Reaper authors Chinese, possibly linked to cyberspy group ‘Black Vine’

The group behind the Anthem hack may be tied to a new IoT botnet.
(Getty Images)

The authors of a sophisticated strain of malware that’s been attacking Internet of Things devices are almost certainly Chinese and could be connected to a Beijing-linked cyber-espionage group believed behind the Anthem health insurance hack, according to new research.

Check Point Technologies — the Israeli cybersecurity outfit that was the first to publicly identify the malware, known variously as Reaper or IoTroop — said in a technical report released this weekend that the malware authors and operators are operating out of China.

“We have a very high degree of confidence about that judgement,” Yaniv Balmas, the firm’s security research group manager, told CyberScoop.

A rare feature of the malware, Balmas noted, was its use of a Lua environment. Lua is a lightweight, embeddable programming language designed to enable scripts to run. He said it made the malware “very agile … highly adaptable.”


Lua has rarely been used before in malware — both the Flame/Gauss malware framework and the Project Sauron Advanced Persistent Threat group made use of the language.

The Lua environment “allows an attacker to pivot in minutes from one kind of attack to another,” said Balmas. One minute, the botnet — consisting of tens of thousands of IoT devices like webcams and other connected consumer appliances — could be launching DDoS attacks; the next, it might be mining cryptocurrency, “depending on the script you send out.”

“These guys planned this out and designed it well,” Balmas said. “Many DDoS infrastructures, not all, but many, are thrown together in a very careless and unprofessional manner. This one is different.”

He added that an email address used to register an email domain used by the malware author had previously been used by a group known as “Black Vine,” which has ties to the Chinese government.

“This is not strong enough to attribute this new botnet to the same group,” reads the Check Point technical report. “However it does provide leads for future research.”


The email address used in both campaigns could easily belong to a reseller who had sold both Black Vine and the IoTroop/Reaper authors domains used in their hacking campaigns, explained Balmas.

“It’s an intriguing possible link,” he said, “Nothing more right now.”

Black Vine was identified by Symantec in August 2015 as a well-resourced cyber-espionage group that was behind the mammoth breach at health insurance giant Anthem.

Balmas said researchers were surprised by the fact that the authors did not appear to be fazed by all the attention their efforts were getting from cyber researchers. “Usually what happens [when we uncover and publicize a cybercrime operation of this type] is the attacker takes down his infrastructure. In this case, a few servers did go down, but they were up and running the next day … Right now, everything is active,” he said.

“It raises some questions about who these guys are,” he said.


The servers the authors used “are hosted all over the place,” Balmas said, in the U.S., Europe and the Far East. “We’ve been in touch with the most of the [internet service providers, or] ISPs,” he continued, “both independently and through law enforcement contacts.”

“We’ve haven’t heard back,” he said.

This article has been corrected to note that Lua has been used in malware before.

Shaun Waterman

Written by Shaun Waterman

Contact the reporter on this story via email, or follow him on Twitter @WatermanReports. Subscribe to CyberScoop to get all the cybersecurity news you need in your inbox every day at

Latest Podcasts