According to Kaspersky researchers, Beijing-backed cyber spies used specially crafted phishing emails and six different backdoors to penetrate and then steal confidential data from military and industry groups, government agencies and other public institutions.
We are told that the Security Workshop’s Industrial Control Systems (ICS) Response Team initially detected a series of targeted attacks in January that compromised more than a dozen organizations in multiple countries around the world. Eastern Europe, including Belarus, Russia, Ukraine and Afghanistan.
“Attackers were able to break into dozens of companies and even hijack IT infrastructure at some, taking control of the systems used to manage security solutions,” the team wrote in a report released on Monday.
Kaspersky attributed the attacks “with a high degree of confidence” to the Chinese cybercrime gang TA428, which has a history of targeting military and research institutes in East Asia and Russia.
The ICS research team identified China-based malware and command-and-control servers, and added that this more recent series of attacks are “highly likely” to be an extension of a campaign. of ongoing cyber espionage, previously spotted by other research teams.
They also look a lot like another campaign, dubbed Twisted Panda, run by Chinese cyberspies and targeting Russian defense institutes, uncovered by Check Point Research in May.
According to Kaspersky, the attackers gained access to the company’s networks via phishing emails, some of which contained organization-specific information that was not publicly available.
“This could indicate that the attackers did some preparatory work in advance (they may have obtained the information from previous attacks against the same organization or its employees, or against other organizations or individuals associated with the victim organization),” the researchers explained.
Presumably, because these specially crafted attacks included confidential information about the victim organization, it was easier for the attackers to trick some employees into opening the email – and an attached Microsoft Word document. The Word document contained malicious code, which exploited the CVE-2017-11882 vulnerability to deploy the PortDoor malware to the infected machine without any additional user activity. For example, the user did not need to enable macros, as is usually the case in these types of attacks.
The PortDoor malware is a relatively new backdoor allegedly developed by Chinese state-sponsored groups and was also used in a 2021 phishing attack against a Russian-based defense contractor that designs nuclear submarines. for the Navy of the Russian Federation.
Kaspersky says its team has identified a new version of PortDoor that establishes persistence, then collects information about the infected computer and can be used to control the system remotely while installing additional malware.
In addition to PortDoor, attackers used six other backdoors to control infected systems and steal confidential data. Some of them (nccTrojan, Logtu, Cotx and DNSep) have already been attributed to TA428. However, a sixth backdoor, dubbed CotScam, is new, according to Kaspersky.
After infecting an initial computer, the attackers moved laterally, using credentials stolen earlier in the attack to spread malware to other devices on the corporate network. And they used the Ladon hacking tool, which combines network scanning, vulnerability scanning capabilities, exploitation, password attack and other nefarious features for this lateral movement, we are told. -we.
Kaspersky points to this use of the Ladon utility, which is said to be popular among Chinese cybercriminals, as another indicator that TA42 is behind these spying efforts.
After gaining administrator privileges on the infected machines, the criminals manually searched and selected files to steal containing sensitive data about the victim organization before uploading these files to servers hosted in different countries. These servers then forwarded the private information to a second-stage server in China.
“Given that the attackers had some success, we believe it is very likely that similar attacks will happen again in the future,” Kaspersky warned. “Industrial companies and public institutions should do a lot of work to successfully thwart such attacks.” ®