Burning Umbrella: An Intelligence Report on the Winnti
Umbrella and Associated State-Sponsored Attackers
The Winnti
umbrella is associated with the Chinese state intelligence apparatus
Key Judgements
- We assess with high confidence that the Winnti umbrella is
associated with the Chinese state intelligence apparatus, with at least
some elements located in the Xicheng District of Beijing.
- A number of Chinese state intelligence operations from 2009 to 2018
that were previously unconnected publicly are in fact linked to the Winnti
umbrella.
- We assess with high confidence that multiple publicly reported
threat actors operate with some shared goals and resources as part of the
Chinese state intelligence apparatus.
- Initial attack targets are commonly software and gaming
organizations in United States, Japan, South Korea, and China. Later stage
high profile targets tend to be politically motivated or high value
technology organizations.
- The Winnti umbrella continues to operate highly successfully in
2018. Their tactics, techniques, and procedures (TTPs) remain consistent,
though they experiment with new tooling and attack methodologies often.
- Operational security mistakes during attacks have allowed us to
acquire metrics on the success of some Winnti umbrella spear phishing
campaigns and identify attacker location with high confidence.
- The theft of code signing certificates is a primary objective of
the Winnti umbrella’s initial attacks, with potential secondary objectives
based around financial gain.
Report Summary
The purpose of this report is to make public
previously unreported links that exist between a number of Chinese state
intelligence operations. These operations and the groups that perform them are
all linked to the Winnti umbrella and operate under the Chinese state
intelligence apparatus. Contained
in this report are details about....
Sem comentários:
Enviar um comentário