Share :
2019-09-19

‘Tick’ing Time Bomb: Critical Analysis of the Tick Threat Actor Group

skull

In today’s world, Japan is a favourite target for globally placed threat actors looking to deal massive financial and reputational damage or conduct corporate espionage. Japan is already a powerhouse of digitalization and adoption of technology, but still on the learning curve where cybersecurity is concerned. Thus, presented with top-notch digital infrastructure and baseline security, threat actors are presented with expansive attack surfaces that can be exploited for vulnerabilities. The list of threat actors looking to spearhead this digital attack on Japan is a long one, owing to the country’s booming economy and complicated geo-political placement.

Tick is one of the prominent Chinese threat actor group leading the malicious online charge against Japan. This group is also known by other aliases, including ‘BRONZE BUTLER‘ and ‘REDBALDKNIGHT.’

What is the Tick threat actor group?

Active since 2012, Tick is a Chinese cyber-espionage group linked to the Chinese government. In a classic example of state sponsored cyberattacks, Tick exfiltrates critical data, such as intellectual property, product details, and corporate information, from unsuspecting victim enterprises, for the benefit of the Chinese government. Aside from Japan, Tick has also routinely targeted organizations in South Korea. This threat actor’s primary agenda has been to inflict financial and reputational damage and likes to particularly target the heavy manufacturing and the food & beverages industry in Japan.

Attack methodology of the Tick threat actor group

It has been observed that Tick employs customized tools for each campaign, through some attack patterns remain the same, including the threat actor’s use of infrastructure, especially the preference for certain Command and Control (C2) domains. The following lists the other commonalities employed by Tick as part of its attack methodology.

  • Spear phishing attacks with Flash animation attachments executing the Daserf malware.
  • Leveraging on Adobe Flash zero-day vulnerability for SWC attacks.
  • xxmm: A backdoor that possesses the capability to exfiltrate sensitive information from the victim’s machine.
  • Datper: Backdoor Trojan designed to provide covert access to a compromised system. It exfiltrates data and downloads additional payload.
  • Daserf: Backdoor that helps the attackers gain full access to the infected system.

Recent threat activities by Tick threat actor group

Throughout 2018, the Tick threat actor group was noticed launching attack against Japanese technology and retail organizations using increasing variants of malwares and phishing attacks. This group’s modus operandi included the usage of secure USB drives to target critical air-gapped systems as part of its cyber espionage campaigns.

CYFIRMA’s Cyber Threat Intelligence (CTI) team made critical breakthroughs by leveraging tactical resources across the surface web, deep/dark web, and obscure forums frequented by hackers, to expose Tick’s escalating malicious activities against Japanese commercial interests. Subsequently, early warnings were issued for each of these instances. Listed below is one such early warning issued by CYFIRMA’s CTI team.

Data Leak Monitoring, 24 June 2018: CYFIRMA raised an alert about a possible data leak impacting a large Japanese Technology house. Chinese hackers claimed to possess Facial Recognition Software source code to affect the hack. Later, the involvement of Chinese threat actors Stone Panda and Tick was confirmed.

In 2019, the Tick threat actor group’s activities have only escalated, as can be figured from the early warning from Japan CERT as listed below.

On 19 February 2019, Japan CERT discovered that the suspected threat actor continued to leverage the Datper malware through RSA encryption as communication technique to target enterprises in Japan via targeted attack mail and by exploiting vulnerabilities present in the Asset Management Software.

CYFIRMA’s CTI Efforts: Effective protection against the Tick threat actor group

In the case of Tick, as also other similarly placed threat actor groups, innovation and persistence is the key. These groups are forever refining and deploying uniquely configured threat attacks that are difficult for conventional security systems to identify and mitigate. Additionally, Tick’s position as a state sponsored cyber threat outfit ensures that it is flush with resources and can afford to be persistent, and target high-tech, technologically organized establishments too.

CYFIRMA’s Cyber Threat Intelligence (CTI) capabilities ensure that threat actors like Tick are never allowed to vanish from the intelligence radar. Sourcing relevant information from the deep/dark web, specialist hacker forums, obscure chatter over the surface web, and employing bleeding edge technologies like artificial intelligence and machine learning, ensures that the faintest hints about potential threat attacks are retrieved in time and analysed for relevancy. If attacks are being planned, malicious tools being hired, developed or deployed, ‘hackers-for-hire’ being sourced, or older attack methods being outfitted with new proficiencies, CYFIRMA’s CTI team will be in the know. This applies to both an individual organization being attacked, or the overall industry being targeted.

Further, CYFIRMA’s CTI team issues notifications and recommendations that will help the organizations better manage the incoming threat. This includes mitigation techniques such as:

  • Block malicious, suspicious, spam emails and its attachments using an email gateway solution.
  • Unknown attachments with extensions such as scr, .exe, .pif, .cpl, zip, rar etc. should be blocked and not transmitted over email as part of the security best practices.
  • Maintain secure hardening guidelines in the operating system and the applications to prevent malicious code executions.
  • Client-side exploitation can be minimized using application micro segmentation and virtualization.
    And, strategies to detect an incoming Tick cyberattack, including:
  • Network intrusion detecting systems, Email gateway filtering should be used to identify compressed and encrypted attachments and scripts.
  • Network sensing, endpoint sensing solutions should be potentially used to detect malicious activities once an attachment is opened.
  • URL reputations analysis can be performed by firewalls and proxies checking for potential malicious domain or parameters.

Summarily,

COMMON IDENTIFIERS/NAMESBRONZE BUTLER, REDBALDKNIGHT and Tick.
PREFERRED TARGETSEnterprises in Japan and South Korea.
ACTIVE SINCE2012
PREFERRED TARGETSHeavy manufacturing and the food & beverages industry in Japan.
PREFERRED ATTACK TOOLSxxmm, Datper, and Daserf malwares.

Concerned about threat actor groups like Tick showing up in your own security landscape?

Know more about the CYFIRMA’s Cyber Intelligence Analytics Platform (CAP):
https://www.cyfirma.com/products-services/about-cyber-intelligence-analytics-platform/

CYFIRMA’s products & services line-up: https://www.cyfirma.com/products-services/