Earlier this month, Novetta took their initial public action in the first Coordinated Malware Eradication (CME) campaign against Win32/Hikiti and its associated threats.
Today, Novetta released a comprehensive report that describes in detail the threats and threat actors, known as Axiom, targeted in this campaign.
Axiom is a well-resourced, disciplined, and sophisticated threat actor that analysts believe has been conducting espionage operations online since at least 2008. Since then, Axiom has pursued a wide variety of targets such as government agencies, global Fortune 500 companies, shapers of economic and environmental policies, and developers of cutting-edge information technology and telecommunications equipment. They have also targeted political activists, Non-Governmental Organizations (NGOs), and journalists.
If you know or suspect that your organization was affected by this threat, we highly recommend you run a full scan of your PC with a Microsoft security product or software from another trusted security vendor to ensure Hikiti and other malware are detected.
The Novetta report can help you discover other indicators and behaviors of Hikiti malware and other related threats used by these actors. It also explains how Axiom can set up their architecture in an infected environment.
Many thanks to our security partners F-Secure, FireEye, ThreatConnect, ThreatTrack Security, Volexity, Symantec, Tenable, Cisco, and iSIGHT for working with us and Novetta on this campaign. As we mentioned in our initial post, collaboration across private industry is crucial to addressing advanced persistent threats. This campaign is the first of many that we are launching through our CME program.
The Novetta paper focuses on the technical and operational aspect of Hikiti and Axiom, and I am going to focus on how this CME campaign got started, how it went, and what we learned.
Early beginnings
This campaign kicked off at the FIRST Conference in Boston just after the presentation on the CME program. I was introduced to Andre Ludwig from Novetta, who said he had an idea for a CME campaign. Hikiti, although small in overall prevalence, was broad in the number of environments it impacted globally. In other words, it takes only one infection to have a large impact to an organization or an individual.
Putting together the plan
We pulled together a long and distinguished list of security experts from multiple organizations and the campaign started to take shape. In a campaign, we typically analyze several aspects of the target malware to assess methods for eradication:
- Distribution and infection vector
- Monetization
- Actor/attribution
Because Axiom targeted specific individuals and organizations, a methodical process of shutting down parts of the infection vectors (spear phishing, watering hole attacks) didn’t make sense. Although the malware authors may be interested in the value of intellectual property, there was no evidence of commercial buying and selling of the information they were collecting. From what the team knew about Axiom, it was unlikely they could be arrested (there are more details about this in the Novetta paper) meaning traditional tactics wouldn’t apply to this campaign. What was missing, however, was widespread detection and knowledge about how these actors worked and the tools they used so that every organization, both big and small, large security team or not, could have all the pertinent details to discover if they had been impacted by this threat and discover any collateral damage.
We developed a plan focused on two primary objectives.
First, we planned a simultaneous release of widespread detection for one of the more advanced, later stage components of these actors (Hikiti), along with related initial and secondary stage threats, such as Derusbi, Mdmbot, Moudoor, Plugx, and Sensode (see the comprehensive list in the Novetta report). Second, we planned to release detailed information about Axiom’s toolkit to help any affected organization effectively detect and mitigate its impact (our action today). Essentially, our plan was to fight the adversary with a plethora of public information to make it difficult for them, in their current incarnation, to hide.
Executing the plan and lessons learned
From an operational perspective, this campaign had fewer logistical components. There were no take-downs to execute and no arrests, so the timeline moved fast. Novetta created several documents to foster collaboration, created a common voice for the group, organized all of the team’s research, and ensured that everyone was in synch with timelines and messaging. We are now building templates based on what we learned and putting them back into the program for others to use.
We have more lessons learned, of course. The team will be meeting to discuss these lessons in depth, so that we can incorporate them back into the program.
What’s next
This campaign was a great first for the CME program. Thanks goes to the entire team that contributed samples, insight, analysis, reviews, and telemetry to the campaign, including our own Francis Tan Seng and Peter Cap. A special thank you to Andre Ludwig, who was our model campaign leader, and the entire Novetta team. We learned much from the operational expertise brought to this campaign from Andre and the rest of our partners. We’re building those learnings back into the program so that all future campaign leaders can leverage that experience. We have several campaigns already in progress, so look for more information about them in the upcoming months.
If you are one of our VIA members, or want to join us to lead the fight against malware like Novetta, have a look at the CME program page or reach out to us at cme-invite@microsoft.com.
Holly Stewart
MMPC
Clik here to view.