Chinese Hacking Groups Are Coordinating Their Attacks
Multiple Chinese Threat Groups Use Shared Infrastructure and Target Similar Victims

Security researchers have established strong links between Chinese cyberespionage group Sandman and a Chinese threat cluster that targets victims in the Middle East and South Asia.
Research by SentinelOne, Microsoft and PwC threat intelligence found "substantial cooperation and coordination" between multiple Chinese threat groups on their choice of victims, shared infrastructure and tooling, and management practices.
SentinelOne researchers observed Sandman and a key Chinese threat actor, tracked by Microsoft as STORM-0866/Red Dev 40, running their malware in the same victim environments, sharing infrastructure control and displaying similarities in functionalities and design.
In August, SentinelOne researchers tracked Sandman using a modular backdoor based on LuaJIT, a just-in-time compiler for the Lua programming language, to target telecommunication companies in the Middle East, Western Europe and South Asia (see: Nation-State Actors Unleash Stealthy, LuaJIT-Based Malware).
The firm in March attributed a flurry of cyberattacks against Middle Eastern telecommunication providers to Chinese state-sponsored groups Gallium and APT41. The attackers infiltrated internet-facing Microsoft Exchange servers to deploy web shells and conduct lateral movement, reconnaissance, credential theft and data exfiltration.
Around the same time, Microsoft observed at least three Chinese threat clusters running the KEYPLUG backdoor in the same victim environments, some on the same endpoints. One of them was STORM-0866/Red Dev 40, which differed from other groups based on unique encryption keys for KEYPLUG C2 communication. The group also exhibited a greater focus on operational security by relying on cloud-based reverse proxy infrastructure to hide the true hosting locations of their C2 servers.
"A close examination of the implementation and C2 infrastructure of these distinct malware strains revealed indicators of shared development as well as infrastructure control and management practices, and some overlaps in functionalities and design, suggesting shared functional requirements by their operators," SentinelOne said.
Cybersecurity company Mandiant first analyzed the KEYPLUG backdoor in March 2022. The company said Chinese cyberespionage group APT41, also known as Shadowpad and BARIUM, had used the backdoor to infiltrate at least six U.S. state government networks in 2021.
According to Mandiant, KEYPLUG is a modular backdoor written in C++ that supports multiple network protocols for C2 communication. It features the unique capability of leveraging the WebSocket over TLS protocol through Cloudflare CDN edge servers to receive commands and send information to the command-and-control server.
In March, Recorded Future's Insikt Group said that a Chinese threat group it tracks as RedGolf, associated with the Chinese Ministry of State Security and Chengdu-based 404 Network Technology, used Windows and Linux variants of the KEYPLUG backdoor to target a wide range of organizations. The research firm said it had identified multiple infrastructure, technical and procedural overlaps between the threat group and APT41.
"Alongside KEYPLUG, we also identified RedGolf using Cobalt Strike, PlugX, and dynamic DNS domains, all of which are commonly used amongst many Chinese state-sponsored threat groups," it said.
SentinelOne said the similarities between Sandman's LuaDream backdoor and STORM-0866's KEYPLUG backdoor go far beyond their victimology. For instance, both backdoors first gather and exfiltrate system and user information in designated functions and use the same designated global data buffers to store incoming data from the C2 server. The two backdoors also implement designated functions for reading from, and writing to, these buffers.
"Throughout their execution, both LuaDream and KEYPLUG generate one-time integer values based on the system uptime returned by the GetTickCount function," the company said. "The backdoors calculate these values by applying modulo and/or addition operations to the system uptime. Some overlapping uses of the generated values are as sleep time intervals or protocol-specific keys, such as the Sec-WebSocket-Key packet header field that is used in the WebSocket opening handshake."
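Added example, not code from the SentinelOne, Microsoft or Mandiant reports: a small Python check over constructed WebSocket upgrade requests that flags a Sec-WebSocket-Key which is not the RFC 6455 base64-encoded 16-byte random nonce, or whose decoded bytes show very little variety, as a value built from a small uptime-derived integer might. The sample requests, the `MIN_DISTINCT_BYTES` threshold and the `assess_key` helper are assumptions for this illustration; the article does not state what LuaDream or KEYPLUG keys look like on the wire, and since KEYPLUG tunnels WebSocket over TLS, the handshake is only visible where TLS is inspected.

```python
import base64
import hashlib
import re
from typing import Optional

# RFC 6455 section 4.1: the client key is a base64-encoded random 16-byte nonce,
# which always encodes to 22 base64 characters followed by "==".
_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{22}==$")
_WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455
# Heuristic threshold (an assumption for this example, not from the report):
# a 16-byte value padded out from a small counter leaves most bytes identical.
MIN_DISTINCT_BYTES = 8


def _upgrade_request(key: str) -> str:
    """Build a constructed (not captured) WebSocket upgrade request around a key."""
    return ("GET /chat HTTP/1.1\r\nHost: server.example.com\r\nUpgrade: websocket\r\n"
            "Connection: Upgrade\r\nSec-WebSocket-Key: " + key +
            "\r\nSec-WebSocket-Version: 13\r\n\r\n")


# Constructed samples: the RFC 6455 example key, a key that decodes to fifteen
# zero bytes and 0x01 (counter-like), and a key that is not a 16-byte nonce at all.
SAMPLES = {
    "rfc_example": _upgrade_request("dGhlIHNhbXBsZSBub25jZQ=="),
    "counter_like": _upgrade_request("AAAAAAAAAAAAAAAAAAAAAQ=="),
    "short": _upgrade_request("12345678"),
}


def extract_key(handshake: str) -> Optional[str]:
    """Return the Sec-WebSocket-Key header value from a raw upgrade request."""
    m = re.search(r"^Sec-WebSocket-Key:\s*(\S+)\s*$", handshake, re.M | re.I)
    return m.group(1) if m else None


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the server must return for this key (for pairing)."""
    digest = hashlib.sha1((key + _WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def assess_key(handshake: str) -> dict:
    """Classify a request's key as conformant, low-variety, malformed or missing."""
    key = extract_key(handshake)
    if key is None:
        return {"key": None, "verdict": "missing"}
    if not _KEY_RE.match(key) or len(base64.b64decode(key)) != 16:
        return {"key": key, "verdict": "malformed"}
    if len(set(base64.b64decode(key))) < MIN_DISTINCT_BYTES:
        return {"key": key, "verdict": "low-variety"}
    return {"key": key, "verdict": "conformant", "accept": expected_accept(key)}
```

A conformant verdict only says the key is well-formed; the low-variety heuristic is a triage signal to pair with the other overlaps the researchers describe, not proof of either backdoor on its own.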