Security Companies Team Up, Take Down Chinese Hacking Group

Novetta, Microsoft, and others form Operation SMN to eradicate Hikit malware and disrupt the cyber espionage gang Axioms extensive information gathering.

A coalition of security companies has hit a sophisticated hacking group in China with a heavy blow. The effort is detailed in
a report released today
by Novetta. The coalition, which calls itself Operation SMN, detected and cleaned up malicious code on 43,000 computers worldwide that were targeted by Axiom, an incredibly sophisticated organization that has been stealing intellectual property for more than six years.
This effort was led by Novetta and included Bit9, Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect Intelligence Research Team (TCIRT), ThreatTrack Security, Volexity, and other unnamed organizations. Operation SMN is working independently of law enforcement or intelligence agencies. The group united as part of
Microsofts Coordinated Malware Eradication (CME) campaign
against Hikit (a.k.a. Hikiti), the custom malware often used by Axiom to burrow into organizations, exfiltrate data, and evade detection, sometimes for years.
Novetta had been closely investigating Hikit since early this summer. So when Novetta senior technical director Andre Ludwig learned about Microsofts
new CME program
-- which calls for organizations to pool their tools, information and actions to drive coordinated campaigns against malware -- he proposed that they go after Hikit together. But Axiom used a variety of tools to access and re-infect environments -- not just Hikit, but also Derusbi, Deputy Dog, Hydraq, and others. So, Ludwig says, they expanded the group and its scope so that we absolutely did the best possible job of cleanup and removal and rolled it all into
a Microsoft Malicious Software Removal Tool
(MSRT) released Oct. 14.
The work and the tool are comprehensive, but this may be only a temporary setback for Axiom, which is an exceptionally well-oiled attack machine.
Novetta says it has moderate to high confidence that Axiom is a well-resourced and well-disciplined subgroup of the state-backed Chinese Intelligence Apparatus. There are links between Axiom and some of the most sophisticated attacks in recent history, including
Operation Aurora
in 2010 and the
VOHO campaign
of 2012.
Axiom seems to be systematically gathering very deep information to support a mission from higher up. According to the report:
Axiom operators have been observed operating in organizations that are of strategic economic interest, that influence environmental and energy policy, and that develop cutting edge information technology including integrated circuits, telecommunications equipment manufacturers, and infrastructure providers.
The targets are relatively few, but the intelligence gathering is comprehensive, covering a variety of target organizations that were very deliberately chosen -- whether that be a technology manufacturer with trade secrets to steal or an NGO protecting government dissidents or whistleblowers.
Finding the ideal targets and getting to them quickly is one of Axioms greatest strengths. The report notes its ability to sift through large sets of infected machines to identify the highest-interest targets and then quickly (within hours or days) begin followup exploitation -- like escalating access privileges, creating shell utilities customized for the operational environment, and exfiltrating confidential information.
The target organizations are often related in some way, and the Hikit malware uses that to its advantage. As Ludwig explains, once Hikit has burrowed its way into a computing environment, it can create a mini-network, communicating laterally with other Hikit installations within the organization or related outside organizations, using each other as proxies and never communicating with the command-and-control server directly. And traffic flowing between legitimate organizations that are known partners will not look very suspicious.
Axiom actors also hide their tracks in other ways. The researchers discovered evidence that Axiom created multiple, segregated network infrastructures to carry out different stages of the attack.
As the report describes it, the entire Axiom operation is remarkedly orderly and disciplined. The individuals working for Axiom set up clear Hikit maintenance schedules, to ensure that an infection is still operating correctly and that there havent been any significant changes to the surrounding environment. Plus, the individuals are making it difficult for the good guys to identify them by avoiding risky behaviors, like using Axiom resources to visit personal websites.
According to the report, this displays a level of familiarity with investigative and forensics operations that clearly sets [Axiom] apart from the less sophisticated threat actors.
The legacy
Operation SMN is another example of competing security companies collaborating to take down a common adversary -- similar to the operations that took down Gameover Zeus and Blackshades, but without the participation of a government intelligence or law enforcement agency.
Ludwig says he hopes the industry as a whole moves to this more collaborative, proactive approach, instead of the old model of observe and report.
He also says that his companys executives were entirely supportive of this effort and were not worried about any negative business impacts of sharing their resources with other security companies. It does not help us to have a stranglehold on the information. The competitive edge, is not in having the information, but in using the information to protect customers.
Download the full report
here
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Security Companies Team Up, Take Down Chinese Hacking Group