calls out to the same domains as the Khaan Quest document.  This document is written in  Mongolian and appears to be an official Ministry of Defense announcement of plans for military training with the Vietnamese military.  This may indicate that a broader targeting campaign is occurring against Mongolian Ministry of Defense entities responsible for plans and exercises.

vietmongo

 

When executed, both of the documents are engineered to exploit CVE-212-0158 and drop the same malicious implant, “DW20.exe” (MD5: 6AB333C2BF6809B7BDC37C1484C771C5) and interact with the same C2 infrastructure.Comment_Graphic

 

Once successfully installed on the victim host, the implant issues a GET request to the following hardcoded path and file /2011/n325423.shtml:

KQ_Wireshark_23Sep13

 

The implant also contains the following hardcoded C2 strings:

StringsKQ

 

ThreatConnect Infrastructure Enrichments:

Follow-on research identified additional C2 domains. The TCIRT observed numerous common infrastructure overlaps peaceful.linkpc[.]net, mongolia.regionfocus[.]com, and mseupdate.strangled[.]net.  As of early October 2013, all of the C2 domains identified in these examples have overlapped, resolving to a common IP Address 113.10.205[.]236 (Hong Kong).

Comment_Bubble

Retrospective analysis of domain resolutions from October 7th 2011 to October 7th 2012 reveal that the threat actors have consistently used common infrastructure, such as IP addresses 58.64.200[.]105 and 58.64.200[.]106 (Hong Kong).

C2s

 

A Nexus to China:

TCIRT analyzed the registration point of contact information for the domains that were hardcoded in implant MD5: 6AB333C2BF6809B7BDC37C1484C771C5 and previously resolved to IP addresses 58.64.200[.]105 and 58.64.200[.]106.  Analysis was performed to discover any connections between the contact information provided to register the malicious domains and any personal information posted on the Internet by an adversary that may have been responsible for this activity.  The following email addresses have been used to register the domains of interest.

Analyst Comment: The TCIRT recognizes that there are other domains and subdomains associated with these malicious registrants, however the focus is in the context of the referenced activity.

chart_yyan

Research on the email address that was identified within the registration of the regionfocus[.]com domain “yyan_79@hotmail[.]com” reveals a 2008 academic research paper entitled “Research on P2P File Sharing Anti-pollution Strategy”. yyan_paper The identified research paper was authored by a Chinese female named “Yun Yan” who was born in 1979 and was a doctorate research student in the Department of Electronic and Information Engineering at the Dalian University of Technology in China.

yunyan_en

A Nexus to “Comment Crew” aka “APT1″:

As of  October 5 2013, the TCIRT identified an additional malware sample (MD5: FD708F4594F24430204C19536801BCD9) that issues the same GET request, “/2011/n325423.shtml”, and calls out to mongolia.regionfocus[.]com.  This file was compiled on October 5 2013, at 07:18GMT and submitted to VirusTotal at 07:23GMT (five minutes later), indicating that the adversary may have been testing the malware for antivirus detection. TCIRT analysis of the binaries and tradecraft employed in the activity described above suggests that “Comment Crew”, aka “APT1”, is likely using this custom implant as well.  The “/2011/n325423.shtml” in the GET request has been previously identified within several APT1 data sets. Retrospective analysis of a known APT1 malware sample MD5: 5100f0a34695c4c9dc7e915177041cad (as seen in appendix Erevealed the same GET request for “/2011/n325423.shtml” and legacy C2 nodes that resolved to hardcoded IP address 68.96.31[.]136 (Omaha, Nebraska).

three_horses

This research identified multiple legacy APT1 domains resolving to 68.96.31[.]136 at various points from September 18th, 2010 until mid February 2013 when the APT1 report was publicly released and the malicious infrastructure was subsequently sinkholed.

136_chart

The “Safe” Campaign Continues:

The TCIRT analyzed another separate binary (MD5: 32263b37d8a06595860db2ebdd4ba649) that also exploited a CVE-2012-0158, but dropped a different malware implant that communicated with separate C2 infrastructure.  In this case, the decoy document was also written in Mongolian but appears to be unrelated to the two previous examples as described above.  When translated, the document references the June 2013 Mongolian presidential election.

Analyst Comment: The TCIRT is not suggesting that the “Comment Crew” activity described above and the “Safe” campaigns are in anyway linked or associated.

Safe

 

When executed, the document drops the following files in the C:DOCUME~1ADMINI~1LOCALS~1TempSafeNet directory:

safe

 

SafeCredential.DAT also has the following hardcoded C2 strings including the C2 domain mongolbaatarsonin[.]in, and RC4 encryption key, and a campaign tag of “0411”:

0411The malware implant dw20.EXE(MD5: 7E1033C4304DC57DBAAD38D5AEF3D6B3) was designed to communicate over HTTP, when executed and included a unique User-Agent string, “Fantasia”: record The activity identified within this instance is similar to activity that TrendMicro has dubbed “Safe” and recognizes this malware as TROJ_DROPER.SMA. In their March 2013 paper, TrendMicro describes a very similar attack using the same implant type but two different sets of C2 servers, one of which included the domains, mongolbaatar[.]us and mongolbaatarsonin[.]in. According to TrendMicro, this infrastructure was used to target Mongolian and Tibetan victims. This example demonstrates a continued interest on the part of the “Safe” threat actors in targeting individuals and organizations affiliated with Mongolian issues.

Likely Attacker Motives:

US Military Support for Mongolia

Khaan Quest is an annual exercise hosted by the Mongolian Armed Forces with co-sponsorship alternating between the US Marine Corps Forces, Pacific and US Army Pacific. Approximately 1,000 troops from Mongolia, United States, Australia, Canada, France, Germany, Japan, India, Nepal, Republic of Korea, Tajikistan, United Kingdom and Vietnam took part in the exercise between 3 and 14 August 2013.  This is a prime example of the Mongolian military benefiting from US military cooperation and support.  The US has afforded Mongolian officers, citizens, and Foreign Service personnel the opportunity to attend military academic and training institutions across the US; engage in multiple training programs alongside US military personnel; and be given large amounts of technical support and upgrades.  In the past, Mongolia’s military has been developed and maintained largely by either Soviet Russia or China. Mongolia does not wish to repeat this scenario for fear of over-reliance on its powerful neighbors, and their possible political and military coercion, so it looks to the US for support in developing Mongolia’s military. As Mongolia does not share a border with the US, and has no history of US interference, it can comfortably develop a bilateral alliance with the US. The Chinese government regards the US as “a potential foe” which is threatening to deploy an encirclement strategy connecting from Central Asia to Mongolia.  Exercises such as Khaan Quest embody China’s perceived US encroachment in the region.  Beijing cannot afford to overlook the importance of developing relations with Mongolia to counter what they perceive as a US encirclement strategy.

Mongolian Foreign Relations

Mongolia became the 57th nation to join the Organization for Security and Co-operation in Europe (OSCE) on 21 November 2012. The OSCE Office for Democratic Institutions and Human Rights (ODIHR) also monitored the 26 June presidential election in Mongolia. ODIHR was invited by the government of Mongolia to observe the presidential election, in line with the country’s commitments as an OSCE participating State. In spite of the vast borders it shares with Russia and China, Mongolia is attempting to steer a more independent path by reaching out to what it calls “third neighbors,” such as the United States, Japan, South Korea, and the European Union, in order to preserve its independence. Mongolia hopes that engagements such as joining OSCE will alter the dynamics of the region, so that it will move from being bound by Russia-China geopolitics to becoming a fully independent member of the region and international society. A strategic pivot westward by Mongolia only diminishes Chinese influence.

Investment in Mongolia by China

Lying beneath Mongolia’s storied lands is an estimated $1.3 trillion in mineral resources such as coal, iron ore and copper. In 2011, China was a consumer of nearly 8 million metric tons of copper, accounting for 40% of the world’s total. By 2014, it is expected that China will consume nearly 84% of the world’s copper. A burgeoning natural resource and mining sector is expected to make Mongolia’s the second fastest growing economy worldwide in 2013, building upon over a decade of rapid economic expansion. The Oyu Tolgoi mine, a combined open pit and underground mining project in Mongolia, is the largest financial undertaking in Mongolia’s history and is expected to reach 500,000 tons of copper output annually. The Oyu Tolgoi mine is being developed as a joint venture between companies Turquoise Hill Resources, Rio Tinto and the Government of Mongolia. China imported 7% of its copper from Mongolia in 2012, when Oyu Tolgoi was just starting up. By having a mine like that on their doorstep, it would decrease China’s reliance on copper from Latin America, particularly Chile, where China gets over 74% of its copper. Beginning in the 1990s, China has become Mongolia’s biggest trading partner, and numerous Chinese businesses are operating there. China has been the largest investor in Mongolia since 1998 and its largest trading partner since 1999. In 2009, the bilateral trade figure stood at $2.4 billion with China importing $1.3 billion worth of commodities, which accounted for more than 70 per cent of Mongolian exports. According to official Mongolian statistics, China invested a total of $2.3 billion dollars in 2009, more than 60 percent of the total foreign investment in Mongolia.

Conclusion:

This activity represents Chinese Computer Network Exploitation (CNE) activity against organizations that China perceives to be jeopardizing its interests in Mongolia. As evidenced in the weaponized Khaan Quest document described above, Chinese APT groups will likely continue targeting US military entities involved in cooperation activities with the Mongolian military. Also, western European and other governments that engage with Mongolia diplomatically will be considered CNE targets as well. China’s heavy economic investment in Mongolian natural resources will likely continue to fuel cyber espionage efforts against commercial entities, particularly mining and energy exploration companies that may compete with Chinese mining and energy companies in Mongolia. Details associated with this threat have been shared system wide within all ThreatConnect Communities as Incident “20130910A: KQ14 – CDC Document Exploit”. If your organization is interested in obtaining regular crowd-sourced threat intelligence that increases your awareness of existing or emerging threats please register at ThreatConnect, join our communities, connect and collaborate together.

Leave a Comment

You must be logged in to post a comment.

Product
Methodology
Why ThreatConnect
Resources
News & Events
About
Partners