China’s elite hackers expand target list to European Union – Christian Vasquez
China’s elite government-backed hackers are using legitimate VPN tools to camouflage their presence on the expanding list of victim networks, according to a new report from the cybersecurity firm ESET.
Released Thursday, ESET’s report on the latest state-backed cybersecurity threats details a growing target list that experts believe is a concerted effort to further Beijing’s intelligence goals.
The Chinese-linked group, referred to as MirrorFace, typically targets the region around Japan; however, MirrorFace was recently seen targeting an organization in the European Union.
“For the first time, we observed MirrorFace targeting a diplomatic organization within the EU, a region that remains a focal point for several China-, North Korea-, and Russia-aligned threat actors. Many of these groups are particularly focused on governmental entities and the defense sector,” Jean-Ian Boutin, director of threat research at ESET, said in a statement.
ESET did not name the organization targeted. However, MirrorFace’s spearphishing email was related to the world exposition EXPO 2025 to be held next year in Osaka, Japan. As such, the report notes that the motivation likely remains Japanese-focused.
The Slovakia-based firm also found evidence that a recently revealed Chinese-linked group dubbed “CloudSourcerer” has been around longer than initially believed. This group was also seen targeting the European Union.
CloudSourcerer was first documented by Kaspersky in June for targeting the Russian government. At the time, the Russia-based cyber firm believed the cyberespionage tool used in the campaign made its debut appearance in May. However, ESET researchers found two samples uploaded to VirusTotal in February and July. The researchers note that they believe with “high confidence” that the samples were not tampered with, while establishing “activity of the group back to at least early 2022.”
In addition to expanding the target list, Chinese hackers — such as Flax Typhoon, which just had part of its infrastructure dismantled by the FBI in September — are also finding new ways to stay undetected.
Mathieu Tartare, senior malware researcher at ESET, said that “one trend that we noticed among several China-aligned threat actors is the use of SoftEther VPN instead of their usual implants or backdoors.”
ESET found that Chinese-linked hackers have taken to deploying SoftEther VPN, a legitimate open-source program used by businesses for remote connections, “instead of their usual implants or backdoors,” Tartare said. He noted that the Chinese-linked hackers install the VPN on victim machines as an easy solution to maintain connection, while also blending into the victim’s legitimate traffic.
“We believe the attackers realize it’s a pretty useful tool to deploy a VPN software instead of a fully-fledged backdoor because it’s a legitimate software; it allows you to easily create a bridge between your organization and the victim organization,” Tartare said.
Webworm, a cyberespionage group linked to China, used the VPN software to target government organizations that belong to the EU instead of a “full-featured backdoor” tool set the hackers typically use, the firm said.
“We believe that there might have been targeting some individual in Ecuador based on the decoy document that was used in the spearphishing email,” Tartare said.
Tartare noted that organizations looking to protect themselves should consider any SoftEther VPN executables deployed on the network as suspicious. “Especially when this executable does not have the right filename,” he continued, adding that organizations should block SoftEther VPN executables if there is no reason for them to be on the network.
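The advice above boils down to two checks: identify a SoftEther binary by its content rather than its name, and treat an unexpected filename as a stronger signal than a known one. The following triage script is an added example, not code from ESET or the article; the set of standard SoftEther filenames and the version-resource string it searches for are assumptions, and the sample files are constructed in-line.

```python
import re

# Assumption: filenames shipped in the standard SoftEther VPN distribution.
SOFTETHER_NAMES = {"vpnserver.exe", "vpnclient.exe", "vpnbridge.exe",
                   "vpncmd.exe", "vpnsmgr.exe", "vpncmgr.exe"}

# Assumption: the product name appears in the PE version resource, which is
# stored as UTF-16LE, so both encodings of the marker are checked.
MARKERS = (b"SoftEther VPN", "SoftEther VPN".encode("utf-16-le"))


def basename(path):
    """Last path component, lower-cased; handles Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_softether(data):
    """Content-based check that survives renaming of the executable."""
    return any(m in data for m in MARKERS)


def triage(path, data, softether_approved=False):
    """Classify one executable: clean, approved, unapproved or renamed."""
    if not is_softether(data):
        return "clean"
    if basename(path) not in SOFTETHER_NAMES:
        return "renamed"  # legitimate tool under the wrong name: highest priority
    return "approved" if softether_approved else "unapproved"


def scan(files, softether_approved=False):
    """files: iterable of (path, bytes). Returns only findings needing action."""
    verdicts = ((p, triage(p, d, softether_approved)) for p, d in files)
    return [(p, v) for p, v in verdicts if v not in ("clean", "approved")]


# Constructed samples standing in for files collected from an endpoint.
SAMPLES = [
    ("C:\\Program Files\\SoftEther VPN Client\\vpnclient.exe",
     b"MZ..." + "SoftEther VPN".encode("utf-16-le")),
    ("C:\\Windows\\Temp\\update.exe",
     b"MZ..." + "SoftEther VPN".encode("utf-16-le")),
    ("C:\\Windows\\System32\\notepad.exe", b"MZ...Notepad"),
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLES):
        print(f"{verdict:10} {path}")
```

A substring marker is a coarse heuristic; in production, parse the version resource and verify the Authenticode signer instead, and pass `softether_approved=True` only for hosts where the VPN has a documented business reason.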
ESET’s APT update also included changes in tactics, techniques, and procedures from Russia, North Korea and Iran.
Iran, for instance, has leveled up activity with MuddyWater — a hacking group linked to the country’s Ministry of Intelligence and Security that has been around since 2017 — from cyberespionage to support for diplomatic and potentially kinetic operations.
ESET noted “potential indicators” that MuddyWater’s targeting of a transportation organization in Israel “may be gathering information to support military activities.” MuddyWater was seen moving laterally and exfiltrating credentials on internal networks in an “unusual” way that could indicate Iran is looking to target the critical sector.
“In light of the current tensions and conflicts in the Middle East, it makes sense that Iran-aligned groups would look to target critical industries like transportation,” the report said.
Russian hackers, meanwhile, are increasingly using one-day vulnerabilities on webmail servers like Roundcube and Zimbra. ESET researchers said that the spearphishing emails usually contain cross-site scripting exploits.
The post China’s elite hackers expand target list to European Union appeared first on CyberScoop.