A group linked to China has targeted government agencies and defense companies in Eastern Europe

More than a dozen organizations in Eastern Europe and Afghanistan, including industrial factories, research institutes and government agencies, were targeted by an alleged Chinese-speaking hacking group earlier this year, according to new research.

The attacks, which were first observed in January and hit organizations in Russia, Belarus and Ukraine, have characteristics that led Kaspersky researchers to attribute them to the advanced persistent threat (APT) group TA428 with “a high degree of confidence,” the Moscow-based cybersecurity firm said in a report released Monday.

“Attackers were able to break into dozens of companies and even hijack IT infrastructure at some, taking control of the systems used to manage security solutions,” the researchers wrote.

TA428 is a China-linked cyber espionage group that has been tracked by cybersecurity researchers since 2019, but may have been active years earlier. The group targets organizations that have high strategic value for Beijing, including research institutes, government agencies and IT companies. The group’s previous attacks have focused on Russia and East Asia, using malicious rich text format (RTF) documents to deliver custom malware.

In attacks observed by Kaspersky researchers, victims were targeted with carefully crafted phishing emails containing non-public information that only someone working for the organization would have known. “This could indicate that the attackers did some preparatory work in advance (they may have obtained the information from previous attacks against the same organization or its employees or against other organizations or individuals associated with the organization victim),” the researchers said.

Microsoft Word documents attached to the phishing emails contained malicious code that exploited CVE-2017-11882, a memory corruption flaw in the legacy Equation Editor component (EQNEDT32.EXE) bundled with Office, which allowed the hackers to deploy PortDoor malware to infected devices. PortDoor was seen last year in an attack on a Russian defense contractor that designs nuclear submarines; that attack was believed to be the work of a China-linked APT group, possibly TA428.
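As an added illustration, not code from the Kaspersky report or from this article, the Python script below flags Office documents that embed an Equation Editor object, the component in which CVE-2017-11882 lives. It keys on the Equation Editor 3.0 ProgID "Equation.3", its CLSID {0002CE02-0000-0000-C000-000000000046}, and the "Equation Native" stream name that such objects carry, across .docx, .rtf and legacy .doc/OLE containers. The sample documents it builds are constructed here for the demonstration and are not real samples from the campaign; an organization that has applied Microsoft's 2018 removal of Equation Editor has no legitimate reason to receive such objects, so a hit is a strong triage signal even though it does not by itself prove the file is an exploit.

```python
"""Triage check: does an Office document embed an Equation Editor object?

Heuristic only. It catches the common forms of CVE-2017-11882 lures (an
embedded Equation.3 OLE object in DOCX, RTF or legacy DOC) but an attacker
can obfuscate the RTF form further than the whitespace stripping done here.
"""
import io
import re
import zipfile

# Equation Editor 3.0 class identifier, and its raw little-endian form as it
# is written in the root directory entry of an OLE compound file.
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"
EQNEDT_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")
# Stream name present inside Equation Editor OLE objects (stored as UTF-16LE).
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")

PROGID_RE = re.compile(rb'ProgID="(Equation\.[^"]*)"', re.IGNORECASE)
RTF_OBJCLASS_RE = re.compile(rb"\\objclass\s*(Equation\.[0-9A-Za-z]*)", re.IGNORECASE)
RTF_CLSID_HEX_RE = re.compile(re.escape(EQNEDT_CLSID_LE.hex().encode()), re.IGNORECASE)


def scan_ole(blob: bytes, label: str) -> list[str]:
    """Raw OLE compound file (legacy .doc, or a DOCX embedding)."""
    hits = []
    if EQNEDT_CLSID_LE in blob:
        hits.append(f"{label}: Equation Editor CLSID")
    if EQUATION_NATIVE in blob:
        hits.append(f"{label}: 'Equation Native' stream")
    return hits


def scan_docx(data: bytes) -> list[str]:
    """DOCX: the object is declared in XML and stored under word/embeddings/."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".xml"):
                for m in PROGID_RE.finditer(blob):
                    hits.append(f"{name}: OLE ProgID {m.group(1).decode()}")
            elif name.startswith("word/embeddings/"):
                hits.extend(scan_ole(blob, name))
    return hits


def scan_rtf(data: bytes) -> list[str]:
    """RTF: \\objclass names the class; \\objdata carries the object as hex."""
    hits = [f"rtf: \\objclass {m.group(1).decode()}" for m in RTF_OBJCLASS_RE.finditer(data)]
    compact = re.sub(rb"\s+", b"", data)  # hex may be split across lines
    if RTF_CLSID_HEX_RE.search(compact):
        hits.append("rtf: Equation Editor CLSID in \\objdata")
    return hits


def scan_document(data: bytes) -> list[str]:
    """Dispatch on the container's magic bytes; returns a list of indicators."""
    if data.startswith(b"PK\x03\x04"):
        return scan_docx(data)
    if data.lstrip().startswith(b"{\\rtf"):
        return scan_rtf(data)
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return scan_ole(data, "doc")
    return []


def build_sample_docx(progid: str = "", embed_equation: bool = False) -> bytes:
    """Constructed sample DOCX (not a real document); minimal parts only."""
    obj = (f'<w:object><o:OLEObject Type="Embed" ProgID="{progid}" '
           'ShapeID="_x0000_i1025" DrawAspect="Content" ObjectID="_1" r:id="rId5"/></w:object>'
           if progid else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
                    f"<w:document><w:body><w:p>{obj}</w:p></w:body></w:document>")
        if embed_equation:
            # OLE header, padding, then the root-entry CLSID and stream name.
            ole = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
                   + EQNEDT_CLSID_LE + EQUATION_NATIVE)
            zf.writestr("word/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


# Constructed RTF sample (not a real lure): object class plus hex-encoded object.
SAMPLE_RTF = (rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata "
              + b"d0cf11e0a1b11ae1" + b"00" * 24 + EQNEDT_CLSID_LE.hex().encode()
              + rb"}}}")

if __name__ == "__main__":
    for name, doc in [("lure.docx", build_sample_docx("Equation.3", True)),
                      ("clean.docx", build_sample_docx()),
                      ("lure.rtf", SAMPLE_RTF)]:
        print(name, scan_document(doc) or "no Equation Editor indicators")
```

Run it on a directory of inbound attachments and quarantine anything that returns a non-empty list; pair it with the registry or update-based removal of EQNEDT32.EXE so that a document which slips through cannot launch the vulnerable component.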

The attackers set up six different backdoors to control devices and collect information, likely so that if security tools detected and removed some of them, the others would preserve access. The malware and backdoors used in the attack had previously been linked to TA428, except for a new backdoor called CotSam, the researchers said.

Once attackers gained a foothold in a targeted organization, they moved laterally to spread malware to other network-connected devices. The attackers then scanned the organization for sensitive data, collected it and exfiltrated it to servers based in different countries.

“In most of the cases, the first-stage servers perform only one function – redirect received data to a second-stage server located in China,” the researchers said.

Kaspersky has warned public institutions and industrial companies to take “extensive measures” to repel attacks from the group, which has a proven track record in cyber espionage. “The series of attacks we have uncovered are not the first in the campaign and given that the attackers are achieving some degree of success, we believe it is highly likely that they will continue to carry out similar attacks in the future,” the researchers said.

Adam is the founding editor of The Record by Recorded Future. He was previously a cybersecurity and privacy reporter for Protocol, and before that, he covered cybersecurity, AI, and other emerging technologies for the Wall Street Journal.

Ashley C. Reynolds