
Chinese APT Group Compromised at Least 70 Government Organizations in 23 Different Countries

A Chinese APT group that has been in action since at least early 2022 is specializing in targeting government organizations via their public-facing servers, according to a new report from Trend Micro.

The report warns that the group spends most of its time targeting governments in Southeast Asia, but has been spotted in other regions. The hackers target employees with spearphishing emails and can be recognized by their unique backdoors that have not been seen in the wild before.

Chinese APT group appears to be an offshoot of older hacking team

The new team of hackers appears to be an offshoot of a Chinese APT group called “Earth Lusca” that specializes in cyber espionage but has a broader range of target types (including NGOs and private companies). This group has also been seen hacking for profit, having compromised cryptocurrency and gambling outfits.

The newer Chinese APT group, “Earth Krahang,” tends to focus on government organizations and infrastructure. Trend Micro researchers managed to compromise one of the group’s servers and extract multiple files that provide insight into its operations, including attack tool log files and samples of its malware.

The group spends much of its time scanning public-facing servers for files that might contain login credentials or otherwise open a door into the government infrastructure; it also identifies specific employees to target and sends them spearphishing emails as a means of entry. The spearphishing emails generally include a malicious attachment that appears to be a document about some geopolitical issue that would be relevant to the employee.

The Chinese APT group also likes to brute force Exchange servers connected to government organizations via their “Outlook on the Web” (OWA) portals. The group uses a custom Python script in tandem with the tool “ruler” to probe for accounts with weak, easily guessed passwords, and compromised accounts are then used to enhance the authenticity of spearphishing attempts.
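Password guessing against OWA and the other Exchange authentication endpoints leaves a recognizable trail in the web server's authentication logs. The following detector is an added example written for this article, not code from Trend Micro or from the report; it walks failed logon attempts per source IP with a sliding time window and separates the two shapes of the attack described above: many guesses against one account (brute force) and a few guesses against many accounts (password spraying). The log format, the sample lines and the thresholds are all constructed for illustration; real IIS W3C logs carry different fields, so only the parser would need adapting.

```python
"""Flag brute-force and password-spray patterns against Exchange/OWA logins.

Added example, not part of the Trend Micro report or the article. The log
format is constructed for illustration, one authentication attempt per line:
    <ISO timestamp> <client-ip> <account> <endpoint> <status>
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.10 sprays two guesses at six accounts via OWA,
# 198.51.100.7 hammers one account via EWS (ruler-style basic auth), and
# 192.0.2.25 is a user who mistypes once and then logs in.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 203.0.113.10 alice@gov.example /owa/auth.owa 401
2024-03-01T08:00:03Z 203.0.113.10 bob@gov.example /owa/auth.owa 401
2024-03-01T08:00:05Z 203.0.113.10 carol@gov.example /owa/auth.owa 401
2024-03-01T08:00:07Z 203.0.113.10 dave@gov.example /owa/auth.owa 401
2024-03-01T08:00:09Z 203.0.113.10 erin@gov.example /owa/auth.owa 401
2024-03-01T08:00:11Z 203.0.113.10 frank@gov.example /owa/auth.owa 401
2024-03-01T08:01:01Z 203.0.113.10 alice@gov.example /owa/auth.owa 401
2024-03-01T08:01:03Z 203.0.113.10 bob@gov.example /owa/auth.owa 401
2024-03-01T08:01:05Z 203.0.113.10 carol@gov.example /owa/auth.owa 401
2024-03-01T08:01:07Z 203.0.113.10 dave@gov.example /owa/auth.owa 401
2024-03-01T08:01:09Z 203.0.113.10 erin@gov.example /owa/auth.owa 401
2024-03-01T08:01:11Z 203.0.113.10 frank@gov.example /owa/auth.owa 401
2024-03-01T08:05:00Z 198.51.100.7 alice@gov.example /EWS/Exchange.asmx 401
2024-03-01T08:05:01Z 198.51.100.7 alice@gov.example /EWS/Exchange.asmx 401
2024-03-01T08:05:02Z 198.51.100.7 alice@gov.example /EWS/Exchange.asmx 401
2024-03-01T08:05:03Z 198.51.100.7 alice@gov.example /EWS/Exchange.asmx 401
2024-03-01T08:05:04Z 198.51.100.7 alice@gov.example /EWS/Exchange.asmx 401
2024-03-01T08:05:05Z 198.51.100.7 alice@gov.example /EWS/Exchange.asmx 401
2024-03-01T08:05:06Z 198.51.100.7 alice@gov.example /EWS/Exchange.asmx 401
2024-03-01T08:05:07Z 198.51.100.7 alice@gov.example /EWS/Exchange.asmx 401
2024-03-01T08:05:08Z 198.51.100.7 alice@gov.example /EWS/Exchange.asmx 401
2024-03-01T08:10:00Z 192.0.2.25 carol@gov.example /owa/auth.owa 401
2024-03-01T08:10:20Z 192.0.2.25 carol@gov.example /owa/auth.owa 200
2024-03-01T08:10:21Z 192.0.2.25 carol@gov.example /owa/ 200
"""

FAILURE_STATUSES = {"401", "403"}
# Endpoints that accept credentials (assumed list; extend for your deployment).
AUTH_ENDPOINTS = ("/owa/auth.owa", "/ews/exchange.asmx", "/autodiscover/autodiscover.xml")


def failed_auth_attempts(log_text):
    """Yield (timestamp, ip, account) for every failed attempt at an auth endpoint."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or line.startswith("#"):
            continue
        ts, ip, account, endpoint, status = parts
        if status in FAILURE_STATUSES and endpoint.lower().startswith(AUTH_ENDPOINTS):
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account.lower()


def detect_owa_abuse(log_text, window=timedelta(minutes=10),
                     spray_accounts=5, brute_attempts=8):
    """Return {'spray': {ip: distinct_accounts}, 'brute': {(ip, account): attempts}}.

    Failed attempts are grouped by source IP and walked in time order with a
    sliding window. Within one window, >= spray_accounts distinct accounts from
    one IP is reported as spraying; >= brute_attempts failures against a single
    account from one IP is reported as brute forcing. The peak count is kept.
    """
    per_ip = defaultdict(list)
    for ts, ip, account in failed_auth_attempts(log_text):
        per_ip[ip].append((ts, account))

    findings = {"spray": {}, "brute": {}}
    for ip, events in per_ip.items():
        events.sort()
        recent = deque()
        for ts, account in events:
            recent.append((ts, account))
            # Drop attempts that have aged out of the window.
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            per_account = Counter(acct for _, acct in recent)
            if len(per_account) >= spray_accounts:
                findings["spray"][ip] = max(findings["spray"].get(ip, 0), len(per_account))
            for acct, n in per_account.items():
                if n >= brute_attempts:
                    key = (ip, acct)
                    findings["brute"][key] = max(findings["brute"].get(key, 0), n)
    return findings


if __name__ == "__main__":
    for kind, hits in detect_owa_abuse(SAMPLE_LOG).items():
        for who, count in hits.items():
            print(f"{kind}: {who} ({count})")
```

The two thresholds pull in opposite directions: a spraying actor stays under any per-account lockout on purpose, so the per-account counter alone never fires, while the distinct-account counter catches it; tune both against the site's own baseline of mistyped passwords before alerting.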

Since 2023 the Chinese APT group has been running a custom backdoor called XDealer that comes in two versions, one for Windows and one for Linux. The malware is the most advanced in the group’s portfolio and has the ability to log keystrokes, copy clipboard data and take screenshots. The group appears to have stolen valid code signing certificates from two private Chinese companies (a human resources contractor and a game development firm) to sign its malicious executables.

Victim count spread throughout the world, but activity highest among Asian government organizations

Trend Micro finds the Chinese APT group has compromised at least 70 victims over the last two years, in 23 different countries. But the group’s logs indicate it has targeted over 110 organizations in 10 additional nations.

Government organizations in the group’s corner of the world are the center of its activity, and this is where most of its confirmed compromises are seen. The Chinese APT group has breached targets in essentially all of the Asia-Pacific nations, and the handful it has not breached it has at least targeted. Japan seems to be the only major player in the region it has left alone thus far, along with China’s ally North Korea.

Of its 70 confirmed victims thus far, 48 have been government organizations. Nearly all of the targets that were attacked but not successfully breached were also government organizations, including attempts made in the United States. The group most frequently attempts to break into Foreign Affairs ministries and departments.

Trend Micro believes that both of the Chinese APT groups may well be working for I-Soon, the private hacking contractor that was recently exposed as working for the Chinese government on espionage projects. The company was exposed by what appears to be a disgruntled former employee who leaked a trove of internal documents. The researchers think that the two groups have been run as separate operations for the most part, but have become increasingly intertwined in recent months.

One thing that is clear about the group is that while it has its own custom backdoors, it is not using the type of cutting-edge tools and tactics that one would expect from one of the APT groups run more directly by the Chinese military. It also does not appear to deploy zero-day vulnerabilities and mostly uses well-known open source tools; all of these elements support the theory that it is a private hack-for-hire group, of the kind that the I-Soon leaks exposed as being extremely common and in fierce competition with each other for government contracts.

Max Gannon, Cyber Intelligence Analysis Manager at Cofense, notes that though the group is not among the world’s most dangerous threats it is nevertheless “highly motivated” and displays sophistication in its work: “What is noteworthy about this attack is the hackers also hosted malicious payloads on compromised government infrastructure and in some cases used government infrastructure for VPN services. This adds an extra layer of obfuscation that may bypass well-trained employees as well as some automated defenses. The threat actors use a large number of open-source tools to repeatedly and effectively attack targets across a large attack surface. This shows a dedication that is typically only seen in highly motivated threat actors (such as well-paid ransomware groups targeting large corporations) or those operating on behalf of nation-states. This makes this campaign worth noting for government entities who may be targets.”