The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Chinese Hackers

State-Backed Hackers Using Ransomware as a Decoy for Cyber Espionage Attacks

State-Backed Hackers Using Ransomware as a Decoy for Cyber Espionage Attacks

June 24, 2022Ravie Lakshmanan
A China-based advanced persistent threat (APT) group is possibly deploying short-lived ransomware families as a decoy to cover up the true operational and tactical objectives behind its campaigns. The activity cluster, attributed to a hacking group dubbed  Bronze Starlight  by Secureworks, involves the deployment of post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0. "The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the researchers  said  in a new report. "In each case, the ransomware targets a small number of victims over a relatively brief period of time before it ceases operations, apparently permanently." Bronze Starlight, active since mid-2021, is also tracked by Microsoft under the emerging threat cluster moniker DEV-0401, with the tech giant empha
Chinese Hackers Distributing SMS Bomber Tool with Malware Hidden Inside

Chinese Hackers Distributing SMS Bomber Tool with Malware Hidden Inside

June 23, 2022Ravie Lakshmanan
A threat cluster with ties to a hacking group called Tropic Trooper has been spotted using a previously undocumented malware coded in Nim language to strike targets as part of a newly discovered campaign. The novel loader, dubbed Nimbda, is "bundled with a Chinese language greyware 'SMS Bomber' tool that is most likely illegally distributed in the Chinese-speaking web," Israeli cybersecurity company Check Point  said  in a report. "Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes," the researchers said. "Therefore the entire bundle works as a trojanized binary." SMS Bomber, as the name indicates, allows a user to input a phone number (not their own) so as to flood the victim's device with messages and potentially render it unusable in what's a denial-of-service (DoS) attack. The fact that the binary doubles up as SMS Bomber and a backdoor suggests that t
Chinese Hackers Exploited Sophos Firewall Zero-Day Flaw to Target South Asian Entity

Chinese Hackers Exploited Sophos Firewall Zero-Day Flaw to Target South Asian Entity

June 17, 2022Ravie Lakshmanan
A sophisticated Chinese advanced persistent threat (APT) actor exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate an unnamed South Asian target as part of a highly-targeted attack. "The attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks against the customer's staff," Volexity  said  in a report. "These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites." The zero-day flaw in question is tracked as  CVE-2022-1040  (CVSS score: 9.8), and concerns an authentication bypass vulnerability that can be weaponized to execute arbitrary code remotely. It affects Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier. The cybersecurity firm, which issued a patch for the flaw on March 25, 2022, noted that it was abused to "target a small set of spec
Chinese Hackers Distribute Backdoored Web3 Wallets for iOS and Android Users

Chinese Hackers Distribute Backdoored Web3 Wallets for iOS and Android Users

June 13, 2022Ravie Lakshmanan
A technically sophisticated threat actor known as  SeaFlower  has been targeting Android and iOS users as part of an extensive campaign that mimics official cryptocurrency wallet websites intending to distribute backdoored apps that drain victims' funds. Said to be first discovered in March 2022, the cluster of activity "hint[s] to a strong relationship with a Chinese-speaking entity yet to be uncovered," based on the macOS usernames, source code comments in the backdoor code, and its abuse of Alibaba's Content Delivery Network (CDN). "As of today, the main current objective of SeaFlower is to modify Web3 wallets with backdoor code that ultimately exfiltrates the seed phrase," Confiant's Taha Karim  said  in a technical deep-dive of the campaign. Targeted apps include Android and iOS versions of Coinbase Wallet, MetaMask, TokenPocket, and imToken. SeaFlower's modus operandi involves setting up cloned websites that act as a conduit to download
Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks

Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks

June 13, 2022Ravie Lakshmanan
A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called  PingPull , the "difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol ( ICMP ) for command-and-control (C2) communications, according to new research published by Palo Alto Networks Unit 42 today. Gallium is notorious for its attacks primarily aimed at telecom companies dating as far back as 2012. Also tracked under the name  Soft Cell  by Cybereason, the state-sponsored actor has been  connected  to a broader set of attacks targeting five major telecom companies located in Southeast Asian countries since 2017. Over the past year, however, the group is said to have expanded its victimology footprint to include financial institutions and government entities located in Afghanistan, Australia, Belgium, Cam
A Decade-Long Chinese Espionage Campaign Targets Southeast Asia and Australia

A Decade-Long Chinese Espionage Campaign Targets Southeast Asia and Australia

June 09, 2022Ravie Lakshmanan
A previously undocumented Chinese-speaking advanced persistent threat (APT) actor dubbed  Aoqin Dragon  has been linked to a string of espionage-oriented attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013. "Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices," SentinelOne researcher Joey Chen  said  in a report shared with The Hacker News. "Other techniques the attacker has been observed using include DLL hijacking,  Themida-packed files , and DNS tunneling to evade post-compromise detection." The group is said to have some level of tactical association with another threat actor known as  Naikon  (aka Override Panda), with the campaigns primarily directed against targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Infections chains mounted by Aoqin Dragon have banked on Asia-Pacific political affairs and pornographi
U.S. Agencies Warn About Chinese Hackers Targeting Telecoms and Network Service Providers

U.S. Agencies Warn About Chinese Hackers Targeting Telecoms and Network Service Providers

June 08, 2022Ravie Lakshmanan
U.S. cybersecurity and intelligence agencies have  warned  about China-based state-sponsored cyber actors leveraging network vulnerabilities to exploit public and private sector organizations since at least 2020. The widespread intrusion campaigns aim to exploit publicly identified security flaws in network devices such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices with the goal of gaining deeper access to victim networks. In addition, the actors used these compromised devices as route command-and-control (C2) traffic to break into other targets at scale, the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI)  said  in a joint advisory. The perpetrators, besides shifting their tactics in response to public disclosures, are known to employ a mix of open-source and custom tools for reconnaissance and vulnerability scanning as well as to obscure and ble
Chinese "Twisted Panda" Hackers Caught Spying on Russian Defense Institutes

Chinese "Twisted Panda" Hackers Caught Spying on Russian Defense Institutes

May 22, 2022Ravie Lakshmanan
At least two research institutes located in Russia and a third likely target in Belarus have been at the receiving end of an espionage attack by a Chinese nation-state advanced persistent threat (APT). The attacks, codenamed " Twisted Panda ," come in the backdrop of Russia's military invasion of Ukraine, prompting a  wide range  of  threat actors  to swiftly adapt their campaigns on the ongoing conflict to distribute malware and stage opportunistic attacks. They have materialized in the form of social engineering schemes with topical war and sanctions-themed baits orchestrated to trick potential victims into clicking malicious links or opening weaponized documents. Israeli cybersecurity firm Check Point, which  disclosed  details of the latest intelligence-gathering operation, attributed it a Chinese threat actor, with connections to that of  Stone Panda  (aka  APT 10 , Cicada, or Potassium) and  Mustang Panda  (aka Bronze President, HoneyMyte, or RedDelta). Callin
Experts Uncover New Espionage Attacks by Chinese 'Mustang Panda' Hackers

Experts Uncover New Espionage Attacks by Chinese 'Mustang Panda' Hackers

May 06, 2022Ravie Lakshmanan
The China-based threat actor known as Mustang Panda has been observed refining and retooling its tactics and malware to strike entities located in Asia, the European Union, Russia, and the U.S. "Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos  said  in a new report detailing the group's evolving modus operandi. The group is known to have targeted a wide range of organizations since at least 2012, with the actor primarily relying on email-based social engineering to gain initial access to drop PlugX, a backdoor predominantly deployed for long-term access. Phishing messages attributed to the campaign contain malicious lures masquerading as official European Union reports on the ongoing conflict in Ukraine or Ukrainian government reports, both of which download malware onto compromised machines. Also observed are phishing messages tailored to ta
Ukraine War Themed Files Become the Lure of Choice for a Wide Range of Hackers

Ukraine War Themed Files Become the Lure of Choice for a Wide Range of Hackers

May 04, 2022Ravie Lakshmanan
A  growing number of threat actors  are using the ongoing Russo-Ukrainian war as a lure in various phishing and malware campaigns, even as critical infrastructure entities continue to be heavily targeted. "Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links," Google Threat Analysis Group's (TAG) Billy Leonard  said  in a report. "Financially motivated and criminal actors are also using current events as a means for targeting users," Leonard added. One notable threat actor is Curious Gorge, which TAG has attributed to China People's Liberation Army Strategic Support Force (PLA SSF) and has been observed striking government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. Attacks aimed at Russia have singled out several governmental entiti
Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector

Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector

May 02, 2022Ravie Lakshmanan
A Chinese-aligned cyberespionage group has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX. Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name "Moshen Dragon," with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka  RedFoxtrot ). "PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity," SentinelOne's Joey Chen  said . "Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products." ShadowPad , labeled a "masterpiece of privately sold malware in Chinese espionage," emerged as a successor to PlugX in 2015, even as variants of the latter have continually popped up as part of different campaigns associated with Chinese threat actors. Alth
Chinese "Override Panda" Hackers Resurface With New Espionage Attacks

Chinese "Override Panda" Hackers Resurface With New Espionage Attacks

May 02, 2022Ravie Lakshmanan
A Chinese state-sponsored espionage group known as Override Panda has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information. "The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25  said  in a report published last week. "The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country." Override Panda, also called  Naikon , Hellsing, and Bronze Geneva, is known to operate on behalf of Chinese interests since at least 2005 to conduct intelligence-gathering operations targeting  ASEAN countries . Attack chains unleashed by the threat actor have involved the use of decoy documents attached to spear-phishing emails that are designed to entice the intended victims to open and compromise themselves with malware
Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware

Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware

April 27, 2022Ravie Lakshmanan
A China-linked government-sponsored threat actor observed striking European diplomatic entities in March may have been targeting Russian government officials with an updated version of a remote access trojan called  PlugX . Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG. "The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations," the cybersecurity firm  said  in a report shared with The Hacker News. "This desire for situational awareness often extends to collecting intelligence from allies and 'friends.'" Bronze President, active since at least July 2018, has a history of conducting espionage operations by leveraging custom and publicly available tools to compromise, maintain long-term access,
Chinese Hacker Groups Continue to Target Indian Power Grid Assets

Chinese Hacker Groups Continue to Target Indian Power Grid Assets

April 08, 2022Ravie Lakshmanan
China-linked adversaries have been attributed to an ongoing onslaught against Indian power grid organizations, one year after a  concerted campaign  targeting critical infrastructure in the country came to light. Most of the intrusions involved a modular backdoor named  ShadowPad , according to Recorded Future's Insikt Group, a sophisticated remote access trojan which has been  dubbed  a "masterpiece of privately sold malware in Chinese espionage." "ShadowPad continues to be employed by an ever-increasing number of People's Liberation Army (PLA) and Ministry of State Security (MSS)-linked groups, with its origins linked to known MSS contractors first using the tool in their own operations and later likely acting as a digital quartermaster," the researchers  said . The goal of the sustained campaign, the cybersecurity company said, is to facilitate intelligence gathering pertaining to critical infrastructure systems in preparation for future contingency
Researchers Trace Widespread Espionage Attacks Back to Chinese 'Cicada' Hackers

Researchers Trace Widespread Espionage Attacks Back to Chinese 'Cicada' Hackers

April 05, 2022Ravie Lakshmanan
A Chinese state-backed advanced persistent threat (APT) group known for singling out Japanese entities has been attributed to a new long-running espionage campaign targeting new geographies, suggesting a "widening" of the threat actor's targeting. The widespread intrusions, which are believed to have commenced at the earliest in mid-2021 and continued as recently as February 2022, have been tied to a group tracked as Cicada , which is also known as APT10, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team. "Victims in this Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America," researchers from the Symantec Threat Hunter Team, part of Broadcom Software,  said  in a report shared with The Hacker News. "There is a strong focus on victims in the government and NGO sectors, with some of these organizations worki
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit

Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit

April 01, 2022Ravie Lakshmanan
A Chinese advanced persistent threat tracked as Deep Panda has been observed exploiting the  Log4Shell vulnerability  in VMware Horizon servers to deploy a backdoor and a novel rootkit on infected machines with the goal of stealing sensitive data. "The nature of targeting was opportunistic insofar that multiple infections in several countries and various sectors occurred on the same dates,"  said  Rotem Sde-Or and Eliran Voronovitch, researchers with Fortinet's FortiGuard Labs, in a report released this week. "The victims belong to the financial, academic, cosmetics, and travel industries." Deep Panda , also known by the monikers Shell Crew, KungFu Kittens, and Bronze Firestone, is said to have been active since at least 2010, with recent attacks "targeting legal firms for data exfiltration and technology providers for command-and-control infrastructure building,"  according  to Secureworks. Cybersecurity firm CrowdStrike, which assigned the panda
Another Chinese Hacking Group Spotted Targeting Ukraine Amid Russia Invasion

Another Chinese Hacking Group Spotted Targeting Ukraine Amid Russia Invasion

March 26, 2022Ravie Lakshmanan
A Chinese-speaking threat actor called Scarab has been linked to a custom backdoor dubbed HeaderTip as part of a campaign targeting Ukraine since Russia embarked on an invasion last month, making it the second China-based hacking group after  Mustang Panda  to capitalize on the conflict. "The malicious activity represents one of the first public examples of a Chinese threat actor targeting Ukraine since the invasion began," SentinelOne researcher Tom Hegel  said  in a report published this week. SentinelOne's analysis follows an advisory from Ukraine's Computer Emergency Response Team (CERT-UA) earlier this week  outlining  a spear-phishing campaign that leads to the delivery of a RAR archive file, which comes with an executable that's designed to open a decoy file while stealthily dropping a malicious DLL called HeaderTip in the background. Scarab was  first documented  by the Symantec Threat Hunter Team, part of Broadcom Software, in January 2015, when i
Chinese APT Hackers Targeting Betting Companies in Southeast Asia

Chinese APT Hackers Targeting Betting Companies in Southeast Asia

March 24, 2022Ravie Lakshmanan
A Chinese-speaking advanced persistent threat (APT) has been linked to a new campaign targeting gambling-related companies in South East Asia, particularly Taiwan, the Philippines, and Hong Kong. Cybersecurity firm Avast dubbed the campaign  Operation Dragon Castling , describing its malware arsenal as a "robust and modular toolset." The ultimate motives of the threat actor are not immediately discernible as yet nor has it been linked to a known hacking group. While multiple initial access avenues were employed during the course of the campaign, one of the attack vectors involved leveraging a previously unknown remote code execution flaw in the WPS Office suite ( CVE-2022-24934 ) to backdoor its targets. The issue has since been addressed by Kingsoft Office, the developers of the office software. In the case observed by the Czech security firm, the vulnerability was used to drop a malicious binary from a fake update server with the domain update.wps[.]cn that triggers a m
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.