[Reading tip] Detailed report on Chinese cyber-espionage activities since 2009

In its recently published and very extensive analysis "Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers" (local copy), the IT security company 401-TRG summarises Chinese cyber-espionage activities from 2009 to the present. The authors conclude that a large part of these activities is presumably of state origin. The report places the individual operations very well in a chronological context and, where useful, points to technical details that illustrate commonalities between the activities or changes in them over time:

The purpose of this report is to make public previously unreported links that exist between a number of Chinese state intelligence operations. These operations and the groups that perform them are all linked to the Winnti umbrella and operate under the Chinese state intelligence apparatus. Contained in this report are details about previously unknown attacks against organizations and how these attacks are linked to the evolution of the Chinese intelligence apparatus over the past decade. Based on our findings, attacks against smaller organizations operate with the objective of finding and exfiltrating code signing certificates to sign malware for use in attacks against higher value targets. Our primary telemetry consists of months to years of full fidelity network traffic captures. This dataset allowed us to investigate active compromises at multiple organizations and run detections against the historical dataset, allowing us to perform a large amount of external infrastructure analysis.