Executive Summary:
Wapack Labs analysts collected information from Chinese hacker and cyber security websites to determine the extent of Chinese research on PowerShell as part of standing collection requirements. PowerShell is a comprehensive command line interface and scripting language for Windows. Collection efforts indicate that conversations are taking place in China about PowerShell exploitation, especially over the past year. Hacker websites did not have many “how-to” articles, first-hand claims of use, or discussion of TTPs that would suggest its popularity in the hacker population, but the nature of PowerShell exploitation and various methods of intrusion have been covered in Chinese-language articles. There is more discussion on Chinese cyber security websites and in vulnerability databases, indicating that it is considered a serious cyber problem in the Chinese commercial world. However, no specifics were found concerning Chinese actors using PowerShell for malicious activity against either Chinese or foreign targets.
Publication date: 26 July 2016; information cutoff date: 8 June 2016
Handling Requirements: Traffic Light Protocol (TLP) AMBER
Attribution/Threat Actors: Criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
Actor Type: Adversary capabilities have been assessed as Tier IV. Criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
Previous Reporting: None
Industries Targeted: Financial, Defense Industrial Base, Multi Sectors
This report was published in its entirety to the Financial Services ISAC and Red Sky Alliance portal on July 26, 2016. For more information, contact Wapack Labs at 844-4-WAPACK.