Three separate Chinese state-sponsored advanced persistent threat groups have been observed targeting victims, including US state governments, European diplomatic entities and Gmail accounts linked to the US government.
The first group, APT41, also known as Wicked Panda and Winnti, is believed by researchers at Mandiant Inc. to have successfully compromised at least six US state government networks. The APT did so by exploiting vulnerable internet-facing web applications, including through zero-day (previously undiscovered) vulnerabilities in the USAHerds application and Apache Log4j.
The campaign by APT41 ran between May 2021 and February 2022. Although Chinese state-sponsored actors targeting networks in the West are not new, the researchers note that one remarkable aspect is how quickly they act to exploit vulnerabilities when they become known.
In the case of the now-infamous Log4j vulnerability, the Chinese hackers were exploiting the vulnerability within hours of it being disclosed. The exploitation of the initial Log4j vulnerability – there ended up being multiple vulnerabilities – directly led to the compromise of two US state government networks as well as other targets in insurance and telecoms. Having gained access, APT41 then undertook extensive credential collection.
APT41 was linked by the BlackBerry Ltd. Research & Intelligence team to a range of previous campaigns in October. The US Department of Justice indicted five Chinese nationals and two Malaysians linked to the group in September.
“Based on my extensive experience in tracking nation-state adversaries, China is deeply concerned with knowing as much as they can at all times,” Aubrey Perin, lead nation-state threat intelligence analyst at information security and compliance firm Qualys Inc., told SiliconANGLE. “Their belief system around information being a public domain differs from the United States’ notion of intellectual property. As long as China is not spying for the sake of harming others, it is on brand for them to be poking about in ways that come to fruition in instances like these.”
The second campaign, detailed by researchers at Proofpoint Inc., relates to the targeting of European diplomatic entities by China-aligned APT actor TA416. The group, also known as Mustang Panda or RedDelta, targeted European governments through an email reconnaissance campaign.
The campaign involved the APT initially using tracking pixels in benign emails to identify potential targets for future spear-phishing attacks, which involve sending emails apparently from a known sender to prompt targeted people to reveal confidential information. Once targets were identified, the group would send malicious URLs that would then install a variety of PlugX malware payloads.
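The recipient-profiling step described above leaves traces in the mail itself: a remote image that reports back when rendered. As an added example (not from the article or any vendor's tooling), the following scanner flags probable tracking pixels in an HTML e-mail body; the sample mail and its domains are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not from the article. Constructed sample mail; all domains are placeholders.
SAMPLE_EMAIL = """<html><body><p>Dear colleague, please find the agenda attached.</p>
<img src="https://cdn.example.org/logo.png" width="120" height="40">
<img src="https://track.example-tracker.test/o?id=7f3a" width="1" height="1">
<img src="cid:inline1" width="1" height="1">
<img src="https://stats.example-tracker.test/b.gif?r=alice" style="display: none">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True when a width/height attribute is at most 1 pixel."""
    digits = value.strip().lower().rstrip("px").strip()
    return digits.isdigit() and int(digits) <= 1


def find_tracking_pixels(html, sender_domain):
    """Return the src of each remote <img> that looks like an open beacon:
    1x1 or hidden, or off-domain with a query string (a per-recipient token)."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # inline (cid:, data:) images cannot report back
        host = url.hostname or ""
        tiny = _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", ""))
        hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
        foreign = not (host == sender_domain or host.endswith("." + sender_domain))
        if tiny or hidden or (foreign and url.query):
            hits.append(src)
    return hits
```

Blocking remote image loads by default in the mail client removes the signal entirely; the scanner is useful for triaging mail that has already been delivered.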
Notably, the TA416 attacks have increased sharply since Russian troops began massing on the border of Ukraine.
The third campaign involves APT31, another Chinese state-sponsored hacking group also known as Judgment Panda and Zirconium. The group has been observed by the Google LLC Threat Analysis Group targeting Gmail accounts of users affiliated with the US government.
Google managed to detect the APT31 phishing campaign in February, with the emails automatically classified as spam and blocked by Gmail. According to Shane Huntley from Google TAG, those targeted were informed today of the attempts. APT31 was previously linked to attempts to hack the Trump and Biden campaigns before the last US election.
James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc., noted that all organizations, including government entities, are targets of nation-states and cybercriminals.
“By phishing humans, they look at it as the more accessible way into the systems and infrastructure,” he said, adding that gaining access through a government employee’s email address makes it easy to bypass the technology and gain entry into the government infrastructure and systems.