THE SOURCE: Cyber Intelligence Report – Operation Dust Storm

By Chris Lucas, TSIC Intelligence Analyst

According to the cybersecurity firm Cylance, an advanced persistent threat group has been targeting Japanese critical infrastructure and commercial interests. The APT group has been dubbed “Operation Dust Storm,” is considered a sophisticated hacking group with nation-state backing, and has been in operation since 2010. Considerable evidence points to China as the origin of the group. “Dust Storm” has been cited as being responsible for a range of global attacks since 2010. Targets of the group have included government and defense-related intelligence entities, which have been the subjects of phishing and watering hole attacks. In 2015, the group shifted its attention to Japan.

One specific piece of malware the group has used is the “ZLIB backdoor,” as dubbed by Cylance. The malware conducts cyber espionage by gaining access to private networks through hard-coded proxy addresses and credentials. The targets of this campaign have primarily been Japan’s power generation, oil and natural gas, construction, finance and, finally, transportation sectors. Despite these industrial targets, Cylance did not find any evidence that the APT group is planning any cyber attacks that would cripple critical infrastructure. “Dust Storm” was also reported to be increasing its mobile operations, in which the group creates custom Android backdoors to carry out ‘man-in-the-middle’ style attacks and extract files from targeted devices.

The recent shift in the Japanese government to a more active military role in the Asia-Pacific has no doubt set off alarm bells inside Beijing. Beijing has continued to develop and polish its cyber operations, starting with the now-famous Unit 61398 within the PLA, of which “Dust Storm” is believed to be a part. Their operations have largely been focused on conducting espionage as opposed to causing actual damage. However, that isn’t to say the group isn’t capable of causing harm to these industrial control systems (ICS). The Stuxnet worm should serve as a lesson as to why critical infrastructure should have strong cyber security measures and risk mitigation practices in place.

© 2016 The Intelligence Community LLC. All Rights Reserved