Search This Blog

Showing posts with label Chinese Hackers. Show all posts

The US has linked major cyber attacks against Russia with Chinese hackers

 Solar JSOC spoke about a series of cyber attacks on Russian government systems in 2020. According to the American Company Sentinel Labs, the ThunderCats group, which is associated with China, is behind the attacks

Sentinel Labs, an American cybersecurity company, said that China is involved in a series of targeted hacker attacks on Russian government systems in 2020.

The report was prepared on the basis of a study by Rostelecom-Solar JSOC (a subsidiary of Rostelecom responsible for cybersecurity), conducted jointly with the National Coordination Center for Computer Incidents (NCCCI, established by the FSB). It said that in the past year, attackers attacked the federal executive authorities (FOIV) several times, using phishing and vulnerability of web applications published on the Internet, as well as hacking the infrastructure of contractors.

According to Rostelecom-Solar and the NCCCI, hackers developed malicious software called Mail-O, which used the cloud storages of Yandex and Mail.ru Group to download the collected data. Attackers disguised network activity under the legitimate Yandex Disk and Disk-O utilities. Experts said that they acted in the interests of a foreign state, but did not specify which one.

Analysts at Sentinel Labs studied how Mail-O works, as described by Russian experts, and concluded that ThunderCats hackers (part of the larger hacker group TA428, which is associated with China) were behind the attacks. They suggested that Mail-O is a variant of the more well-known malware PhantomNet or SManager. It was used by attackers from TA428 during cyber attacks on resources in Southeast Asia, including Vietnam.

According to Anastasia Tikhonova, head of the sophisticated cyber threat research department of the Threat Intelligence department of Group-IB, Russian organizations are regularly attacked by pro-government groups from different countries, "including China." It should be noted that the largest number of active pro-government groups (23) are concentrated in China.

In early May, E Hacking News reported that Chinese hackers attacked the Rubin Central Design Bureau for Marine Engineering (СKB Rubin), which designs submarines for the Russian Navy, by sending images of a submarine with malicious code to its CEO. 


China-Based Hackers Luring Indians into Fake Tata Motors Scam

 

On Thursday, cyber-security researchers in India announced the discovery of a malicious free present marketing campaign managed by China-based hackers to gather personal user data. The marketing campaign is pretending to be an offer from Tata Motors, the biggest automobile manufacturing company in India, reports IANS.

The analysis workforce at New Delhi-based CyberPeace Foundation received some malicious links via WhatsApp, related to a free gift offer from Tata Motors, accumulating personal information about customers together with their browser and system information. 

“The campaign is pretended to be an offer from Tata Motors but hosted on the third-party domain instead of the official website of Tata Motors which makes it more suspicious,” the research team stated.

This malicious campaign being operated on a fake website is titled “Tata Motors Cars, Celebrates sales exceeding 30 million”. On the landing page, a congratulations message is displayed with an attractive photo of a Tata Safari car. Users are asked to participate in a quick survey to get a free TATA Safari vehicle. 

“Also, at the bottom of this page, a section comes up which seems to be a Facebook comment section where many users have commented about how the offer is beneficial,” the researchers revealed.

After clicking the OK button, users are given three chances to win the prize. After finishing all the attempts, it says that the user has won “TATA SAFARI”.

“Congratulations! You did it! You won the TATA SAFARI!” Clicking on the ‘OK’ button, it then instructs users to share the campaign with friends on WhatsApp. The user doesn’t actually end up winning the car, the page simply keeps redirecting the user to multiple advertisements webpages. The Foundation recommended that people avoid opening such messages sent via social platforms.

According to the researchers, hackers are using Cloudflare technologies to hide the real IP addresses of the front-end domain names used in the free gifts from Tata Motors campaign. The CyberPeace Foundation, a think tank and non-governmental organization of experts in the field of cybersecurity and policy, has collaborated with Autobot Infosec Private Limited to investigate this realization that these sites are online fraud.

Myanmar President’s Office Hacked for the Second Time

 

A cyber-espionage hacking gang is suspected of breaking into the Myanmar president's office website and injecting a backdoor trojan into a customized Myanmar font package accessible for download on the home page. ESET, a Slovak security firm, discovered the attack on Wednesday, June 02, 2021. 

The software employed in the attack resembles malware strains used in previous spear-phishing efforts intended at Myanmar targets by a Chinese state-sponsored hacker outfit known as Mustang Panda, RedEcho, or Bronze President, according to researchers. 

Mustang Panda is mostly focused on non-governmental organizations (NGOs). It employs Mongolian language decoys and themes, as well as shared malware such as Poison Ivy and PlugX, to attack its targets. Their attack chain looks something like this: 

• A malicious link is disguised using the goo.gl link shortening tool and sent to a Google Drive folder.

• When you click on the Google Drive link, you'll be taken to a zip file that contains a.Ink file disguised as a.pdf file. 

• The user is redirected to a Windows Scripting Component (.wsc) file when they open the file. This file can be found on a malicious microblogging website.
 
• A VBScript and a PowerShell script from the Twitter page are included in the.Ink file to get the fake PDF file. 
 
• A Cobalt Strike (https://know.netenrich.com/threatintel/malware/Cobalt % 20Strike) payload is created by the PowerShell script. 

• The threat actor can operate the system remotely using Cobalt Strike's connection to the command-and-control IP address. 

Mustang Panda has a history of carefully constructed email-based attacks; for this operation, the gang appears to have modified a Myanmar Unicode font package available for download on the Myanmar presidency's website. “In the archive, attackers added a Cobalt Strike loader [named] Acrobat.dll, that loads a Cobalt Strike shellcode,” the ESET team wrote in a Twitter thread. 

This loader, according to researchers, pings a command and control (C&C) server at 95.217.1[.]81. The loader resembled other malware copies that had previously been transmitted as file attachments in spear-phishing efforts directed at Myanmar targets.

The archives show signs of an advanced and stealthy cyber-espionage operation hidden in files named “NUG Meeting Report.zip,” “Proposed Talking Points for ASEAN-Japan Summit.rar,” “MMRS Geneva,” “2021-03-11.lnk,” and “MOHS-3-covid.rar,” even if ESET said it has yet to officially confirm Mustang Panda's involvement beyond a doubt.

This is the second time the Myanmar president's office has been hacked in order to launch a watering hole attack. The first incident occurred between November 2014 and May 2015, when the site was used to disseminate a version of the EvilGrab malware by another alleged Chinese cyber-espionage group.

Chinese hackers attacked a Russian developer of military submarines

Chinese hackers reportedly attacked the Rubin Central Design Bureau for Marine Engineering (СKB Rubin), which designs submarines for the Russian Navy, by sending images of a submarine with malicious code to its CEO. Experts believe the hackers are acting in the interests of the Chinese government.

According to cybersecurity company Cybereason, in April, Chinese hackers attacked the Russian CKB Rubin. The attack began with a fake letter that the hackers sent to the general director of CKB Rubin allegedly on behalf of the JCS “Concern “Sea Underwater Weapon – Gidropribor”, the State Research Centre of the Russian Federation.

The letter contained a malicious attachment in a file with images of an autonomous unmanned underwater vehicle. "It is very likely that hackers attacked Gidropribor or some other institution before that," the author of the Telegram channel Secator believes.

The RoyalRoad malware attachment used in the CKB Rubin attack is one of the tools that guarantees delivery of malicious code to the end system, which is most often used by groups of Asian origin, said Igor Zalewski, head of the Solar JSOC CERT Cyber Incident Investigation Department at Rostelecom-Solar.

Cybereason pointed out that the attack on CKB Rubin has similarities to the work of Tonto and TA428 groups. Both have been previously seen in attacks on Russian organizations associated with science and defense.

It is worth noting that the CKB Rubin traces its history back to 1901. More than 85% of the submarines which were part of the Soviet and Russian Navy at various times were built according to its designs.

According to Igor Zalevsky, the main Rubin's customer is the Ministry of Defense, CKB Rubin deals with critically important and unique information related to the military-industrial complex of the Russian Federation which explains the interest of cyber-criminals.

Experts believe that such attacks will gain momentum because specialized cyber centers are being created due to aggravation of information confrontation between states.

Information security expert Denis Batrankov noted that designers are attacked for the sake of industrial espionage mainly by special services of other states. "The problem is that we all use software, which has many hacking methods that are not yet known. Intelligence agencies are buying new vulnerabilities from the black market for millions of dollars,” added he.


Chinese APT Actors Attack Russian Defense In An Espionage Attack

An earlier anonymous backdoor malware, called PortDoor, is probably being used by Chinese APT (advanced persistent threat) hackers to attack Russian defense system, according to reports. Cybersecurity firm 'Cybereason Nocturnus' looked into hackers specifically targeting Rubin Design Bureau, an organization that builds submarines for Russian Navy Federation. The main target was director general named Igor Vladimirovich, who received a phishing mail, say experts. The attack started with "Royalroad weoponizer" aka RTF exploit builder/8.t Dropper, which, according to cybersecurity experts, is a tool used by Chinese APT's to orchestrate their attacks, like Tick, Tonto Team and TA428. 


RoyalRoad makes weaponized RTF documents that attack vulnerabilities CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802) in Equation Editor of Microsoft. RoyalRoad's use in the attack is the reason why the victim suspects Chinese hackers to be behind the attack. Cybereason analysis said, "the accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests." 

A Subtle Spying Malware 

Experts found the malware stealing unique PortDoor sample when the corrupt RTF file is opened, which is built cautiously to stealth. It has various functions that include spying, target profiling, delivering additional payloads, process manipulation, privilege escalation, AES- encrypted data exfiltration, static detection antivirus evasion, one-byte XOR encryption and much more. If deployed, backdoor decodes strings with the help of hard-coded 0xfe XOR key in order to get configuration info. It includes C2C server address, target locator, and other trivial information. 

Cybersecurity report said, "the backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports." "Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,” researchers concluded. “We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete."

Thousands of U.S. Organizations Attacked in a Chinese Cyber-Espionage Campaign

 

Microsoft Exchange servers have become the latest victim of Chinese-sponsored cyber-attack. Chinese hackers targeted the Microsoft Exchange Servers earlier this week exploiting the zero-day vulnerabilities. The vulnerabilities in servers allowed the hackers to target thousands of organizations around the globe.

According to the security experts, the group known as ‘Hafnium’ is responsible for targeting Microsoft’s Exchange servers and exploiting more than tens of thousands of email servers. As per a computer security expert, more than 30,000 US organizations, and hundreds of thousands worldwide have been targeted in recent days by an unusually aggressive Chinese cyber-espionage campaign.

Hafnium has targeted several US-based companies in the past including law firms, universities, infectious disease researchers, defense contractors, think tanks, and NGOs.

Brian Kerbs, independent cybersecurity first reported the 30,000 figure on Friday and posted a note on his website reading, this cyber-espionage campaign has exploited recently discovered flaws in Microsoft Exchange servers, stealing email, and corrupting computer servers with tools that allowed threat actors to take control remotely. He reported that insiders said threat actors have ‘seized control’ of thousands of computer systems around the globe using password-protected software tools.

White House spokeswoman Jennifer Psaki stated in a press conference - “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this. Network owners also need to consider whether they have already been compromised and should take appropriate steps.” 

Microsoft Executive Tom Burt said the company had released updates to patch the security vulnerabilities, which apply to on-premises versions of the software rather than cloud-based versions, and requested customers to apply them and also highlighted that threat actors belonged to China but operated through leased virtual private servers in the United States. 

“We know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems”, he wrote in his blog post.

AIVD says they face cyber attacks from Russia and China every day

According to the head of the country's General Intelligence and Security Service, these hackers break into the computers of companies and educational institutions

The head of the General Intelligence and Security Service of the Netherlands (AIVD), Erik Akerboom, said that the country's special services allegedly "every day" catch hackers from China and Russia, who, according to him, break into the computers of companies and educational institutions. At the same time, the head of the AIVD did not provide any evidence.

"Every day we catch hackers from both China and Russia hacking into the computers of companies and educational institutions," the head of AIVD said in an interview with Vu Magazine.

According to Akerboom, the target of these hackers is vital infrastructure, such as drinking water, banks, telecommunications, and energy networks." However, he did not give an example of any specific cyberattack.

In 2018, the Ministry of Defense of the Netherlands said that the country's special services prevented a hacker attack on the Organization for the Prohibition of Chemical Weapons (OPCW), which four Russian citizens allegedly tried to carry out. According to the head of department Ankh Beyleveld, the suspects with diplomatic passports were expelled from the Netherlands on April 13. The Russian Foreign Ministry called such accusations "another staged propaganda" action and said that the unleashed "anti-Russian espionage campaign" causes serious harm to bilateral relations.

Besides, in December 2020, the Netherlands was accused of the espionage of two Russian diplomats, calling them employees of the Foreign Intelligence Service undercover. The Russians were declared persona non grata. In response, Moscow sent two employees of the Dutch Embassy from Russia. The accusations of activities incompatible with the diplomatic status of the Russians were called "unfounded and defamatory".

Recall that recently Washington accused Moscow of large-scale cyber attacks, which were allegedly carried out in order to get intelligence data. The representative of the Russian Ministry of Foreign Affairs, Maria Zakharova, said in response that such statements by the United States about hacker attacks allegedly by Russia have already become routine.

Chinese Hackers Cloned Exploit Tool Belonging to NSA

 

A Chinese hacking group allegedly "cloned" and deployed a zero-day exploit created by the U.S. National Security Agency's Equation Group before Microsoft fixed the Windows vulnerability that was being misused in 2017, as indicated by an analysis published on Monday by Check Point Research. For quite a long while, researchers had presumed the Chinese hacking group known as APT31 or Zirconium had built up an exploit tool to take advantage of a vulnerability tracked as CVE-2017-0005 and found in more seasoned renditions of Windows, like Windows 7 and Windows 8, as indicated by the report. 

The report brings up additional questions about how some of the NSA's most valued cyberweapons have been found or stolen by nation-state hacking groups and then turned on their developers over the years. In May 2019, Symantec published a similar report that found another group of hackers had taken and exploited cyber tools developed by the NSA. Both the Symantec and Check Point research show that the burglary of NSA Equation Group devices by these groups seems to have occurred before the hacking group known as the Shadow Brokers first began publishing the agency's exploits in 2016. 

Security research previously noted that a zero-day exploit was created for CVE-2017-0005, called "Jian," in 2014 and initially deployed it in 2015. The exploit was utilized for a very long time before Microsoft at last issued a patch for it in 2017. Whenever exploited, this bug could permit an attacker to escalate privileges inside an undermined device and afterward acquire full control, the researchers note. Microsoft published its fix for CVE-2017-0005 in March 2017, when the company was forced to issue multiple fixes for the exploits related to the Shadow Brokers "Lost in Translation" leak, Check Point notes. 

A further investigation by Check Point found that Jian was not an original creation, but rather a clone of a zero-day exploit for more seasoned renditions of Windows created by the NSA Equation Group in 2013 and initially called "EpMe" by the agency, as per the new report. 

 In another case documented by Symantec in 2019, APT3 "Buckeye" was connected to assaults utilizing Equation Group tools in 2016, before the Shadow Brokers leak.

New Self-Spreading Golang Worm Dropping XMRig Miner on Servers

 

Security researchers at Intezer have found a new self-spreading worm written in GoLang. The malware variant has been actively targeting both Windows and Linux servers, predominantly since December 2020. Researchers noted that the worm developed by China-based hackers attempts to mine Monero, an open-source cryptocurrency launched in 2014 which gained immense popularity and wide acceptance for its privacy-oriented features.
 
GoLang's rich library ecosystem makes it a top preference for malware developers, who can infiltrate the systems without being detected while working with GoLang's smooth malware creation process. The language makes it easier for hackers to bypass security as the malware written in GoLang is large-sized and scanning large files is beyond the capabilities of most of the antivirus software.

The 'GoLang' malware that has been dropping XMRig cryptocurrency miners on Windows and Linux servers, has worm-like capabilities that let it propagate itself to other systems through brute-forcing. 

The worm attacks application servers, non-HTTP services, and web application frameworks; it has targeted public-facing services rather than "the end-users". MySQL, Tomcat admin panel, and Jenkins are some of its latest victims. Besides, these public-facing services with weak passwords, the malware operators have also tried to compromise Oracle WebLogic Server by exploiting its remote code execution vulnerability – CVE-2020-14882, in an older variant.

Attack Execution 

The worm on the Command and Control (C&C) server was periodically updated by the operators, signifying the current "active" status of the malware. Once the target is being successfully compromised, the attack proceeds with deploying the loader script, a Golang binary worm, and an XMRig Miner – three files hosted on the aforesaid C&C server.

While giving insights into the matter, Chad Anderson, Senior Security Researcher at DomainTools said, “While it’s certainly alarming that there were no detections for this worm’s initial sample, that’s not surprising as Golang malware analysis tooling has still been playing a bit of catch up in the automation space,” 
 
“We would expect that with the rise in cryptocurrency prices over the last few weeks that actors looking to cash in for a few extra dollars would cause a surge in mining malware,” he further added. 
 
“The fact that the worm’s code is nearly identical for both its PE and ELF malware—and the ELF malware going undetected in VirusTotal—demonstrates that Linux threats are still flying under the radar for most security and detection platforms,” the report by Intezer read.

Spear-Phishing Campaigns Targeting Tibet and Taiwan

 

Tibetan community is being targeted by a Spear-phishing campaign; it is suspected that malicious actors behind these operations are the ones formerly involved in campaigns attacking Taiwanese legislators as discovered in May 2020 during an investigation. Reportedly, the group is employing a novel malware variant called MESSAGEMANIFOLD, similar to the one employed in the abovementioned campaigns, further solidifying the links discovered between both the campaigns. 

Several other overlaps have also been noted between both the activities, including the application of the same email themes and identical hosting provider. Furthermore,  both the campaigns made use of Google Drive links for downloading the malware. 

The campaigners are attacking strategic targets that somehow align with the Chinese Government’s affairs. The threat actors used spear-phishing emails with the theme ‘conference invitations’, which included a direct download Google Drive link. According to the researchers two Google Drive links were there, with the name “dalailama-Invitations [.]exe” file. 

About the Attacks

The dropped files (HTTP POST) were being used for the requests to communicate with the control and command server which uses a fixed URL pattern, and for the next stage, malware needs a specific response. Those domains were being used in both campaigns were organized on AS 42159 (Zemlyaniy Dmitro Leonidovich) and AS 42331 (PE Freehost). 

Recent cyberattacks on Taiwanese and Tibetan entities don't come as a surprise, it has been observed that Beijing-based malicious actors actively attack these states in accordance with their state interests. A recent study at IBM disclosed that an email phishing scheme attacking Germany and Italy based COVID-19 vaccine supply chains. Other targets included the Czech Republic and South Korea amid a few more. 

Given the highly customized nature of the attacks against particular targets chosen strategically, the activity could possibly be aligned with Chinese nation-backed attackers; however, as of now, the campaigns could not be affiliated to a recognized cyber threat group. Therefore, experts have recommended employing a trustworthy anti-malware solution. Users are also advised to avoid opening attachments from anonymous sources. 

Chinese State-Sponsored Hackers Exploiting Zerologon Vulnerability

 

Chinese state-sponsored threat actors have been observed exploiting the Zerologon vulnerability in a global campaign targeting businesses from multiple industries in Japan and 17 other regions across the world including the United States and Europe. The attacked industries include engineering, automotive, managed service providers, and pharmaceutical. 

According to the information gathered by Symantec’s Broadcom division, these attacks have been attributed to the Cicada group also known as APT10, Cloud Hopper, or Stone Panda. 
 
The attackers are known for their sophistication, in certain cases, they were recorded to have hidden their suspicious acts effectively and remained undetected while operating for around a complete year. Previously, the state-backed actors have stolen data from militaries, businesses, and intelligence, and seemingly, Japanese subsidiaries are their newly found target. 
 
The links between the attacks and Cicada have been drawn based on the similar obfuscation methods and shellcode on loader DLLs to deliver malicious payloads, being used as noticed in the past along with various other similarities like living-off-the-land tools, backdoor QuasarRAT final payloads commonly employed by the hacking group. 
 
"The initial Cloud Analytics alert allowed our threat hunting team to identify further victims of this activity, build a more complete picture of this campaign, and attribute this activity to Cicada," Symantec said in their report. 
 
"The companies hit are, in the main, large, well-known organizations, many of which have links to Japan or Japanese companies, which is one of the main factors tying the victims together," the report further read. 
 
In September, Iranian-sponsored hacking group MuddyWater (MERCURY and SeedWorm) was seen to be actively exploiting Zerologon vulnerability. Another hacking group that exploited Zerologon was the financially-motivated TA505 threat group, also known as Chimborazo.
 
"The affected companies are from manufacturing, construction, and government-related industries, with top victims having around $143 billion, $33 billion and $2 billion yearly revenue," as per a report published by KELA, an Israel based Cybersecurity organization. 

"[M]ore and more threat actors, Advanced APT group and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks," KELA further added.

Microsoft Confirms Cyber-Attacks on Biden and Trump Campaigns

Microsoft reports breaching of email accounts belonging to individuals associated with the Biden and Trump election campaigns by Chinese, Iranian, and Russian state-sponsored hackers. 

Tom Burt, Corporate VP for Customer Security and Trust at Microsoft, revealed the occurrences in a detailed blog post after Reuters announced about a portion of the Russian attacks against the Biden camp. 

"Most of these assaults" were recognized and blocked, which is what he added later and revealed in the blog post with respect to the additional attacks and furthermore affirmed a DNI report from August that asserted that Chinese and Iranian hackers were likewise focusing on the US election process.

 As indicated by Microsoft, the attacks conducted by Russian hackers were connected back to a group that the organization has been tracking under the name of Strontium and the cybersecurity industry as APT28 or Fancy Bear. 

 While Strontium generally carried out the spear-phishing email attacks, as of late, the group has been utilizing 'brute-force' and password spraying techniques as an integral technique to breaching accounts. 

Then again, the attacks by Iranian hackers originated from a group tracked as Phosphorous (APT35, Charming Kitten, and the Ajax Security Group). 

These attacks are a continuation of a campaign that began a year ago, and which Microsoft recognized and cautioned about in October 2019. At that point, Microsoft cautioned that the hackers focused on "a 2020 US presidential campaign" yet didn't name which one. 

Through some open-source detective work, a few individuals from the security community later linked the attacks to the Trump campaign. 

What's more, only a couple of days back Microsoft affirmed that the attacks are indeed focused on the Trump campaign, yet in addition unveiled a new activity identified with the said group. The attacks were likewise identified by Chinese groups. 

While presently there are several hacking groups that are assumed to work under orders and the security of the Chinese government, Microsoft said that the attacks focusing on US campaigns originated from a group known as Zirconium (APT31), which is a similar group that Google spotted not long ago, in June. 

Microsoft says it detected thousands of attacks coordinated by this group between March 2020 and September 2020, with the hackers accessing almost some 150 accounts during that time period.


Chinese hackers targeted about five Russian developers of banking software

Chinese hacker group Winnti attacked at least five Russian developers of banking software, as well as a construction company. According to Positive Technologies, the names of banks and developers are not disclosed.

Positive Technologies noted that the implantation of special malicious code by hackers at the development stage potentially allows them to get access to Bank data. After the code is implemented onto the infected machine, a full-fledged backdoor is loaded to investigate the network and steal the necessary data.

Andrey Arsentiev, head of analytics and special projects at InfoWatch, explained that previously Winnti hacked industrial and high-tech companies from Taiwan and Europe through attacks on the software supply chain, but now, apparently, it has decided to switch to Russian companies.

According to him, there is a rather complex software supply chain in the financial sector, so Winnti may be interested not only in obtaining direct financial benefits but also in corporate espionage. As for the construction industry, Chinese hackers may be aimed at obtaining trade secrets, which in turn may be related to the plans of Chinese companies to expand into the Russian market. Mr. Arsentiev came to the conclusion that, in this way, hacker attacks would allow studying the strategy of potential competitors

Nikolay Murashov, deputy director of the National Coordination Center for Computer Incidents, said that organizations involved in software development and system integration accounted for about a third of all targeted attacks in the Russian Federation in recent years.

According to Mikhail Kondrashin, technical director of Trend Micro, attacks specifically on software developers for banks open up endless opportunities for subsequent attacks. The appearance of such attacks actually changes the rules of information security in the field of development: it is no longer just about developing secure code, but rather protecting the infrastructure itself.

A Rise in New Cyberspying by a Suspected Chinese Group Detected By a U.S Cybersecurity Firm


A surge in new cyberspying by a speculated Chinese group that dates as far back as to late January was recently being observed by a U.S. cybersecurity firm. 

Happening around the time when the worldwide pandemic COVID-19 began to spread outside the borders of the Chinese, a publicly-traded cybersecurity company, FireEye Inc. (FEYE.O) said in a report that it had detected a spike in movement from a hacking group it calls "APT41" that began on Jan. 20 and focused on more than 75 of its customers, from manufacturers and media companies to medicinal and healthcare services associations and non-profits. 

The report stated that it was “one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.”

In its report, FireEye said that APT41 abused the recently revealed defects and flaws in the software created by Cisco (CSCO.O), Citrix (CTXS.O) and others to attempt to break into scores of companies' networks in the US, Canada, Britain, Mexico, Saudi Arabia, Singapore and in excess of a dozen other nations. 

Despite the fact that it declined to identify the affected customers, the Chinese Foreign Ministry didn't directly address FireEye's charges yet said in a statement that China was “a victim of cybercrime and cyberattack.”

Matt Webster, an analyst with Secureworks – Dell Technologies' (DELL.N) cybersecurity arm – said in an email that his group had likewise observed proof of the said increased movement from Chinese hacking groups over the last few weeks. 

Specifically, he said his group had recently spotted new digital infrastructure related to APT41 – which Secureworks calls “Bronze Atlas." 

Even though relating hacking campaigns to a particular nation or entity is mostly loaded with ‘uncertainty’, however, FireEye said it had evaluated "with moderate confidence" that APT41 was made out of Chinese government contractors. 

John Hultquist, FireEye's head of analysis, said the said surge was astounding in light of the fact that hacking activity ascribed to China has commonly become increasingly focused and further added that “This broad action is a departure from that norm.”

Hackers Working For the Chinese Government Tracking Movements of Ethnic Uighurs




Hackers working for the Chinese government are said to have been tracking the movements of ethnic Uighurs, a mostly Muslim minority, which is viewed as a security threat by Beijing. The hacks are a part of a rather extensive cyber-espionage campaign focused on “high-value individuals” such as diplomats and foreign military personnel, the sources said.

As a part of the campaign, various groups of Chinese hackers have compromised telecoms operators in nations including Turkey, Kazakhstan, India, Thailand and Malaysia, the four sources said.

China is currently confronting growing international criticism over its treatment of Uighurs in Xinjiang , as the members from the group have been subject to mass confinements in what China calls  “vocational training”  centres as well as 'widespread state surveillance'.

The nation has more than once denied association in any cyber-attacks or any abuse of the Uighur people, whose religious and cultural rights Beijing says are completely ensured, and the Chinese Foreign Ministry said any hacking charges should be upheld by legitimate proof.

“We would again like to stress that China is a resolute safeguarder of internet security. We consistently and resolutely oppose and crack down on any forms of internet attacks,” a ministry statement said.

While government authorities in India and Thailand declined to remark in regards to the specific telecoms operators that were undermined, officials in Malaysia, Kazakhstan and Turkey refused to promptly react to the requests for comments.

Chinese Hackers Attacked Eight Major Technology Service Providers




Eight largest technology service providers were attacked by the hackers of China’s Ministry of State Security; they attempted to access sensitive commercial information and secrets from their clients across the world.

In December, last year, a vicious operation was outlined in formal charges filed in the U.S.; it was designed to illegally access the Western intellectual property with motives of furthering China’s economic interests.

According to the findings made by Reuters, the list of the compromised technology service providers include Tata Consultancy Services, Dimension Data, Hewlett Packard Enterprise, Computer Sciences Corporation, HPE’s spun-off services arm, IBM, DXC Technology, Fujitsu and NTT Data.

Furthermore, various clients of the service providers such as Ericsson also fall prey to the attack.
However, IBM previously stated that it lacks evidence on any secret commercial information being compromised by any of these attacks.

Referencing from the statements given by HPE, they worked diligently for their “customers to mitigate this attack and protect their information.” Meanwhile, DXC told that it had, “robust security measures in place” in order to keep their clients secure.

Commenting on the matter and denying the accusations and any sort of involvement in the attacks, the Chinese government said, “The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets,”

“While there have been attacks on our enterprise network, we have found no evidence in any of our extensive investigations that Ericsson’s infrastructure has ever been used as part of a successful attack on one of our customers,” a spokesperson of Ericsson told as the company said, it doesn’t comment on specific cybersecurity matters.



Chinese espionage campaign hit telecommunications firms around the world






Hackers have breached into the systems of more than a dozen global telecommunications companies and have to hold on a large amount of personal as well as corporate data, researchers from a cybersecurity company said on Tuesday.

Security researchers from a cybersecurity firm Cybereason, which is a collaboration of US-Israel, said that the attackers compromised companies in more than 30 countries. 

The main aim behind this espionage is to gather information about individuals who are working in government, law enforcement and politics. The group is linked to a Chinese cyber-espionage campaign.

The tools used by hackers were similar to other attacks which were carried out by Beijing, but the country denied of involvement in any kind of mischievous activity. 

Lior Div, chief executive of Cybereason. “For this level of sophistication, it’s not a criminal group. It is a government that has capabilities that can do this kind of attack,” he told Reuters.

Cybereason said in a blog post. “They built a perfect espionage environment. They could grab information as they please on the targets that they are interested in.”



“We managed to find not just one piece of software, we managed to find more than five different tools that this specific group used,” Div said.

Australian Universities' Servers hacked, data back from 19 Years stolen






The Australian National University (ANU) confirmed on Tuesday hackers breached their cyber defense system in order to access sensitive data, including students bank and passport details going back 19 years. 

The university said they discovered the breach two weeks ago only, and it was carried out by some ‘’sophisticated operator.”

Last year in July, they thwarted an attempt to hack their network system. According to media reports at that time, the bid originated in China. 

“National community agencies are recruiting directly out of ANU,” said Fergus Hanson, head of the International Cyber Policy Centre at think-tank the Australian Strategic Policy Institute. “To have information around particular people who are working in different departments... that would be very useful.” 

Australia’s cyber intelligence agency said they are still investigating who was behind the attack.

“It does appear to be the work of a sophisticated actor,” a representative of the Australian Signals Directorate said in an emailed statement. “It is too early to speculate about connections to other compromises.”

However, China has always denied its involvement in any kind of hacking attacks and its embassy in Australia did not respond to a request from Reuters for comment.


Chinese hackers attacked Russian companies and government agencies for 9 years



Russian Security Companies Positive Technologies and Kaspersky Lab discovered a cyber group which for several years stole data from more than 20 Russian companies and government agencies. The expert said that such groups are usually engaged in political intelligence or industrial espionage.

The hacker group has been working for at least 9 years. The names of the companies attacked by hackers were not disclosed. But it is specified that 24 Russian important organizations were attacked.

According to Positive Technologies, the attackers used Chinese developers to create their tools and used during the attacks Chinese IP addresses. Moreover, the keys for some versions of malicious programs are found on specialized forums where people from China communicate.

Positive Technologies gave the name TaskMasters to the hacker group because it created specific tasks in the task scheduler that allows hackers to execute commands of the operating system and run software at a certain point in time. After penetration into local networks of the enterprises, leaks of information were used for espionage.

Kaspersky Labs said they have been tracking the activity of this group since 2016, and they call it BlueTraveler. According to experts, hackers attack more often government agencies, mainly from Russia and the CIS. In addition, they confirm that the attackers speak Chinese and the methods used by Asian attackers is popular for political intelligence or industrial espionage.

An interesting fact is that the attacks of Asian hackers for years remained unnoticed by antivirus or information security services. Hackers downloaded without trace gigabytes of information, files, documents and drawings to their servers.

Known hackers of financial institutions prefer the method using the task scheduler. Namely, the Russian-speaking groups Cobalt and MoneyTaker use this method.

It is worth noting that at the end of 2018, cybersecurity experts reported that the financial sector of Russia for the year lost at least 3 billion rubles from cyber attacks.

A Hacker Group, 'Barium' on a Supply Chain Hijacking Spree



One of the most fatal forms of hacking is a software supply chain attack as it involves illicitly accessing a developer's network and placing the malicious code into the software updates and applications that users consider and trust the most.

In a single attempt, supply chain hackers can potentially place their ransomware onto thousands or millions of computer systems, they can do so without even a single trace of malicious activity. With time, this trick has gained a lot of traction and has become more advanced and difficult to be identified. Supply chain attacks follow a similar pattern and have been used by the associated companies as their core tool.

Basically, supply chain attacks exploit various software dissemination channels and over the last three years, these attacks have been majorly linked to a group of Chinese hackers. Reportedly, they are popularly known as ShadowHammer, Barium, Wicked Panda and ShadowPad, the name varies along with the security firms.

The trick demonstrates the massive potential of ShadowHammer to destroy computer systems on a large scale along with exploiting vulnerabilities present in a fundamental model which governs the code employed by users on their systems, such destructive ability possessed by Barium is a matter of great concern for security researchers.

Referencing from the statements given by Vitaly Kamluk, the director of the Asia research team for security firm Kaspersky, "They're poisoning trusted mechanisms," "they’re the champions of this. With the number of companies they’ve breached, I don’t think any other groups are comparable to these guys."

"When they abuse this mechanism, they’re undermining trust in the core, foundational mechanisms for verifying the integrity of your system,"

"This is much more important and has a bigger impact than regular exploitation of security vulnerabilities or phishing or other types of attacks. People are going to stop trusting legitimate software updates and software vendors."

On being asked, Marc-Etienne Léveillé, a security researcher, said, "In terms of scale, this is now the group that is most proficient in supply chain attacks,"

"We’ve never seen anything like this before. It’s scay because they have control over a very large number of machines

"If [Barium] had deployed a ransomware worm like that through one of these attacks, it would be a far more devastating attack than NotPetya," said another expert on the matter.