Chinese actors behind attacks on industrial enterprises and public institutions

China-linked threat actors targeted dozens of industrial enterprises and public institutions in Afghanistan and Europe.

In January 2022, researchers at Kaspersky ICS CERT uncovered a series of targeted attacks on military industrial enterprises and public institutions in Afghanistan and Eastern Europe.

The attackers breached dozens of enterprises and in some cases compromised their IT infrastructure, taking over systems used to manage security solutions.

“All the victims identified are associated with the defense industry or are public institutions. The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan,” reads the report published by Kaspersky.

The threat actors launched spear-phishing campaigns against the victims; in some cases, the messages contained information about the victims that was not publicly available. This suggests that the attackers had deep knowledge of the targets, likely resulting from detailed preparatory work.

The emails used weaponized Microsoft Word documents exploiting the CVE-2017-11882 vulnerability.

The CVE-2017-11882 flaw is a memory-corruption issue that affects all versions of Microsoft Office released between 2000 and 2017. The vulnerability affects the MS Office component EQNEDT32.EXE which is responsible for the insertion and editing of equations (OLE objects) in documents.

The component fails to properly handle objects in memory, a bug that can be exploited by an attacker to execute malicious code in the context of the logged-in user.

Even though the flaw was patched in 2017, experts at Microsoft continue to see threat actors exploiting it in the wild.
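A process-creation check a defender can run for the EQNEDT32.EXE vector described above, added here as an example (it is not code from the article or from the Kaspersky report). It assumes events arrive as simplified Sysmon-style dicts and that the Equation Editor never legitimately starts child processes; the host names, timestamps, paths and high-risk child list are constructed for the example.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# Constructed process-creation events (simplified Sysmon-style fields). The
# hosts, timestamps and paths are made up for this example, not from the report.
SAMPLE_EVENTS = [
    {"ts": "2022-01-12T09:14:02Z", "host": "ws-design-07",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    # Equation Editor is launched through DCOM, so its own parent is svchost.exe;
    # this event is normal and must not be flagged.
    {"ts": "2022-01-12T09:14:09Z", "host": "ws-design-07",
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    # Equation Editor spawning a shell: the trace left by CVE-2017-11882 exploitation.
    {"ts": "2022-01-12T09:14:10Z", "host": "ws-design-07",
     "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
]

# Children that score "high"; the list itself is this example's assumption.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
                      "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe"}


@dataclass
class Alert:
    ts: str
    host: str
    severity: str
    child: str


def detect_eqnedt_child_processes(events: Iterable[dict]) -> List[Alert]:
    """Flag every process whose parent image is EQNEDT32.EXE.

    The Equation Editor only renders OLE equation objects and has no reason to
    start other programs, so any child process is treated as exploitation."""
    alerts: List[Alert] = []
    for ev in events:
        if ntpath.basename(ev["parent"]).lower() != "eqnedt32.exe":
            continue
        child = ntpath.basename(ev["image"]).lower()
        severity = "high" if child in HIGH_RISK_CHILDREN else "medium"
        alerts.append(Alert(ev["ts"], ev["host"], severity, child))
    return alerts


if __name__ == "__main__":
    for a in detect_eqnedt_child_processes(SAMPLE_EVENTS):
        print(f"{a.ts} {a.host} severity={a.severity} EQNEDT32.EXE -> {a.child}")
```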

The threat actors deployed multiple backdoors on the target systems; experts believe the attackers used them to create redundant channels of communication.

The information gathered by the experts led them to believe that the goal of the attacks was cyberespionage. The researchers linked the campaigns to a Chinese APT group tracked as TA428 (aka Colourful Panda, BRONZE DUDLEY).

Some indirect evidence that links the attacks to a China-linked group is the use of hacking utilities that are popular in China, the use of a second-stage CnC server located in China, and the fact that the CnC server registration information includes an email address in the Chinese domain 163.com specified in the administrator’s contact data.

One of the backdoors used by the group is called PortDoor; it was first detailed by Cybereason researchers in April 2021. Cybereason researchers reported that a China-linked APT group targeted the Russian defense contractor Rubin, which is involved in designing nuclear submarines for the Russian Navy.

The PortDoor backdoor implements multiple functionalities, including reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, evasion of static antivirus detection, one-byte XOR encryption, and AES-encrypted data exfiltration.

Other malware employed in the attacks linked to TA428 includes nccTrojan, Logtu, Cotx, and DNSep, as well as previously undetected malware named CotSam.

Once they had gained control of a target’s IT infrastructure, the threat actors started stealing sensitive information. Gathered files were packed into password-protected ZIP archives and then sent to one of the stage one malware C2 servers, which are located in various countries around the world.

In most cases, stage one C2 servers were used to redirect the data received to a stage two server in China.

“The attack series that we have discovered is not the first in the campaign and, given that the attackers achieve a certain degree of success, we believe it is highly likely that they will continue to conduct similar attacks in the future. Industrial enterprises and public institutions should take extensive measures to repel such attacks successfully,” concludes the report.


Pierluigi Paganini
