3 Chinese Espionage Groups Attacking Southeast Asia
APTs Targeted Critical Infrastructure, Healthcare Sector of Unnamed Asian Country
Three suspected Chinese espionage groups conducted a series of cyberattacks against an unnamed Southeast Asian country's critical infrastructure, healthcare and government organizations. Researchers attributed many of the intrusions to the APT group Mustang Panda, known for espionage attacks on foreign governments.
Palo Alto Networks' Unit 42 researchers in early 2023 found evidence of three distinct Chinese cyberespionage groups - Mustang Panda, Gallium and Gelsemium - carrying out simultaneous cyber operations against a single Southeast Asian country. The espionage actors maintained long-term access to and surveillance of their targets rather than running one-off attacks.
Researchers attributed many of the attacks to the Chinese advanced persistent threat group Mustang Panda, which Palo Alto Networks tracks as Stately Taurus. The group itself has been active since at least 2012; Unit 42 first observed its activity against this target in Q1 2021. In this campaign it used the ToneShell and ShadowPad backdoors to gather intelligence and maintain persistence inside victim networks.
Mustang Panda has historically been associated with espionage attacks on foreign governments, nongovernmental organizations and groups considered hostile to Chinese interests. Security firm ESET reported in March that the group had been using a previously unseen malware backdoor in attacks on governmental organizations in Europe and Asia (see: Chinese APT Group Deploying New Malware Backdoor).
Unit 42 researchers also reported with moderate confidence that another Chinese cyberespionage group, popularly known as Gallium and tracked by Palo Alto as Alloy Taurus APT, had run a parallel espionage campaign using a cluster of novel backdoors and hacking tools to establish persistence in victim networks and conduct reconnaissance.
Gallium began its campaign in early 2022, exploiting Exchange Server vulnerabilities to deploy a large number of web shells, which it then used to drop malware tailored to each target environment.
The group also used two previously unknown backdoors, dubbed Zapoa and ReShell, remote access Trojans such as GhostCringe and Quasar, and the Kerberos brute-forcing tool Kerbrute to infiltrate targeted organizations' networks. The hackers used these tools to steal credentials, move laterally inside networks and gain access to domain controllers.
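Kerbrute guesses over Kerberos alone, so its activity lands in the domain controller's 4768 and 4771 events rather than in 4625 logon failures. The detector below is an added example, not code from Unit 42's report or from the Kerbrute project; the event records are constructed, and the five-minute window and the thresholds are assumptions to be tuned per environment:

```python
"""Spot Kerbrute-style user enumeration and password spraying on a domain controller.

Added example, not from Unit 42's report or the Kerbrute project.  The
events are constructed, and the window and thresholds are assumptions to
tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, event_id, user, ip, status):
    return {"time": time, "id": event_id, "user": user, "ip": ip, "status": status}


# Constructed Security log records reduced to the fields that matter.
# 4768 with result 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN): a TGT was requested
# for a user that does not exist, which is what a wordlist fed to
# Kerbrute's userenum produces.  4771 with failure 0x18
# (KDC_ERR_PREAUTH_FAILED): wrong password for a real user, one per
# account during a spray.
EVENTS = (
    [_ev(f"2022-04-02T03:10:{i:02d}", 4768, f"guess{i}", "10.0.0.44", "0x6") for i in range(12)]
    + [_ev(f"2022-04-02T03:12:{i:02d}", 4771, f"emp{i}", "10.0.0.44", "0x18") for i in range(8)]
    # A workstation whose user mistyped a password once, then logged in.
    + [_ev("2022-04-02T03:11:30", 4771, "bob", "10.0.0.9", "0x18"),
       _ev("2022-04-02T03:11:40", 4768, "bob", "10.0.0.9", "0x0")]
)


def classify(event):
    """Map a raw event to the behaviour it evidences, or None if uninteresting."""
    if event["id"] == 4768 and event["status"] == "0x6":
        return "user-enumeration"
    if event["id"] == 4771 and event["status"] == "0x18":
        return "password-spray"
    return None


def kerberos_alerts(events, window=timedelta(minutes=5), min_unknown_users=10, min_sprayed_users=5):
    """One alert per (source IP, behaviour) once the number of *distinct* users
    seen inside a sliding window crosses the threshold.  Counting distinct
    users rather than events separates a spray from a brute force of one
    account, and from a single user fat-fingering a password."""
    buckets = defaultdict(list)
    for e in events:
        kind = classify(e)
        if kind:
            buckets[(e["ip"], kind)].append((datetime.fromisoformat(e["time"]), e["user"]))

    alerts = []
    for (ip, kind), items in buckets.items():
        items.sort()
        threshold = min_unknown_users if kind == "user-enumeration" else min_sprayed_users
        in_window = defaultdict(int)
        lo = 0
        for t, user in items:
            in_window[user] += 1
            while items[lo][0] < t - window:  # evict records older than the window
                old = items[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= threshold:
                alerts.append({"ip": ip, "kind": kind, "distinct_users": len(in_window),
                               "start": items[lo][0].isoformat(), "end": t.isoformat()})
                break  # one alert per source and behaviour is enough
    return sorted(alerts, key=lambda a: (a["ip"], a["kind"]))


if __name__ == "__main__":
    for a in kerberos_alerts(EVENTS):
        print(f'{a["ip"]}: {a["kind"]} against {a["distinct_users"]} accounts, {a["start"]} to {a["end"]}')
```

Names in the wordlist that do exist in the domain will not produce a 0x6 result, so the enumeration count undercounts the guessing; the signal is still a burst of distinct principals from one source in a short window, which ordinary hosts never generate.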
"Our analysis of the activity showed a repetitive style of attack, in which the threat actor attacked in waves. Each wave started with web server exploitation as well as installation of web shells and reconnaissance. This was then followed by the deployment of additional tools," the researchers said.
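The wave pattern the researchers describe is visible in the Exchange server's own IIS logs: a server-side script that is not part of the product, first hit right after reconnaissance or exploitation requests from the same client, then hit repeatedly as tooling is staged through it. The script below is an added example, not code from Unit 42's report or from any Gallium tooling; the log lines are constructed, the web shell name is made up, and the allowlist is an assumed partial baseline that a real deployment would build from a known-good install of the same Exchange build:

```python
"""Flag web shell "waves" in IIS W3C logs from an Exchange front end.

Added example, not from Unit 42's report.  The log excerpt is
constructed, and the allowlist of legitimate script paths is an
assumption.
"""
import re
from collections import defaultdict

# Constructed IIS W3C log.  IIS writes '+' for spaces inside a field, so
# whitespace splitting is safe.  /owa/auth/OutlookEN.aspx is a made-up
# web shell name for the example, not a real indicator.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-03-01 02:11:04 10.0.0.5 GET /ecp/ - 443 - 198.51.100.7 python-requests/2.27 200
2022-03-01 02:11:09 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 python-requests/2.27 200
2022-03-01 02:11:15 10.0.0.5 POST /owa/auth/OutlookEN.aspx - 443 - 198.51.100.7 python-requests/2.27 200
2022-03-01 02:11:31 10.0.0.5 POST /owa/auth/OutlookEN.aspx - 443 - 198.51.100.7 python-requests/2.27 200
2022-03-01 08:30:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.20 Mozilla/5.0+(Windows+NT+10.0) 200
2022-03-01 08:30:15 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.20 Mozilla/5.0+(Windows+NT+10.0) 302
"""

# Server-side script extensions a web shell on IIS would use.
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp)$", re.IGNORECASE)

# Assumed partial baseline of script paths that legitimately exist (lower-case).
ALLOWED_SCRIPTS = {
    "/owa/auth/logon.aspx",
    "/owa/auth/logoff.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/default.aspx",
}


def parse_w3c(text):
    """Turn a W3C extended log into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def webshell_candidates(rows, allowed=ALLOWED_SCRIPTS):
    """Requests for server-side scripts that are not in the known-good baseline."""
    return [r for r in rows
            if SCRIPT_EXT.search(r["cs-uri-stem"]) and r["cs-uri-stem"].lower() not in allowed]


def first_seen(candidates):
    """Earliest hit per suspicious path: the time to correlate with file creation on disk."""
    seen = {}
    for r in candidates:
        stem = r["cs-uri-stem"].lower()
        ts = r["date"] + " " + r["time"]
        if stem not in seen or ts < seen[stem]:
            seen[stem] = ts
    return seen


def waves_by_client(rows, candidates):
    """Every request, in log order, from each client that touched a suspicious
    script, so the recon/exploit -> shell -> follow-up sequence reads as one wave."""
    suspicious_ips = {r["c-ip"] for r in candidates}
    waves = defaultdict(list)
    for r in rows:
        if r["c-ip"] in suspicious_ips:
            waves[r["c-ip"]].append((r["date"] + " " + r["time"], r["cs-method"],
                                     r["cs-uri-stem"], r["sc-status"]))
    return dict(waves)


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    cands = webshell_candidates(rows)
    for stem, ts in first_seen(cands).items():
        print(f"suspicious script {stem} first hit {ts}")
    for ip, reqs in waves_by_client(rows, cands).items():
        print(ip)
        for req in reqs:
            print("   ", *req)
```

An allowlist catches shells dropped under new names; a shell written over a legitimate file, or commands carried in a POST body the log never records, will not show here, so pair this with file hashes and creation times under the Exchange web root and with w3wp.exe spawning cmd.exe or powershell.exe.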
The Gelsemium APT group also conducted espionage activity between Q3 and Q4 2022, specifically targeting vulnerable IIS servers and focusing on conducting discreet reconnaissance and maintaining persistent access to targeted networks.
Researchers tied the activity to Gelsemium through its use of two rarely seen backdoors, OwlProxy and SessionManager, both previously attributed to the group and observed in a 2020 espionage campaign targeting several entities in Laos.
SessionManager is a custom backdoor, loaded by IIS as a native module, that lets its operators upload files to and download files from a compromised web server, run commands, and use the web server as a proxy to reach additional systems on the network. OwlProxy is likewise an HTTP proxy with backdoor functionality and was used in an April 2020 attack that targeted the Taiwanese government.
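Because SessionManager runs as a native IIS module, a cheap hunt on an IIS server is to diff the globalModules section of applicationHost.config against a clean baseline and flag any module loaded from outside %windir%\System32\inetsrv. The following is an added example, not code from Unit 42's report; the config excerpt is constructed, the two odd entries in it are made up, and the baseline of expected modules is an assumption that would normally be captured from a clean server of the same IIS build:

```python
"""Hunt for rogue native IIS modules in applicationHost.config.

Added example, not from Unit 42's report.  The config excerpt is
constructed, and the module baseline is an assumption.
"""
import ntpath
import xml.etree.ElementTree as ET

# Where IIS's own native modules live (lower-case, %windir% expanded).
INETSRV_DIR = r"c:\windows\system32\inetsrv"

# Baseline of (module name, DLL file name) expected on this server: an
# assumption, normally captured from a clean server of the same IIS build.
BASELINE = {
    ("HttpLoggingModule", "loghttp.dll"),
    ("DefaultDocumentModule", "defdoc.dll"),
    ("StaticFileModule", "static.dll"),
    ("RequestFilteringModule", "modrqflt.dll"),
}

# Constructed applicationHost.config excerpt.  The last two entries are
# made up for the example and are not known indicators.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="StaticFileCacheModule" image="C:\ProgramData\IIS\static.dll" />
      <add name="CompressionModule" image="%windir%\System32\inetsrv\comp.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def _expand(image):
    """Lower-case the path and expand %windir% (assumed to be the Windows
    directory on C:) so paths compare reliably."""
    return image.lower().replace("%windir%", r"c:\windows")


def native_modules(config_xml):
    """(name, image) for every native module IIS will load into w3wp.exe."""
    root = ET.fromstring(config_xml)
    node = root.find("./system.webServer/globalModules")
    if node is None:
        return []
    return [(add.get("name"), add.get("image")) for add in node.findall("add")]


def rogue_modules(modules, baseline=BASELINE):
    """Flag modules loaded from outside inetsrv or absent from the baseline.
    Both checks matter: an attacker can drop a DLL into inetsrv, and a
    legitimate module name can be reused for a DLL elsewhere."""
    known = {(name, dll.lower()) for name, dll in baseline}
    findings = []
    for name, image in modules:
        directory, dll = ntpath.split(_expand(image))
        reasons = []
        if directory != INETSRV_DIR:
            reasons.append("image outside %windir%\\System32\\inetsrv")
        if (name, dll) not in known:
            reasons.append("not in baseline")
        if reasons:
            findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in rogue_modules(native_modules(SAMPLE_CONFIG)):
        print(f"{name}: {image} ({'; '.join(reasons)})")
```

The config file is only the declared state; cross-check it against what is actually loaded (appcmd list modules, or Get-WebGlobalModule from the WebAdministration module) and hash every DLL in the list, since a module that passes the name and path checks can still have been replaced on disk.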
Gelsemium also used several publicly available tools, each for a distinct job: Cobalt Strike as the implant that communicates with the command-and-control server and executes commands, EarthWorm as a tunneling tool that connects the infected local area network to the C2 server, and SpoolFool, an exploit for the Windows Print Spooler elevation of privilege vulnerability CVE-2022-21999, to create administrator accounts.