How Chinese Hacking Groups Target Russia
Reports From Group-IB, Positive Technologies Offer Details
Separately, Positive Technologies reports that Chinese hacking group APT31 is using a new dropper to infect Russian systems with malware.
Researchers at Group-IB say the perpetrators in an attack on Russian authorities last year appear to be either Chinese state-sponsored hacker groups TA428 and TaskMasters or a united Chinese hacker group made up of different units.
TA428, operational since 2013, targets government agencies in East Asia that control information technology, domestic and foreign policy and economic development, Group-IB says. TaskMasters, active at least since 2010, attacks industrial and energy enterprises, government agencies and transport companies primarily based in Russia and the Commonwealth of Independent States - former Soviet states.
The malware used in the 2020 attacks in Russia, which Group-IB calls the Webdav-O x64 Trojan, has been in use since at least 2018, Group-IB says. Its command set resembles that of the BlueTraveller Trojan, aka RemShell, which was previously linked to China's TaskMasters.
SentinelOne in June reported Mail-O malware was being used to attack Russian authorities. Mail-O has been linked to Chinese hacker group TA428, which uses a Trojan called Albaniiutas in its attacks; Group-IB says Albaniiutas is an updated version of BlueTraveller.
Group-IB researchers conclude that TaskMasters is most likely behind the attacks, using an improved version of the Webdav-O Trojan. But TA428 involvement is also possible, or a consortium of attackers could be involved.
Group-IB analysts believe that a single large hacker group made up of several intelligence units of China's People's Liberation Army is likely involved, because they observed the same tool deployed in different configurations over the same review period, report author Anastasia Tikhonova, who heads Group-IB's APT research, tells Information Security Media Group. China likely has a range of divisions, each with specific responsibilities, she says.
"The fact that the attackers do not change the core code means that they aren’t afraid of being exposed, and continue employing tried and tested instruments that give them access to networks of various companies," Tikhonova says. "They also may see little sense in spending resources on new development projects - their instruments are upgraded free of charge, borrowing the functionalities of legitimate cloud services."
Chinese hacker groups routinely exchange tools and infrastructure, according to Tikhonova. "Two different groups can develop the same Trojan, adjusting its functionality, and then distribute it in different ways."
Another Recent Campaign
Separately, researchers at Positive Technologies report that a Chinese hacking group, APT31, is now targeting Russian speakers with a newly identified dropper that delivers remote access Trojans to steal data. Phishing is the initial attack vector, Positive Technologies reports.
The malware seeks to avoid detection by self-deleting after its goal is accomplished. It deletes all the files it creates, along with registry keys, the researchers say.
"In some cases, such as in attacks in Mongolia, the dropper was signed with a valid digital signature that was most likely stolen, indicating the attacker’s high level of knowledge," the researchers say.
The dropper writes two files to the infected computer: a malicious library and a legitimate application that is vulnerable to DLL side-loading. When the dropper launches the application, it loads the malicious library and calls one of its exported functions, at which point control of the infected computer passes to the malicious code.
Daniil Koloskov, senior threat analysis specialist at Positive Technologies, says that the malicious library carries exactly the same file name as a component of Visual C++ for Microsoft Visual Studio and exports functions under apparently legitimate names.
Positive Technologies researchers also detected a link to a phishing domain, inst.rsnet-devel[.]com, which imitates the domain of Russian federal government bodies.
The researchers compared the detected malware with previous analysis of APT31, which has been active since at least 2016, and found numerous overlaps in functionality, techniques and mechanisms used.
They were unable to identify the specific organizations or sectors that were attacked, but Koloskov says APT31's key interests have been cyberespionage and collection of sensitive data of strategic importance, with particular interest in the public sector around the world.
Over the past year, APT31 has started to use new versions of malware and its infrastructure has grown, says Denis Kuvshinov, head of threat analysis at Positive Technologies.
"The group has not previously attacked Russia, suggesting that it is expanding to countries where its increasing activity can be detected," he adds.