Skip to main content

Chinese-speaking hackers increase activity and diversify cyberattack methods

(Image credit: Future)

Advanced persistent threat (APT) groups or state-sponsored hackers have diversified their cyberattack methods in the second quarter of this year despite continuing to exploit the Covid-19 pandemic as a theme to lure potential victims.

Like other attackers, APT groups try to steal data, disrupt operations or destroy infrastructure. Unlike most cybercriminals, APT attackers pursue their objectives over months or years. They adapt to cyber defences and frequently retarget the same victim.

While Southeast Asia continues to be an active region for APT activities, Kaspersky has also observed heavy activity by Chinese-speaking groups in the second quarter, including ShadowPad, HoneyMyte, CactusPete, CloudComputating and SixLittleMonkeys.

The US government, two days ago, released information on a malware variant used by Chinese government-sponsored hackers in cyber espionage campaigns targeting governments, corporations and think tanks.

According to the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DoD), the new malware is a remote access Trojan (RAT) dubbed Taidoor.

The FBI and CISA had issued a warning in May this year that state-sponsored hackers are attempting to collect Covid-19 information after compromising organisations in the health care, pharmaceutical and research industry sectors.

With so much legitimate remote access happening across the networks and hosts, Matt Walmsley, EMEA Director at Vectra, told TechRadar Pro Middle East that there’s plenty of opportunities for RATs to operate undiscovered for extended periods as they hide in plain sight. 

“They are a particularly useful tool for nation state-level threat actors who want to perform extended reconnaissance and maintain a point of persistence inside target organisations. That certainly seems to be the case here with activity being linked back to China from 2008,” he said.

Signatures exist for the most common RATs, but he said that skilled attackers can easily customise or build their own RATs using common remote desktop tools such as RDP to exert remote access.

Christopher Hills, Deputy CTO at BeyondTrust, said that what is interesting about Taidoor is the primary target and information they are after as a result of using this malicious malware.

“I don’t know if we should be flattered that they are interested in the Covid-19 information, treatments, patients, stats, etc. or if we should be asking the bigger question ‘why’?”

 “What good is this information to them, and how will they use it? At the end of the day, it’s still a compromise or breach of data; something we should be securing and should know is safe. Ultimately though, it goes back to the saying, it’s not a matter of ‘if’ we get breached, but ‘when’, and how will we be prepared to handle the breach,” he said.

Targeting new platforms

Sam Curry, Chief Security Officer, Cybereason, said that the newest revelations regarding China's repeated attempts to steal IP from US-based public and private organisations will result in strong denial of involvement as their talking points always include something about how shocked they are and that, as a nation, they aren't involved in espionage or nation-state hacking.

“In reality, it's a game of 'Xi said,' 'she said' with China looking to distance itself from damning evidence, while at the same time ramping up their efforts to embarrass the US by hacking into networks and stealing government secrets, manufacturing designs, research statistics and patent-pending vaccines or anything else not kept away from their snooping eyes,” he said.

Moreover, he said that cyber-attacks in a time of a pandemic on government entities, healthcare companies and research infrastructure are diabolical.

“In any other theatre besides cyber, that would be a clear act of war and subject to diplomatic, economic and potentially military reprisals. Some nation-states are treating the Covid crisis as a continuation of the age-old game of tit-for-tat, and it’s shameful,” he said.

Kaspersky researchers have seen the continued development of APT arsenals on different fronts – from targeting new platforms and active vulnerability exploitation to shifting to new tools entirely. 

According to industry experts, China has the most number of active APTs and threat actor groups when compared to other countries, followed by Russia, Iran and North Korea.

Chinese groups

APT 1, APT 2, APT 3, APT 4, APT 5, APT 6, APT 9, APT 10, APT 12, APT 14, APT 15, APT 16, APT 17, APT 18, APT 19, APT 20, APT 21, APT 22, APT 23, APT 26, APT 27, APT 30, APT 31, APT 40, Group 72 or Axiom, Barium,  Blackgear, Blue Termite or Cloudy Omega, Bronze Butler or Tick, DragonOK, Elderwood or Sneaky Panda, GhostNet or Snooping Dragon, CactusPete, Goblin Panda or Cycldek, Hidden Lynx or Aurora Panda, Lead, Lotus Blossom or Spring Dragon, Lucky Cat, Moafee, Mofang, Mustang Panda, Naikon or Lotus Panda, Night Dragon, Nitro or Covert Grove, PassCV, PittyTiger or Pitty Panda, Platinum, Rancor, Scarlet Mimic, Shadow Network, Snake Wine, Suckfly, TA459, Taidoor, Temper Panda, Thrip, Blackfly or Wicked Panda, Pacha Group, Rocke.

Russian groups

APT 28, APT 29, TeamSpy Crew, TeleBots, TEMP.Veles, Turla or Waterbug, Blackfly, Wicked Panda, Grim Spider, Lunar Spider, Pinchy Spider, Dragonfly 2.0, Buhtrap, Cobalt Group or Cobalt Spide, Corkow or Metel, Wizard Spider, Zombie Spider, Energetic Bear or Dragonfly,  FIN7, Gamaredon Group, Inception Framework, Lurk, MoneyTaker, Operation BugDrop, Roaming Tiger, RTM and Iron Viking or Voodoo Bear.

Iranian groups

APT33, Gold Lowell or Boss Spider, Cadelle, Chafer or APT 39, Charming Kitten or NewsBeef, CopyKittens or Slayer Kitten, Cutting Kitten, DarkHydrus or LazyMeerkat, DNSpionage, Domestic Kitten, Flying Kitten or Ajax Security Team,  Group5, Infy or Prince of Persia, Iridium, Leafminer or  Raspite, Mabna Institute or Silent Librarian, Madi, APT 35, MuddyWater,  APT 34 or OilRig,  Greenbug and  Sima.

North Korean groups

Covellite, Kimsuky or Velvet Chollima, Lazarus Group, Andariel or Silent Chollima, APT 38, APT 37, ScarCruft and Stolen Pencil.

Geopolitics remains key motive

Vicente Diaz, security researcher, Global Research and Analysis Team, Kaspersky, said that geopolitics remains an important motive for some APT threat actors, as shown in the activities of MuddyWater, the compromise of the Middle East Eye website and the campaigns of CloudComputating and HoneyMyte groups.

As it is clear from the activities of Lazarus and BlueNoroff, he said that financial gain is another driver for some threat actors – including the use of ransomware attacks and APT threat actors continue to exploit software vulnerabilities.

According to a study sponsored by IBM Security and conducted by the Ponemon Institute in 17 countries between October 2019 and April 2020, the costliest malicious breaches were caused by nation-state actors, at an average of $4.43m while hacktivists were responsible for malicious breaches that cost an average of $4.28m while breaches caused by financially motivated cybercriminals cost an average of $4.23m.

The study showed that a majority of malicious breaches, 53%, were caused by financially motivated attackers. Nation-state threat actors were involved in 13% of malicious breaches; hacktivists in 13% and 21% of this type of data breach was caused by attackers of unknown motivation.

“We see that the actors continue to invest in improvements to their toolsets, diversify attack vectors and even shift to new types of targets. Cybercriminals do not stop at what they have achieved already but continually develop new tactics, techniques and procedures and so should those who want to protect themselves and their organisations from attack,” Diaz said.