Pierluigi Paganini February 10, 2020

Malaysia’s MyCERT issued a security alert to warn of a hacking campaign targeting government officials that was carried out by the China-linked APT40 group.

Malaysia’s Computer Emergency Response Team (MyCERT) warns of a cyber espionage campaign carried out by the China-linked APT40 group aimed at Malaysian government officials.

The attackers aimed at stealing confidential documents from government systems after having infected them with malware.

“MyCERT observed an increase in number of artifacts and victims involving a campaign against Malaysian Government officials by a specific threat group.” reads the alert issued by MyCERT. “The group motives is believe to be  data theft and exfiltration.”

The attackers used spear-phishing messages sent to government officials, they posed as a journalist, an individual from a trade publication, or individuals from a relevant military organization or non-governmental organization (NGO).

The messages contained links to weaponized Office documents stored on Google Drive. Once the documents are opened and the victims have enabled the macros, the dropper is executed.

The attackers exploit the CVE-2014-6352 and CVE-2017-0199 Office vulnerabilities to drop and execute the malware on the victim’s computer.

“The group’s operations tend to target government-sponsored projects and take large amounts of information specific to such projects, including proposals, meetings, financial data, shipping information, plans and drawings, and raw data,” continues MyCERT.

It is not clear if the attackers have exfiltrated sensitive documents from government officials.

The advisory doesn’t explicitly attribute the campaign to the Chinese APT, but references included in the alert point to the APT40 hacking group.

The cyber-espionage group tracked as APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan), apparently linked to the Chinese government, is focused on targeting countries important to the country’s Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).

Experts believe that APT40 is a state-sponsored Chinese APT group due to its alignment with Chinese state interests and technical artifacts suggesting the actor is based in China.

The APT40 group has been active since at least 2013 and appears to be focused on supporting naval modernization efforts of the Government of Beijing. Threat actors target engineering, transportation, and defense sectors, experts observed a specific interest in maritime technologies.

The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry.

The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.

In January, a group of anonymous security researchers that calls itself Intrusion Truth has discovered that the APT40 uses 13 front companies operating in the island of Hainan to recruit hackers.

Intrusion Truth did not associate the group from Hainan with a specific Chinese APT group, but FireEye and Kaspersky researchers believe that the China-linked group is the APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan).

Pierluigi Paganini

(SecurityAffairs – APT40, China)

[adrotate banner=”5″]

[adrotate banner=”13″]