Last week, I had the pleasure of speaking at Virus Bulletin on the recent news of iPhone (first reported on by Google Project Zero) and Android (first reported on by Volexity) mobile malware being used to target Tibetans (as reported by Citizen Lab) and Uighur Muslims inside and outside the People’s Republic of China. Lots of great research is linked above and you should definitely read it.

Whenever events like these occur, researchers from many organizations each investigate pieces of the activity. If you are interested in Chinese APT attacks against these groups, certainly take a look.

One of the most interesting things to me when looking into these attacks is the sophistication and persistence of the adversary. As vulnerabilities got patched, they reused what pieces they could from their earlier attacks and discovered new vulnerabilities to maintain their ability to act on their surveillance objectives. Some of the tools used indicate relationships to other Chinese APT groups, and certainly these types of attacks could be used against truly foreign adversaries as well.

Testing Security Automation

One of the often discussed weaknesses of security automation is the view that targeted and sophisticated attacks will often not trigger enough warning for security automation to find them and to take some automated action on their adversarial infrastructure.

In this case, I took a look at the indicators produced by other companies and those I was able to substantiate, determined whether our services had them blocked, and compared that to how quickly other services were also able to report on those indicators.

What I noticed is that ThreatSTOP had these indicators in our policies within 24 hours of publication of the first reports involved. Other providers (a far from exhaustive sample) took up to an additional week to identify and block the same network indicators. This is important because in the present case, the Chinese APT group involved almost immediately tore down their infrastructure once it was exposed, as you would expect a sophisticated nation-state group to do.
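The comparison above is easy to reproduce for your own providers: record when each network indicator was first published in a report and when each blocklist first contained it, then measure the lag. The script below is an added example, not ThreatSTOP code; the indicator names, timestamps and provider names are all constructed for illustration, and the 24-hour threshold is an assumed service-level target.

```python
"""Measure how quickly each blocklist provider picked up published indicators.

Added example (not ThreatSTOP code). The indicators, timestamps and provider
names below are constructed for illustration only.
"""
from datetime import datetime
from statistics import median

# Constructed data: when each network indicator first appeared in a public report.
PUBLISHED = {
    "c2-a.example": datetime(2019, 8, 29, 18, 0),
    "c2-b.example": datetime(2019, 8, 29, 18, 0),
    "c2-c.example": datetime(2019, 9, 2, 9, 0),
    "c2-d.example": datetime(2019, 9, 2, 9, 0),
}

# Constructed data: when each hypothetical provider first blocked the indicator.
# A missing entry means the provider never blocked it during the observation window.
PROVIDER_BLOCKS = {
    "provider-fast": {
        "c2-a.example": datetime(2019, 8, 30, 2, 0),
        "c2-b.example": datetime(2019, 8, 30, 6, 0),
        "c2-c.example": datetime(2019, 9, 2, 20, 0),
        "c2-d.example": datetime(2019, 9, 3, 1, 0),
    },
    "provider-slow": {
        "c2-a.example": datetime(2019, 9, 4, 12, 0),
        "c2-b.example": datetime(2019, 9, 5, 0, 0),
        "c2-c.example": datetime(2019, 9, 6, 9, 0),
    },
}


def lag_hours(published, blocked):
    """Hours from public report to block; a block that predates publication counts as zero."""
    return max((blocked - published).total_seconds() / 3600.0, 0.0)


def coverage_report(published, provider_blocks, sla_hours=24.0):
    """Per provider: fraction of indicators blocked at all, fraction blocked within
    the SLA, and the median lag in hours over the indicators it did block."""
    report = {}
    total = len(published)
    for provider, blocks in provider_blocks.items():
        lags = [lag_hours(published[ind], when)
                for ind, when in blocks.items() if ind in published]
        within = sum(1 for lag in lags if lag <= sla_hours)
        report[provider] = {
            "covered": len(lags) / total,
            "within_sla": within / total,
            "median_lag_hours": median(lags) if lags else None,
        }
    return report


if __name__ == "__main__":
    for name, stats in coverage_report(PUBLISHED, PROVIDER_BLOCKS).items():
        print(name, stats)
```

Indicators that a provider never picked up still count against its coverage fraction, which matters here: an indicator that is only blocked after the adversary has torn down the server protects nobody.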

It is also important for the victims as many items of data stolen from these phones (for instance, long-lived access tokens to services like Gmail) could still be leveraged even after the C2 servers were taken down. In this case, there is definite physical risk to the victims here and faster notification of compromise is essential to the protection of these ethnic and religious minorities in a portion of the world where they face very real risks.

Security automation, while not a panacea, is an essential component of ensuring that intelligence is acted on quickly enough to protect even against sophisticated threats. Even if only 95% of the process is automated, that greatly reduces the window of time between compromise and detection, so that not only disadvantaged groups but any organization can limit the damage an attacker causes and prevent exploitation in the first place.

