Kaspersky Uncloaks Cyber Espionage Campaign by China’s TA428 Since Jan 2022

Kaspersky didn’t name any of the victim organizations but said they were industrial plants, design bureaus, research institutes, government agencies, ministries, and departments.

August 10, 2022

Researchers at Kaspersky have uncovered a cyber espionage campaign targeting the military-industrial complex in Eastern Europe and Afghanistan. According to reports, the effort is being carried out by China’s TA428, a state-sponsored threat organization.

Kaspersky researchers said the cyberattack campaign was first seen in January 2022 and has since permeated a dozen organizations in Belarus, Russia, Ukraine, and Afghanistan. The cybersecurity company didn’t name any of these organizations but said they were industrial plants, design bureaus, research institutes, government agencies, ministries, and departments.

As is the case with over one in three cyberattacks, TA428 used phishing as the initial attack vector to infiltrate its targets. The threat actor deployed carefully crafted phishing emails using information only employees could have been privy to.

Kaspersky believes this information could have been obtained through previous attacks on the same organizations or others associated with them. The attackers did their homework before spying on one of the country’s most sensitive sectors.

Attached to the phishing email is a malicious Microsoft Word file (who’s surprised?) designed to exploit CVE-2017-11882, a 17-year-old memory corruption vulnerability in Microsoft Office (Equation Editor) and Office 365. It allows remote code execution as soon as the infected document is opened.

“An analysis of document metadata has shown that, with a high degree of likelihood, the attackers stole the document (while it was still legitimate) from another military-industrial complex enterprise, after which they modified it using a weaponizer, a program designed to inject malicious code into documents.”

TA428 Initial Infection Chain | Source: Kaspersky

The attack is distinctive because, unlike other MS Office-based infections, this one doesn’t require macros to be enabled on the target system.
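The infection step described above runs inside Office’s Equation Editor rather than through macros, which is why Kaspersky notes no macro setting is needed. As an added detection example (not code from the article or from Kaspersky), the following scans constructed process-creation events for an Office application spawning the Equation Editor process (EQNEDT32.EXE) and for that process in turn launching a shell or built-in downloader; event format, process paths and PIDs are constructed for illustration.

```python
"""Added example: flag CVE-2017-11882-style exploitation in process logs.
Event format and sample values are constructed; the process names are the
real Office, Equation Editor and Windows binaries involved."""
import json

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQNEDT = "eqnedt32.exe"
# LOLBins commonly launched by the exploit's shellcode to fetch a payload.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe",
                       "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed JSON-lines events, roughly modelled on Sysmon process creation.
SAMPLE_EVENTS = [
    r'{"pid": 4012, "image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}',
    r'{"pid": 4020, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"}',
    r'{"pid": 4031, "image": "C:\\Windows\\splwow64.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}',
    r'{"pid": 4044, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe"}',
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a verdict label for one event, or None when nothing stands out.

    Office -> EQNEDT32 alone is lower confidence (an unpatched install also
    starts it for legitimate equation objects); EQNEDT32 -> shell/downloader
    is high confidence, since the Equation Editor never needs to do that."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    if parent in OFFICE_PARENTS and image == EQNEDT:
        return "office-spawned-equation-editor"
    if parent == EQNEDT and image in SUSPICIOUS_CHILDREN:
        return "equation-editor-spawned-loader"
    if parent == EQNEDT:
        return "equation-editor-child"
    return None


def scan(lines):
    """Parse JSON-lines events and return (pid, verdict) for each hit."""
    hits = []
    for line in lines:
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            hits.append((event["pid"], verdict))
    return hits


if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {verdict}")
```

Any appearance of EQNEDT32.EXE on a host that should carry the January 2018 Office update is itself worth a ticket, since that update removed the component.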

Once the infected Word file containing research and development-related content is opened, the malicious code drops an updated version of the PortDoor malware. PortDoor sets up as a Microsoft Word add-in that enables the remote attacker to gain control of the system.

The malware is one of the six backdoors in the attack chain. It collects general information about the target (computer name, IP addresses, etc.) and sends it to the malware’s command-and-control (C2) server.

Four of the other five, namely nccTrojan, Logtu, Cotx, and DNSep, have previously been used by TA428; Kaspersky said CotSam is a new one.

“The attackers used six different backdoors at the same time – probably to set up redundant communication channels with infected systems in case one of the malicious programs was detected and removed by a security solution. The backdoors used provide extensive functionality for controlling infected systems and collecting confidential data.”

What follows is lateral movement: network scanning, vulnerability search and exploitation, password attacks, and other functions of the Ladon hacking utility are used to spread the infection through the victim network. This includes taking over the domain controller and gaining complete control of the organization’s workstations and servers.

Once the infection spreads to a significant portion of the victim organization’s IT infrastructure with domain administrator privileges, TA428 searches for sensitive documents and manually selects files to be exfiltrated from the compromised network.

Files are compressed and encrypted into password-protected ZIP archives, sent to a stage-one C2 server (these are positioned in various locations worldwide), and then forwarded to a stage-two C2 server in China.

Data Exfiltration in TA428’s Cyber Espionage Campaign | Source: Kaspersky

Chinese state-sponsored advanced persistent threat groups are known to conduct cyber espionage against Western organizations, the most recent example being Operation CuckooBees by the Winnti APT group.

Operation CuckooBees had remained undetected since it began in 2019. It involved stealing proprietary information, trade secrets, R&D documents, source code, blueprints for various technologies, and more.

“The attack series that we have discovered is not the first in the campaign, and, given that the attackers achieve a certain degree of success, we believe it is highly likely that they will continue to conduct similar attacks in the future. Industrial enterprises and public institutions should take extensive measures to repel such attacks successfully,” Kaspersky concluded.

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
