China group attacks India with Word exploit, then uses Microsoft's WMI

The hacking group seeks geopolitical information

A hacking group suspected of operating from China has had success stealing information from mostly Indian targets, often pertaining to border disputes and trade issues, according to FireEye.

The gang specializes in sending targeted phishing emails to victims in the hope of gaining wider access to their networks, a practice known as spear phishing, said Bryce Boland, CTO for Asia-Pacific at the security firm.

FireEye hasn’t give a name to the group, but has watched it since 2011, Boland said.

The company has gathered data on the group based on attacks attempted against its customers. Analysis of Internet infrastructure used by the group, including command-and-control servers, have given insight into the scope of its operations, Boland said.

“In some cases, we’ve found not just our customers but many other organizations that are being targeted as well and actively being breached,” he said.

Some of the latest spear-phishing emails have an attached Microsoft Word document, Boland said. The document contains an exploit for a now-patched vulnerability in Word dating from 2012.

The vulnerability is “really ancient,” Boland said. Still, it’s effective if organizations haven’t patched.

“For the most part, most governments across Asia have relatively less mature cybersecurity defensive capabilities,” he said. “They’re less effective today in patch management.”

Once a user is compromised, this group's attackers are using a script, nicknamed WATERMAIN, that leverages Windows Management Instrumentation (WMI) to explore computers and the network.

WMI is a powerful tool used by administrators and can be used for searching across machines on a network, distributing software and executing commands.

There’s often not a lot of logging and monitoring of WMI activity within organizations, which makes using it advantageous for the attackers, Boland said.

The group has targeted more than 100 entities of which around 70 are in India. But the group has also sought to compromise targets in Pakistan, Nepal and Bangladesh.

Boland said FireEye decided to release the information to show that organizations in Asia are also subject to these kinds of specific attacks.

Typically when FireEye releases information, the cyberattackers will change their tactics in order to be less obvious. Boland said he expects this group will recognize itself, since not many others use WMI as part of their attacks.

"I think they'll know they got caught," he said.

Having to change tactics comes with a price, however, and raises the attackers' operating costs, which is good.

"We want to force them to invest," he said.

Join the CSO newsletter!

Error: Please check your email address.

More about FireEyeMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place