Chinese-speaking hackers increase activity and diversify cyberattack methods

Advanced persistent threat (APT) groups or state-sponsored hackers have diversified their cyberattack methods in the second quarter of this year despite continuing to exploit the Covid-19 pandemic as a theme to lure potential victims.

Like other attackers, APT groups try to steal data, disrupt operations or destroy infrastructure. Unlike most cybercriminals, APT attackers pursue their objectives over months or years. They adapt to cyber defences and frequently retarget the same victim.

While Southeast Asia continues to be an active region for APT activities, Kaspersky has also observed heavy activity by Chinese-speaking groups in the second quarter, including ShadowPad, HoneyMyte, CactusPete, CloudComputating and SixLittleMonkeys.

The US government, two days ago, released information on a malware variant used by Chinese government-sponsored hackers in cyber espionage campaigns targeting governments, corporations and think tanks.

According to the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DoD), the new malware is a remote access Trojan (RAT) dubbed Taidoor.

The FBI and CISA had issued a warning in May this year that state-sponsored hackers are attempting to collect Covid-19 information after compromising organisations in the health care, pharmaceutical and research industry sectors.

With so much legitimate remote access happening across networks and hosts, Matt Walmsley, EMEA Director at Vectra, told TechRadar Pro Middle East that there are plenty of opportunities for RATs to operate undiscovered for extended periods as they hide in plain sight.

“They are a particularly useful tool for nation state-level threat actors who want to perform extended reconnaissance and maintain a point of persistence inside target organisations. That certainly seems to be the case here with activity being linked back to China from 2008,” he said.

Signatures exist for the most common RATs, but he said that skilled attackers can easily customise or build their own RATs using common remote desktop tools such as RDP to exert remote access.

Christopher Hills, Deputy CTO at BeyondTrust, said that what is interesting about Taidoor is its primary target and the information the attackers are after as a result of using this malware.

“I don’t know if we should be flattered that they are interested in the Covid-19 information, treatments, patients, stats, etc. or if we should be asking the bigger question ‘why’?”

“What good is this information to them, and how will they use it? At the end of the day, it’s still a compromise or breach of data; something we should be securing and should know is safe. Ultimately though, it goes back to the saying, it’s not a matter of ‘if’ we get breached, but ‘when’, and how will we be prepared to handle the breach,” he said.

Targeting new platforms

Sam Curry, Chief Security Officer, Cybereason, said that the newest revelations regarding China's repeated attempts to steal IP from US-based public and private organisations will result in strong denials of involvement. Their talking points, he said, always include something about how shocked they are and that, as a nation, they aren't involved in espionage or nation-state hacking.

“In reality, it's a game of 'Xi said,' 'she said' with China looking to distance itself from damning evidence, while at the same time ramping up their efforts to embarrass the US by hacking into networks and stealing government secrets, manufacturing designs, research statistics and patent-pending vaccines or anything else not kept away from their snooping eyes,” he said.

Moreover, he said that cyber-attacks in a time of a pandemic on government entities, healthcare companies and research infrastructure are diabolical.

“In any other theatre besides cyber, that would be a clear act of war and subject to diplomatic, economic and potentially military reprisals. Some nation-states are treating the Covid crisis as a continuation of the age-old game of tit-for-tat, and it’s shameful,” he said.

Kaspersky researchers have seen the continued development of APT arsenals on different fronts – from targeting new platforms and active vulnerability exploitation to shifting to new tools entirely.

According to industry experts, China has the largest number of active APTs and threat actor groups of any country, followed by Russia, Iran and North Korea.

Chinese groups

APT 1, APT 2, APT 3, APT 4, APT 5, APT 6, APT 9, APT 10, APT 12, APT 14, APT 15, APT 16, APT 17, APT 18, APT 19, APT 20, APT 21, APT 22, APT 23, APT 26, APT 27, APT 30, APT 31, APT 40, Group 72 or Axiom, Barium, Blackgear, Blue Termite or Cloudy Omega, Bronze Butler or Tick, DragonOK, Elderwood or Sneaky Panda, GhostNet or Snooping Dragon, CactusPete, Goblin Panda or Cycldek, Hidden Lynx or Aurora Panda, Lead, Lotus Blossom or Spring Dragon, Lucky Cat, Moafee, Mofang, Mustang Panda, Naikon or Lotus Panda, Night Dragon, Nitro or Covert Grove, PassCV, PittyTiger or Pitty Panda, Platinum, Rancor, Scarlet Mimic, Shadow Network, Snake Wine, Suckfly, TA459, Taidoor, Temper Panda, Thrip, Blackfly or Wicked Panda, Pacha Group, Rocke.

Russian groups

APT 28, APT 29, TeamSpy Crew, TeleBots, TEMP.Veles, Turla or Waterbug, Blackfly, Wicked Panda, Grim Spider, Lunar Spider, Pinchy Spider, Dragonfly 2.0, Buhtrap, Cobalt Group or Cobalt Spider, Corkow or Metel, Wizard Spider, Zombie Spider, Energetic Bear or Dragonfly, FIN7, Gamaredon Group, Inception Framework, Lurk, MoneyTaker, Operation BugDrop, Roaming Tiger, RTM and Iron Viking or Voodoo Bear.

Iranian groups

APT33, Gold Lowell or Boss Spider, Cadelle, Chafer or APT 39, Charming Kitten or NewsBeef, CopyKittens or Slayer Kitten, Cutting Kitten, DarkHydrus or LazyMeerkat, DNSpionage, Domestic Kitten, Flying Kitten or Ajax Security Team, Group5, Infy or Prince of Persia, Iridium, Leafminer or Raspite, Mabna Institute or Silent Librarian, Madi, APT 35, MuddyWater, APT 34 or OilRig, Greenbug and Sima.

North Korean groups

Covellite, Kimsuky or Velvet Chollima, Lazarus Group, Andariel or Silent Chollima, APT 38, APT 37, ScarCruft and Stolen Pencil.

Geopolitics remains key motive

Vicente Diaz, security researcher, Global Research and Analysis Team, Kaspersky, said that geopolitics remains an important motive for some APT threat actors, as shown in the activities of MuddyWater, the compromise of the Middle East Eye website and the campaigns of CloudComputating and HoneyMyte groups.

Financial gain, as the activities of Lazarus and BlueNoroff make clear, is another driver for some threat actors, including through ransomware attacks, he said, and APT threat actors continue to exploit software vulnerabilities.

According to a study sponsored by IBM Security and conducted by the Ponemon Institute in 17 countries between October 2019 and April 2020, the costliest malicious breaches were caused by nation-state actors, at an average of $4.43m. Breaches caused by hacktivists cost an average of $4.28m, and breaches caused by financially motivated cybercriminals cost an average of $4.23m.

The study showed that a majority of malicious breaches, 53%, were caused by financially motivated attackers. Nation-state threat actors were involved in 13% of malicious breaches and hacktivists in a further 13%, while 21% of this type of data breach was caused by attackers of unknown motivation.

“We see that the actors continue to invest in improvements to their toolsets, diversify attack vectors and even shift to new types of targets. Cybercriminals do not stop at what they have achieved already but continually develop new tactics, techniques and procedures and so should those who want to protect themselves and their organisations from attack,” Diaz said.


05 Aug 2020
