Defense companies and government agencies in Russia and Ukraine targeted by state-sponsored hackers
More than a dozen victims located across Ukraine, Russia, Belarus and Afghanistan were successfully targeted by state-sponsored hackers in a January 2022 campaign.
The campaign is believed to be focused on cyber espionage, but has targeted military-linked defense companies, government agencies and research institutes in the regions.
Kaspersky researchers attributed the attacks with a “high probability” to TA428, a state-sponsored hacking group linked to China.
There was a “significant overlap” in the tactics, tools and techniques used in these attacks with those in previous TA428-related hacks, and the malware infrastructure was also located in China, they said.
Highly sophisticated phishing campaigns have been used to gain initial access to a variety of systems, with some attacks resulting in hackers taking control of IT infrastructure.
Phishing campaigns were carefully crafted and in some cases used information that was not publicly available to make emails more legitimate, such as the full names of employees responsible for processing certain information.
The email contained a maliciously crafted Microsoft Office document that exploited the CVE-2017-11882 vulnerability affecting outdated versions of Microsoft Equation Editor – a Microsoft Office component.
Although discovered as early as 2017, the exploit still allows attackers to execute arbitrary code on a victim’s system without needing VBA macros to be enabled, unlike similar exploits.
The code executed by the malicious Office document dropped the PortDoor malware, which gave the attackers backdoor control of the systems and let them drop additional malware strains on the victim’s computer via the command and control (C2) server.
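The exploitation chain described above has two points a defender can check without running the document: the Office file embeds an Equation Editor object, and a successful exploit makes EQNEDT32.EXE (which Windows launches as a COM server under svchost.exe) spawn a child process that a legitimate equation render never produces. The following script is an added example written for this article, not code from Kaspersky or from the campaign; the document bytes and process-creation events are constructed here, and the only external facts it relies on are the Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046} and the "Equation Native" OLE stream name.

```python
"""Detection heuristics for the Equation Editor (CVE-2017-11882) exploitation chain.

1. A static check that flags Office documents embedding an Equation Editor object
   (the "Equation Native" OLE stream and the Equation.3 CLSID).
2. A process-creation check that flags EQNEDT32.EXE spawning any child process.
All sample data below is constructed for this example.
"""
import uuid
from dataclasses import dataclass

# CLSID of Microsoft Equation 3.0 (Equation.3). OLE headers store it in
# little-endian GUID layout, which uuid.UUID.bytes_le reproduces.
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
# OLE directory entries store stream names as UTF-16LE.
EQUATION_STREAM = "Equation Native".encode("utf-16-le")


def equation_object_indicators(blob: bytes) -> list[str]:
    """Return the Equation Editor indicators present in raw document bytes.

    A hit means the document carries an Equation.3 object, which is worth
    quarantining and inspecting; it is not by itself proof of exploitation.
    """
    hits = []
    if EQUATION_CLSID.bytes_le in blob:
        hits.append("Equation.3 CLSID")
    if EQUATION_STREAM in blob:
        hits.append("Equation Native stream")
    return hits


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal shape of a process-creation record (e.g. Sysmon event ID 1)."""
    parent_image: str
    image: str
    command_line: str


def flag_equation_editor_children(events: list[ProcessEvent]) -> list[str]:
    """Alert on every process whose parent is EQNEDT32.EXE.

    Equation Editor renders objects in-process and has no reason to start
    another program, so any child is a strong exploitation signal.
    """
    alerts = []
    for e in events:
        parent = e.parent_image.rsplit("\\", 1)[-1].lower()
        if parent == "eqnedt32.exe":
            alerts.append(f"EQNEDT32.EXE spawned {e.image}: {e.command_line}")
    return alerts


# Constructed sample document: an OLE magic header, filler, then both indicators.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32
    + EQUATION_STREAM + b"\x00\x00" + EQUATION_CLSID.bytes_le
)
CLEAN_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32 + b"WordDocument"

# Constructed process events: a benign DCOM launch of Equation Editor,
# followed by the launch that should be flagged.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 '"EQNEDT32.EXE" -Embedding'),
    ProcessEvent(r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c EXAMPLE_PLACEHOLDER_DROPPER.exe"),
]

if __name__ == "__main__":
    print("document indicators:", equation_object_indicators(SAMPLE_DOC))
    for alert in flag_equation_editor_children(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The static check is deliberately a substring scan so it also works on a memory dump or mail-gateway capture; a full OLE parser would additionally confirm that the stream sits inside an embedded object. The process check pairs naturally with a patch-status query, since a fully updated Office no longer ships EQNEDT32.EXE at all.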
Researchers believe PortDoor was used in previous attacks by TA428, but the strain analyzed in the January attacks exhibited new abilities.
Various strains of malware were dropped on victims via PortDoor, with attackers using functions such as reading and modifying files, harvesting system information, stealing sensitive information, identifying devices connected to the network with security vulnerabilities, password hunting and remote code execution.
Attackers moved laterally across the network, from system to system, using a combination of stolen credentials, network scan results and malware to establish connections to other machines.
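Lateral movement with stolen credentials leaves a fan-out pattern in logon telemetry: one account authenticating to many hosts in a short period, often over network or RDP logon types. The script below is an added example written for this article, not code from the report; it runs a sliding-window count over constructed logon records (the account names, hostnames, threshold and window are all assumptions) and flags accounts that exceed the threshold.

```python
"""Flag accounts that reach an unusual number of distinct hosts in a short window.

Input records mimic the fields a SIEM extracts from Windows logon events
(account, source host, target host, logon type). All sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    time: datetime
    account: str
    source_host: str
    target_host: str
    logon_type: int  # 3 = network, 10 = RemoteInteractive (RDP)


# Logon types typically used when pivoting between machines.
REMOTE_LOGON_TYPES = {3, 10}


def fanout_alerts(logons: list[Logon], max_hosts: int = 3,
                  window: timedelta = timedelta(minutes=30)) -> dict[str, list[str]]:
    """Return {account: sorted target hosts} for accounts whose remote logons
    reach more than max_hosts distinct targets inside any single window."""
    by_account: dict[str, list[Logon]] = defaultdict(list)
    for logon in sorted(logons, key=lambda l: l.time):
        if logon.logon_type in REMOTE_LOGON_TYPES:
            by_account[logon.account].append(logon)

    alerts: dict[str, list[str]] = {}
    for account, events in by_account.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end].time - events[start].time > window:
                start += 1
            targets = {e.target_host for e in events[start:end + 1]}
            # Keep the widest set of targets observed for this account.
            if len(targets) > max_hosts and len(targets) > len(alerts.get(account, [])):
                alerts[account] = sorted(targets)
    return alerts


def _t(hhmm: str) -> datetime:
    return datetime(2022, 1, 20, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample: svc_backup hops across five hosts in 20 minutes (suspicious),
# alice reconnects to two ordinary shares (normal), bob touches five hosts but
# spread over a working day (outside the window).
SAMPLE_LOGONS = [
    Logon(_t("09:00"), "svc_backup", "WS01", "FS01", 3),
    Logon(_t("09:04"), "svc_backup", "WS01", "FS02", 3),
    Logon(_t("09:09"), "svc_backup", "WS01", "DC01", 3),
    Logon(_t("09:15"), "svc_backup", "WS01", "SRV03", 10),
    Logon(_t("09:20"), "svc_backup", "WS01", "SRV04", 10),
    Logon(_t("09:01"), "alice", "WS07", "FS01", 3),
    Logon(_t("09:30"), "alice", "WS07", "MAIL01", 3),
    Logon(_t("09:45"), "alice", "WS07", "FS01", 3),
    Logon(_t("08:00"), "bob", "WS09", "FS01", 3),
    Logon(_t("09:30"), "bob", "WS09", "FS02", 3),
    Logon(_t("11:00"), "bob", "WS09", "SRV03", 3),
    Logon(_t("13:00"), "bob", "WS09", "SRV04", 3),
    Logon(_t("15:00"), "bob", "WS09", "DC01", 3),
]

if __name__ == "__main__":
    for account, hosts in fanout_alerts(SAMPLE_LOGONS).items():
        print(f"ALERT {account}: {len(hosts)} hosts in 30 min -> {', '.join(hosts)}")
```

The threshold and window must be tuned per environment: backup or monitoring service accounts legitimately touch many hosts, so in practice a baseline of each account's usual target set is compared against the window rather than a flat count.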
“Our research results demonstrate that spear phishing remains one of the most relevant threats to industrial companies and public institutions,” Kaspersky said.
“The series of attacks we have uncovered are not the first in the campaign and, given that the attackers are achieving some degree of success, we believe it is highly likely that they will continue to carry out similar attacks in the future,” it added. “Industrial enterprises and public institutions should take significant steps to successfully repel such attacks.”
China’s branded cyber espionage efforts
Cyber espionage is also a common motive for China-linked hacking groups. Numerous reports of Chinese state-sponsored hackers specifically targeting entities such as universities and the military have surfaced in recent years.
A leading Australian university has confirmed that it was the subject of a 19-year-old data breach in 2019, which is believed to be at the hands of China.
Experts speaking at the time said other Australian research centers had been targeted by Chinese hackers, as well as those elsewhere in Asia.
Earlier that year, China was also linked to attempts to steal maritime secrets through hacks at 27 different universities around the world.
More recently, UK and US national security services have expressed growing concern over China’s long-term ambitions with its rise in intellectual property theft and the many mergers and acquisitions in the region.