Search This Blog

Showing posts with label Chinese Hackers. Show all posts

Chinese hackers attacked a Russian developer of military submarines

Chinese hackers reportedly attacked the Rubin Central Design Bureau for Marine Engineering (СKB Rubin), which designs submarines for the Russian Navy, by sending images of a submarine with malicious code to its CEO. Experts believe the hackers are acting in the interests of the Chinese government.

According to cybersecurity company Cybereason, in April, Chinese hackers attacked the Russian CKB Rubin. The attack began with a fake letter that the hackers sent to the general director of CKB Rubin allegedly on behalf of the JCS “Concern “Sea Underwater Weapon – Gidropribor”, the State Research Centre of the Russian Federation.

The letter contained a malicious attachment in a file with images of an autonomous unmanned underwater vehicle. "It is very likely that hackers attacked Gidropribor or some other institution before that," the author of the Telegram channel Secator believes.

The RoyalRoad malware attachment used in the CKB Rubin attack is one of the tools that guarantees delivery of malicious code to the end system, which is most often used by groups of Asian origin, said Igor Zalewski, head of the Solar JSOC CERT Cyber Incident Investigation Department at Rostelecom-Solar.

Cybereason pointed out that the attack on CKB Rubin has similarities to the work of Tonto and TA428 groups. Both have been previously seen in attacks on Russian organizations associated with science and defense.

It is worth noting that the CKB Rubin traces its history back to 1901. More than 85% of the submarines which were part of the Soviet and Russian Navy at various times were built according to its designs.

According to Igor Zalevsky, the main Rubin's customer is the Ministry of Defense, CKB Rubin deals with critically important and unique information related to the military-industrial complex of the Russian Federation which explains the interest of cyber-criminals.

Experts believe that such attacks will gain momentum because specialized cyber centers are being created due to aggravation of information confrontation between states.

Information security expert Denis Batrankov noted that designers are attacked for the sake of industrial espionage mainly by special services of other states. "The problem is that we all use software, which has many hacking methods that are not yet known. Intelligence agencies are buying new vulnerabilities from the black market for millions of dollars,” added he.


Chinese APT Actors Attack Russian Defense In An Espionage Attack

An earlier anonymous backdoor malware, called PortDoor, is probably being used by Chinese APT (advanced persistent threat) hackers to attack Russian defense system, according to reports. Cybersecurity firm 'Cybereason Nocturnus' looked into hackers specifically targeting Rubin Design Bureau, an organization that builds submarines for Russian Navy Federation. The main target was director general named Igor Vladimirovich, who received a phishing mail, say experts. The attack started with "Royalroad weoponizer" aka RTF exploit builder/8.t Dropper, which, according to cybersecurity experts, is a tool used by Chinese APT's to orchestrate their attacks, like Tick, Tonto Team and TA428. 


RoyalRoad makes weaponized RTF documents that attack vulnerabilities CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802) in Equation Editor of Microsoft. RoyalRoad's use in the attack is the reason why the victim suspects Chinese hackers to be behind the attack. Cybereason analysis said, "the accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests." 

A Subtle Spying Malware 

Experts found the malware stealing unique PortDoor sample when the corrupt RTF file is opened, which is built cautiously to stealth. It has various functions that include spying, target profiling, delivering additional payloads, process manipulation, privilege escalation, AES- encrypted data exfiltration, static detection antivirus evasion, one-byte XOR encryption and much more. If deployed, backdoor decodes strings with the help of hard-coded 0xfe XOR key in order to get configuration info. It includes C2C server address, target locator, and other trivial information. 

Cybersecurity report said, "the backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports." "Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,” researchers concluded. “We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete."

Thousands of U.S. Organizations Attacked in a Chinese Cyber-Espionage Campaign

 

Microsoft Exchange servers have become the latest victim of Chinese-sponsored cyber-attack. Chinese hackers targeted the Microsoft Exchange Servers earlier this week exploiting the zero-day vulnerabilities. The vulnerabilities in servers allowed the hackers to target thousands of organizations around the globe.

According to the security experts, the group known as ‘Hafnium’ is responsible for targeting Microsoft’s Exchange servers and exploiting more than tens of thousands of email servers. As per a computer security expert, more than 30,000 US organizations, and hundreds of thousands worldwide have been targeted in recent days by an unusually aggressive Chinese cyber-espionage campaign.

Hafnium has targeted several US-based companies in the past including law firms, universities, infectious disease researchers, defense contractors, think tanks, and NGOs.

Brian Kerbs, independent cybersecurity first reported the 30,000 figure on Friday and posted a note on his website reading, this cyber-espionage campaign has exploited recently discovered flaws in Microsoft Exchange servers, stealing email, and corrupting computer servers with tools that allowed threat actors to take control remotely. He reported that insiders said threat actors have ‘seized control’ of thousands of computer systems around the globe using password-protected software tools.

White House spokeswoman Jennifer Psaki stated in a press conference - “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this. Network owners also need to consider whether they have already been compromised and should take appropriate steps.” 

Microsoft Executive Tom Burt said the company had released updates to patch the security vulnerabilities, which apply to on-premises versions of the software rather than cloud-based versions, and requested customers to apply them and also highlighted that threat actors belonged to China but operated through leased virtual private servers in the United States. 

“We know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems”, he wrote in his blog post.

AIVD says they face cyber attacks from Russia and China every day

According to the head of the country's General Intelligence and Security Service, these hackers break into the computers of companies and educational institutions

The head of the General Intelligence and Security Service of the Netherlands (AIVD), Erik Akerboom, said that the country's special services allegedly "every day" catch hackers from China and Russia, who, according to him, break into the computers of companies and educational institutions. At the same time, the head of the AIVD did not provide any evidence.

"Every day we catch hackers from both China and Russia hacking into the computers of companies and educational institutions," the head of AIVD said in an interview with Vu Magazine.

According to Akerboom, the target of these hackers is vital infrastructure, such as drinking water, banks, telecommunications, and energy networks." However, he did not give an example of any specific cyberattack.

In 2018, the Ministry of Defense of the Netherlands said that the country's special services prevented a hacker attack on the Organization for the Prohibition of Chemical Weapons (OPCW), which four Russian citizens allegedly tried to carry out. According to the head of department Ankh Beyleveld, the suspects with diplomatic passports were expelled from the Netherlands on April 13. The Russian Foreign Ministry called such accusations "another staged propaganda" action and said that the unleashed "anti-Russian espionage campaign" causes serious harm to bilateral relations.

Besides, in December 2020, the Netherlands was accused of the espionage of two Russian diplomats, calling them employees of the Foreign Intelligence Service undercover. The Russians were declared persona non grata. In response, Moscow sent two employees of the Dutch Embassy from Russia. The accusations of activities incompatible with the diplomatic status of the Russians were called "unfounded and defamatory".

Recall that recently Washington accused Moscow of large-scale cyber attacks, which were allegedly carried out in order to get intelligence data. The representative of the Russian Ministry of Foreign Affairs, Maria Zakharova, said in response that such statements by the United States about hacker attacks allegedly by Russia have already become routine.

Chinese Hackers Cloned Exploit Tool Belonging to NSA

 

A Chinese hacking group allegedly "cloned" and deployed a zero-day exploit created by the U.S. National Security Agency's Equation Group before Microsoft fixed the Windows vulnerability that was being misused in 2017, as indicated by an analysis published on Monday by Check Point Research. For quite a long while, researchers had presumed the Chinese hacking group known as APT31 or Zirconium had built up an exploit tool to take advantage of a vulnerability tracked as CVE-2017-0005 and found in more seasoned renditions of Windows, like Windows 7 and Windows 8, as indicated by the report. 

The report brings up additional questions about how some of the NSA's most valued cyberweapons have been found or stolen by nation-state hacking groups and then turned on their developers over the years. In May 2019, Symantec published a similar report that found another group of hackers had taken and exploited cyber tools developed by the NSA. Both the Symantec and Check Point research show that the burglary of NSA Equation Group devices by these groups seems to have occurred before the hacking group known as the Shadow Brokers first began publishing the agency's exploits in 2016. 

Security research previously noted that a zero-day exploit was created for CVE-2017-0005, called "Jian," in 2014 and initially deployed it in 2015. The exploit was utilized for a very long time before Microsoft at last issued a patch for it in 2017. Whenever exploited, this bug could permit an attacker to escalate privileges inside an undermined device and afterward acquire full control, the researchers note. Microsoft published its fix for CVE-2017-0005 in March 2017, when the company was forced to issue multiple fixes for the exploits related to the Shadow Brokers "Lost in Translation" leak, Check Point notes. 

A further investigation by Check Point found that Jian was not an original creation, but rather a clone of a zero-day exploit for more seasoned renditions of Windows created by the NSA Equation Group in 2013 and initially called "EpMe" by the agency, as per the new report. 

 In another case documented by Symantec in 2019, APT3 "Buckeye" was connected to assaults utilizing Equation Group tools in 2016, before the Shadow Brokers leak.

New Self-Spreading Golang Worm Dropping XMRig Miner on Servers

 

Security researchers at Intezer have found a new self-spreading worm written in GoLang. The malware variant has been actively targeting both Windows and Linux servers, predominantly since December 2020. Researchers noted that the worm developed by China-based hackers attempts to mine Monero, an open-source cryptocurrency launched in 2014 which gained immense popularity and wide acceptance for its privacy-oriented features.
 
GoLang's rich library ecosystem makes it a top preference for malware developers, who can infiltrate the systems without being detected while working with GoLang's smooth malware creation process. The language makes it easier for hackers to bypass security as the malware written in GoLang is large-sized and scanning large files is beyond the capabilities of most of the antivirus software.

The 'GoLang' malware that has been dropping XMRig cryptocurrency miners on Windows and Linux servers, has worm-like capabilities that let it propagate itself to other systems through brute-forcing. 

The worm attacks application servers, non-HTTP services, and web application frameworks; it has targeted public-facing services rather than "the end-users". MySQL, Tomcat admin panel, and Jenkins are some of its latest victims. Besides, these public-facing services with weak passwords, the malware operators have also tried to compromise Oracle WebLogic Server by exploiting its remote code execution vulnerability – CVE-2020-14882, in an older variant.

Attack Execution 

The worm on the Command and Control (C&C) server was periodically updated by the operators, signifying the current "active" status of the malware. Once the target is being successfully compromised, the attack proceeds with deploying the loader script, a Golang binary worm, and an XMRig Miner – three files hosted on the aforesaid C&C server.

While giving insights into the matter, Chad Anderson, Senior Security Researcher at DomainTools said, “While it’s certainly alarming that there were no detections for this worm’s initial sample, that’s not surprising as Golang malware analysis tooling has still been playing a bit of catch up in the automation space,” 
 
“We would expect that with the rise in cryptocurrency prices over the last few weeks that actors looking to cash in for a few extra dollars would cause a surge in mining malware,” he further added. 
 
“The fact that the worm’s code is nearly identical for both its PE and ELF malware—and the ELF malware going undetected in VirusTotal—demonstrates that Linux threats are still flying under the radar for most security and detection platforms,” the report by Intezer read.

Spear-Phishing Campaigns Targeting Tibet and Taiwan

 

Tibetan community is being targeted by a Spear-phishing campaign; it is suspected that malicious actors behind these operations are the ones formerly involved in campaigns attacking Taiwanese legislators as discovered in May 2020 during an investigation. Reportedly, the group is employing a novel malware variant called MESSAGEMANIFOLD, similar to the one employed in the abovementioned campaigns, further solidifying the links discovered between both the campaigns. 

Several other overlaps have also been noted between both the activities, including the application of the same email themes and identical hosting provider. Furthermore,  both the campaigns made use of Google Drive links for downloading the malware. 

The campaigners are attacking strategic targets that somehow align with the Chinese Government’s affairs. The threat actors used spear-phishing emails with the theme ‘conference invitations’, which included a direct download Google Drive link. According to the researchers two Google Drive links were there, with the name “dalailama-Invitations [.]exe” file. 

About the Attacks

The dropped files (HTTP POST) were being used for the requests to communicate with the control and command server which uses a fixed URL pattern, and for the next stage, malware needs a specific response. Those domains were being used in both campaigns were organized on AS 42159 (Zemlyaniy Dmitro Leonidovich) and AS 42331 (PE Freehost). 

Recent cyberattacks on Taiwanese and Tibetan entities don't come as a surprise, it has been observed that Beijing-based malicious actors actively attack these states in accordance with their state interests. A recent study at IBM disclosed that an email phishing scheme attacking Germany and Italy based COVID-19 vaccine supply chains. Other targets included the Czech Republic and South Korea amid a few more. 

Given the highly customized nature of the attacks against particular targets chosen strategically, the activity could possibly be aligned with Chinese nation-backed attackers; however, as of now, the campaigns could not be affiliated to a recognized cyber threat group. Therefore, experts have recommended employing a trustworthy anti-malware solution. Users are also advised to avoid opening attachments from anonymous sources. 

Chinese State-Sponsored Hackers Exploiting Zerologon Vulnerability

 

Chinese state-sponsored threat actors have been observed exploiting the Zerologon vulnerability in a global campaign targeting businesses from multiple industries in Japan and 17 other regions across the world including the United States and Europe. The attacked industries include engineering, automotive, managed service providers, and pharmaceutical. 

According to the information gathered by Symantec’s Broadcom division, these attacks have been attributed to the Cicada group also known as APT10, Cloud Hopper, or Stone Panda. 
 
The attackers are known for their sophistication, in certain cases, they were recorded to have hidden their suspicious acts effectively and remained undetected while operating for around a complete year. Previously, the state-backed actors have stolen data from militaries, businesses, and intelligence, and seemingly, Japanese subsidiaries are their newly found target. 
 
The links between the attacks and Cicada have been drawn based on the similar obfuscation methods and shellcode on loader DLLs to deliver malicious payloads, being used as noticed in the past along with various other similarities like living-off-the-land tools, backdoor QuasarRAT final payloads commonly employed by the hacking group. 
 
"The initial Cloud Analytics alert allowed our threat hunting team to identify further victims of this activity, build a more complete picture of this campaign, and attribute this activity to Cicada," Symantec said in their report. 
 
"The companies hit are, in the main, large, well-known organizations, many of which have links to Japan or Japanese companies, which is one of the main factors tying the victims together," the report further read. 
 
In September, Iranian-sponsored hacking group MuddyWater (MERCURY and SeedWorm) was seen to be actively exploiting Zerologon vulnerability. Another hacking group that exploited Zerologon was the financially-motivated TA505 threat group, also known as Chimborazo.
 
"The affected companies are from manufacturing, construction, and government-related industries, with top victims having around $143 billion, $33 billion and $2 billion yearly revenue," as per a report published by KELA, an Israel based Cybersecurity organization. 

"[M]ore and more threat actors, Advanced APT group and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks," KELA further added.

Microsoft Confirms Cyber-Attacks on Biden and Trump Campaigns

Microsoft reports breaching of email accounts belonging to individuals associated with the Biden and Trump election campaigns by Chinese, Iranian, and Russian state-sponsored hackers. 

Tom Burt, Corporate VP for Customer Security and Trust at Microsoft, revealed the occurrences in a detailed blog post after Reuters announced about a portion of the Russian attacks against the Biden camp. 

"Most of these assaults" were recognized and blocked, which is what he added later and revealed in the blog post with respect to the additional attacks and furthermore affirmed a DNI report from August that asserted that Chinese and Iranian hackers were likewise focusing on the US election process.

 As indicated by Microsoft, the attacks conducted by Russian hackers were connected back to a group that the organization has been tracking under the name of Strontium and the cybersecurity industry as APT28 or Fancy Bear. 

 While Strontium generally carried out the spear-phishing email attacks, as of late, the group has been utilizing 'brute-force' and password spraying techniques as an integral technique to breaching accounts. 

Then again, the attacks by Iranian hackers originated from a group tracked as Phosphorous (APT35, Charming Kitten, and the Ajax Security Group). 

These attacks are a continuation of a campaign that began a year ago, and which Microsoft recognized and cautioned about in October 2019. At that point, Microsoft cautioned that the hackers focused on "a 2020 US presidential campaign" yet didn't name which one. 

Through some open-source detective work, a few individuals from the security community later linked the attacks to the Trump campaign. 

What's more, only a couple of days back Microsoft affirmed that the attacks are indeed focused on the Trump campaign, yet in addition unveiled a new activity identified with the said group. The attacks were likewise identified by Chinese groups. 

While presently there are several hacking groups that are assumed to work under orders and the security of the Chinese government, Microsoft said that the attacks focusing on US campaigns originated from a group known as Zirconium (APT31), which is a similar group that Google spotted not long ago, in June. 

Microsoft says it detected thousands of attacks coordinated by this group between March 2020 and September 2020, with the hackers accessing almost some 150 accounts during that time period.


Chinese hackers targeted about five Russian developers of banking software

Chinese hacker group Winnti attacked at least five Russian developers of banking software, as well as a construction company. According to Positive Technologies, the names of banks and developers are not disclosed.

Positive Technologies noted that the implantation of special malicious code by hackers at the development stage potentially allows them to get access to Bank data. After the code is implemented onto the infected machine, a full-fledged backdoor is loaded to investigate the network and steal the necessary data.

Andrey Arsentiev, head of analytics and special projects at InfoWatch, explained that previously Winnti hacked industrial and high-tech companies from Taiwan and Europe through attacks on the software supply chain, but now, apparently, it has decided to switch to Russian companies.

According to him, there is a rather complex software supply chain in the financial sector, so Winnti may be interested not only in obtaining direct financial benefits but also in corporate espionage. As for the construction industry, Chinese hackers may be aimed at obtaining trade secrets, which in turn may be related to the plans of Chinese companies to expand into the Russian market. Mr. Arsentiev came to the conclusion that, in this way, hacker attacks would allow studying the strategy of potential competitors

Nikolay Murashov, deputy director of the National Coordination Center for Computer Incidents, said that organizations involved in software development and system integration accounted for about a third of all targeted attacks in the Russian Federation in recent years.

According to Mikhail Kondrashin, technical director of Trend Micro, attacks specifically on software developers for banks open up endless opportunities for subsequent attacks. The appearance of such attacks actually changes the rules of information security in the field of development: it is no longer just about developing secure code, but rather protecting the infrastructure itself.

A Rise in New Cyberspying by a Suspected Chinese Group Detected By a U.S Cybersecurity Firm


A surge in new cyberspying by a speculated Chinese group that dates as far back as to late January was recently being observed by a U.S. cybersecurity firm. 

Happening around the time when the worldwide pandemic COVID-19 began to spread outside the borders of the Chinese, a publicly-traded cybersecurity company, FireEye Inc. (FEYE.O) said in a report that it had detected a spike in movement from a hacking group it calls "APT41" that began on Jan. 20 and focused on more than 75 of its customers, from manufacturers and media companies to medicinal and healthcare services associations and non-profits. 

The report stated that it was “one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.”

In its report, FireEye said that APT41 abused the recently revealed defects and flaws in the software created by Cisco (CSCO.O), Citrix (CTXS.O) and others to attempt to break into scores of companies' networks in the US, Canada, Britain, Mexico, Saudi Arabia, Singapore and in excess of a dozen other nations. 

Despite the fact that it declined to identify the affected customers, the Chinese Foreign Ministry didn't directly address FireEye's charges yet said in a statement that China was “a victim of cybercrime and cyberattack.”

Matt Webster, an analyst with Secureworks – Dell Technologies' (DELL.N) cybersecurity arm – said in an email that his group had likewise observed proof of the said increased movement from Chinese hacking groups over the last few weeks. 

Specifically, he said his group had recently spotted new digital infrastructure related to APT41 – which Secureworks calls “Bronze Atlas." 

Even though relating hacking campaigns to a particular nation or entity is mostly loaded with ‘uncertainty’, however, FireEye said it had evaluated "with moderate confidence" that APT41 was made out of Chinese government contractors. 

John Hultquist, FireEye's head of analysis, said the said surge was astounding in light of the fact that hacking activity ascribed to China has commonly become increasingly focused and further added that “This broad action is a departure from that norm.”

Hackers Working For the Chinese Government Tracking Movements of Ethnic Uighurs




Hackers working for the Chinese government are said to have been tracking the movements of ethnic Uighurs, a mostly Muslim minority, which is viewed as a security threat by Beijing. The hacks are a part of a rather extensive cyber-espionage campaign focused on “high-value individuals” such as diplomats and foreign military personnel, the sources said.

As a part of the campaign, various groups of Chinese hackers have compromised telecoms operators in nations including Turkey, Kazakhstan, India, Thailand and Malaysia, the four sources said.

China is currently confronting growing international criticism over its treatment of Uighurs in Xinjiang , as the members from the group have been subject to mass confinements in what China calls  “vocational training”  centres as well as 'widespread state surveillance'.

The nation has more than once denied association in any cyber-attacks or any abuse of the Uighur people, whose religious and cultural rights Beijing says are completely ensured, and the Chinese Foreign Ministry said any hacking charges should be upheld by legitimate proof.

“We would again like to stress that China is a resolute safeguarder of internet security. We consistently and resolutely oppose and crack down on any forms of internet attacks,” a ministry statement said.

While government authorities in India and Thailand declined to remark in regards to the specific telecoms operators that were undermined, officials in Malaysia, Kazakhstan and Turkey refused to promptly react to the requests for comments.

Chinese Hackers Attacked Eight Major Technology Service Providers




Eight largest technology service providers were attacked by the hackers of China’s Ministry of State Security; they attempted to access sensitive commercial information and secrets from their clients across the world.

In December, last year, a vicious operation was outlined in formal charges filed in the U.S.; it was designed to illegally access the Western intellectual property with motives of furthering China’s economic interests.

According to the findings made by Reuters, the list of the compromised technology service providers include Tata Consultancy Services, Dimension Data, Hewlett Packard Enterprise, Computer Sciences Corporation, HPE’s spun-off services arm, IBM, DXC Technology, Fujitsu and NTT Data.

Furthermore, various clients of the service providers such as Ericsson also fall prey to the attack.
However, IBM previously stated that it lacks evidence on any secret commercial information being compromised by any of these attacks.

Referencing from the statements given by HPE, they worked diligently for their “customers to mitigate this attack and protect their information.” Meanwhile, DXC told that it had, “robust security measures in place” in order to keep their clients secure.

Commenting on the matter and denying the accusations and any sort of involvement in the attacks, the Chinese government said, “The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets,”

“While there have been attacks on our enterprise network, we have found no evidence in any of our extensive investigations that Ericsson’s infrastructure has ever been used as part of a successful attack on one of our customers,” a spokesperson of Ericsson told as the company said, it doesn’t comment on specific cybersecurity matters.



Chinese espionage campaign hit telecommunications firms around the world






Hackers have breached into the systems of more than a dozen global telecommunications companies and have to hold on a large amount of personal as well as corporate data, researchers from a cybersecurity company said on Tuesday.

Security researchers from a cybersecurity firm Cybereason, which is a collaboration of US-Israel, said that the attackers compromised companies in more than 30 countries. 

The main aim behind this espionage is to gather information about individuals who are working in government, law enforcement and politics. The group is linked to a Chinese cyber-espionage campaign.

The tools used by hackers were similar to other attacks which were carried out by Beijing, but the country denied of involvement in any kind of mischievous activity. 

Lior Div, chief executive of Cybereason. “For this level of sophistication, it’s not a criminal group. It is a government that has capabilities that can do this kind of attack,” he told Reuters.

Cybereason said in a blog post. “They built a perfect espionage environment. They could grab information as they please on the targets that they are interested in.”



“We managed to find not just one piece of software, we managed to find more than five different tools that this specific group used,” Div said.

Australian Universities' Servers hacked, data back from 19 Years stolen






The Australian National University (ANU) confirmed on Tuesday hackers breached their cyber defense system in order to access sensitive data, including students bank and passport details going back 19 years. 

The university said they discovered the breach two weeks ago only, and it was carried out by some ‘’sophisticated operator.”

Last year in July, they thwarted an attempt to hack their network system. According to media reports at that time, the bid originated in China. 

“National community agencies are recruiting directly out of ANU,” said Fergus Hanson, head of the International Cyber Policy Centre at think-tank the Australian Strategic Policy Institute. “To have information around particular people who are working in different departments... that would be very useful.” 

Australia’s cyber intelligence agency said they are still investigating who was behind the attack.

“It does appear to be the work of a sophisticated actor,” a representative of the Australian Signals Directorate said in an emailed statement. “It is too early to speculate about connections to other compromises.”

However, China has always denied its involvement in any kind of hacking attacks and its embassy in Australia did not respond to a request from Reuters for comment.


Chinese hackers attacked Russian companies and government agencies for 9 years



Russian Security Companies Positive Technologies and Kaspersky Lab discovered a cyber group which for several years stole data from more than 20 Russian companies and government agencies. The expert said that such groups are usually engaged in political intelligence or industrial espionage.

The hacker group has been working for at least 9 years. The names of the companies attacked by hackers were not disclosed. But it is specified that 24 Russian important organizations were attacked.

According to Positive Technologies, the attackers used Chinese developers to create their tools and used during the attacks Chinese IP addresses. Moreover, the keys for some versions of malicious programs are found on specialized forums where people from China communicate.

Positive Technologies gave the name TaskMasters to the hacker group because it created specific tasks in the task scheduler that allows hackers to execute commands of the operating system and run software at a certain point in time. After penetration into local networks of the enterprises, leaks of information were used for espionage.

Kaspersky Labs said they have been tracking the activity of this group since 2016, and they call it BlueTraveler. According to experts, hackers attack more often government agencies, mainly from Russia and the CIS. In addition, they confirm that the attackers speak Chinese and the methods used by Asian attackers is popular for political intelligence or industrial espionage.

An interesting fact is that the attacks of Asian hackers for years remained unnoticed by antivirus or information security services. Hackers downloaded without trace gigabytes of information, files, documents and drawings to their servers.

Known hackers of financial institutions prefer the method using the task scheduler. Namely, the Russian-speaking groups Cobalt and MoneyTaker use this method.

It is worth noting that at the end of 2018, cybersecurity experts reported that the financial sector of Russia for the year lost at least 3 billion rubles from cyber attacks.

A Hacker Group, 'Barium' on a Supply Chain Hijacking Spree



One of the most fatal forms of hacking is a software supply chain attack as it involves illicitly accessing a developer's network and placing the malicious code into the software updates and applications that users consider and trust the most.

In a single attempt, supply chain hackers can potentially place their ransomware onto thousands or millions of computer systems, they can do so without even a single trace of malicious activity. With time, this trick has gained a lot of traction and has become more advanced and difficult to be identified. Supply chain attacks follow a similar pattern and have been used by the associated companies as their core tool.

Basically, supply chain attacks exploit various software dissemination channels and over the last three years, these attacks have been majorly linked to a group of Chinese hackers. Reportedly, they are popularly known as ShadowHammer, Barium, Wicked Panda and ShadowPad, the name varies along with the security firms.

The trick demonstrates the massive potential of ShadowHammer to destroy computer systems on a large scale along with exploiting vulnerabilities present in a fundamental model which governs the code employed by users on their systems, such destructive ability possessed by Barium is a matter of great concern for security researchers.

Referencing from the statements given by Vitaly Kamluk, the director of the Asia research team for security firm Kaspersky, "They're poisoning trusted mechanisms," "they’re the champions of this. With the number of companies they’ve breached, I don’t think any other groups are comparable to these guys."

"When they abuse this mechanism, they’re undermining trust in the core, foundational mechanisms for verifying the integrity of your system,"

"This is much more important and has a bigger impact than regular exploitation of security vulnerabilities or phishing or other types of attacks. People are going to stop trusting legitimate software updates and software vendors."

On being asked, Marc-Etienne Léveillé, a security researcher, said, "In terms of scale, this is now the group that is most proficient in supply chain attacks,"

"We’ve never seen anything like this before. It’s scay because they have control over a very large number of machines

"If [Barium] had deployed a ransomware worm like that through one of these attacks, it would be a far more devastating attack than NotPetya," said another expert on the matter.






During ransomware attack, student's GCSE coursework seized

Sir John Colfox Academy, in Bridport, was the target of hackers, believed to be from China, after a member of staff mistakenly opened an email that contained virus and infected the school’s entire computer network. The email claimed to be from a teacher at another Dorset school.

Hackers seized pupil’s GCSE courework of the secondary school and demanded cash or returning it.

The Sir John Colfox Academy has about 1,000 pupils. The coursework was from one subject submitted by Year 11 students, which was saved on the school' system.

Head teacher David Herbert said: "We are liaising with the relevant exam boards about this specific issue."

Police have launched an investigation into the cyber attack.

Neither police nor the school have said how much money was demanded for the return of the coursework, but police say no money has been paid.

Russian Hacking Trouble for the Cyber World



According to data analysis by computer security company CrowdStrike, Russian hacking attack team spares only 19 minutes to the victim to respond to the attack. The next fastest group were North-Koreans who took two hours to jump to the next server to spread the attack,the third on the list comes Chinese attackers who on average gives four hours to the victim to foil their target attack.

Statistically the calculated time is coined as  “dubbed time“ and is the time attacker takes to jump from one network to another to spread the attack. Introducing the concept, CrowdStrike wrote in its report “shows how much time defenders have on average to detect an initial intrusion, investigate it and eject the attacker before sensitive data can be stolen or destroyed.”

According to the author, Pete Singer, the new analysis is eye-opening, "These stats are driven by a whole variety of factors, among them the skills and capability, the relative risk each is making in their likelihood of getting caught and the consequences. No matter how you look at it, an average of 18 minutes is quite amazing given the scale."

The Russians hackers have attacked many defense and military establishments throughout Europe and NATO since last year. Russian hackers were alleged to attack PyeongChang Winter Olympic Games in 2018.

Chris Krebs, DHS Cybersecurity and Infrastructure Security Agency Director, told defenseone.com recently, “We are doubling down on election security in advance of the 2020 election. Despite what some of the reporting might be, election security and countering foreign influence efforts aren’t going anywhere.”

According to a research from Arizona state University, researchers revealed that the exploiting a known vulnerability depended greatly on the country of the attacker.For Instance, the researchers looked at the Dark Web chat rooms , If attackers were discussing  vulnerabilities in National Database and If the hackers discussing the bug were Chinese, the chances to exploit the vulnerability in question was nine percent, But if the conversation was between Russians, then the probability of exploiting vulnerability is forty percent.

New Ransomware Strain Hits the Chinese Web; Infects 100K PCs




More than 100,000 Chinese users have had their Windows PCs infected with yet another strain of ransomware that encodes their records and files all the while requesting a 110 yuan (~$16) ransom. The inadequately composed ransomware is known to have been scrambling local documents and taking credentials for various Chinese online services.

As of now there has been no threat made to international users as the ransomware is only determined to focusing on the Chinese web only.

The individual or the group behind the activity are only utilizing Chinese-themed applications to appropriate the ransomware by means of local sites and discussions at the same time asking for ransom payments through the WeChat payment service, just accessible in China and the contiguous areas.


A report from Chinese security firm Huorong, the malware, named 'WeChat Ransom' in a few reports, came into existence on December 1 and the quantity of infected systems has developed to more than 100,000 as of December 4.

Security specialists who analysed the attack said that other than encoding records, the ransomware additionally incorporated an information-stealing component that collected login credentials for a few Chinese online services, like Alipay, Baidu Cloud, NetEase 163, Tencent QQ, and Taobao, Tmall, and Jingdong.

Chinese security organizations examining the malware concur that it is a long way from a complex risk that can be effortlessly defeated. Although it professes to delete the decryption key if the victim neglects to pay the ransom by a specific date, document recuperation is as yet conceivable in light of the fact that the key is hardcoded in the malware.

Specialists from Huorong examining this ransomware string have found a name, a cell phone number, a QQ account, and an email address that could enable police to identify and catch the thief.

This most recent ransomware campaign anyway is additionally not the first occasion when those Chinese-based ransomware creators have utilized WeChat as a ransom payment dealing strategy. The ones who committed this deadly error in the past have been captured by the officials within months.

The Chinese police, in general, have a decent reputation of capturing the hackers within weeks or months after a specific malware crusade stands out as truly newsworthy.