Chinese Hackers | Breaking Cybersecurity News | The Hacker News

Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks
Jan 18, 2023 | Cyber Espionage / Cyber Risk
The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which is tracking the activity under its constellation-themed moniker Playful Taurus, said it observed the government domains attempting to connect to malware infrastructure previously identified as associated with the adversary. Also known by the names APT15, KeChang, NICKEL, and Vixen Panda, the Chinese APT group has a history of cyber espionage campaigns aimed at government and diplomatic entities across North America, South America, Africa, and the Middle East since at least 2010. Slovak cybersecurity firm ESET, in June 2021, unpacked the intrusions mounted by the hacking crew against diplomatic entities and telecommunication companies in Africa and the Middle East using a custom implant known as Turian. Then in December 2021, Microsoft announced the seizure of 42 domains operated

RedZei Chinese Scammers Targeting Chinese Students in the U.K.
Jan 02, 2023 | Online Scam / Cybersecurity
Chinese international students in the U.K. have been targeted by persistent Chinese-speaking scammers for over a year as part of an activity dubbed RedZei (aka RedThief). "The RedZei fraudsters have chosen their targets carefully, researched them and realized it was a rich victim group that is ripe for exploitation," cybersecurity researcher Will Thomas (@BushidoToken) said in a write-up published last week. The most notable aspect of the operation is the effort the threat actors put into defeating the measures users take to block scam calls: a new pay-as-you-go U.K. phone number is used for each wave, which renders phone number-based blocking ineffective. Thomas, pointing out the meticulous tradecraft employed by the scammers, said the threat actor alternates between SIMs from several mobile carriers such as Three, O2, EE, Tesco Mobile, and Telia. Indications are that the lucrative RedZei campaign may have started as far back as August 2019, with a report from The

Chinese Hackers Target Middle East Telecoms in Latest Cyber Attacks
Dec 06, 2022 | Advanced Persistent Threat
A malicious campaign targeting the Middle East is likely linked to BackdoorDiplomacy, an advanced persistent threat (APT) group with ties to China. The espionage activity, directed against a telecom company in the region, is said to have commenced on August 19, 2021 through the successful exploitation of ProxyShell flaws in Microsoft Exchange Server. Initial compromise leveraged binaries vulnerable to side-loading techniques, followed by using a mix of legitimate and bespoke tools to conduct reconnaissance, harvest data, move laterally across the environment, and evade detection. "File attributes of the malicious tools showed that the first tools deployed by the threat actors were the NPS proxy tool and IRAFAU backdoor," Bitdefender researchers Victor Vrabie and Adrian Schipor said in a report shared with The Hacker News. "Starting in February 2022, the threat actors used another tool – [the] Quarian backdoor, along with many other scanners and proxy/tunnel

Chinese Cyber Espionage Hackers Using USB Devices to Target Entities in Philippines
Nov 30, 2022
A threat actor with a suspected China nexus has been linked to a set of espionage attacks in the Philippines that primarily relies on USB devices as an initial infection vector. Mandiant, which is part of Google Cloud, is tracking the cluster under its uncategorized moniker UNC4191. An analysis of the artifacts used in the intrusions indicates that the campaign dates as far back as September 2021. "UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ," researchers Ryan Tomcik, John Wolfram, Tommy Dacanay, and Geoff Ackerman said. "However, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines." The reliance on infected USB drives to propagate the malware is unusual if not new. The Raspberry Robin worm, which has evolved into an initial access ser

U.S. Bans Chinese Telecom Equipment and Surveillance Cameras Over National Security Risk
Nov 26, 2022
The U.S. Federal Communications Commission (FCC) formally announced it will no longer authorize electronic equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua, deeming them an "unacceptable" national security threat. All these Chinese telecom and video surveillance companies were previously included in the Covered List as of March 12, 2021. "The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here," FCC Chairwoman Jessica Rosenworcel said in a Friday order. "These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications." Pursuant to the ban, Hytera, Hikvision, and Dahua are required to document the safeguards the firms are putting in place on the sale of their devices for government use and surveillance of critical i

Chinese 'Mustang Panda' Hackers Actively Targeting Governments Worldwide
Nov 19, 2022
A notorious advanced persistent threat actor known as Mustang Panda has been linked to a spate of spear-phishing attacks targeting government, education, and research sectors across the world. The primary targets of the intrusions from May to October 2022 included countries in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro said in a Friday report. Mustang Panda, also called Bronze President, Earth Preta, HoneyMyte, and Red Lich, is a China-based espionage actor believed to be active since at least July 2018. The group is known for its use of malware such as China Chopper and PlugX to collect data from compromised environments. Activities of the group chronicled by ESET, Google, Proofpoint, Cisco Talos, and Secureworks this year have revealed the threat actor's pattern of using PlugX (and its variant called Hodur) to infect a wide range of entities in Asia, Europe, the Middle East, and the Ameri

Researchers Say China State-backed Hackers Breached a Digital Certificate Authority
Nov 15, 2022
A suspected Chinese state-sponsored actor breached a digital certificate authority as well as government and defense agencies located in different countries in Asia as part of an ongoing campaign since at least March 2022. Symantec, by Broadcom Software, linked the attacks to an adversarial group it tracks under the name Billbug, citing the use of tools previously attributed to this actor. The activity appears to be driven by espionage and data theft, although no data is said to have been stolen to date. Billbug, also called Bronze Elgin, Lotus Blossom, Lotus Panda, Spring Dragon, and Thrip, is an advanced persistent threat (APT) group that is believed to operate on behalf of Chinese interests. Primary targets include government and military organizations in South East Asia. Attacks mounted by the adversary in 2019 involved the use of backdoors like Hannotog and Sagerunex, with the intrusions observed in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam.

New "Earth Longzhi" APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders
Nov 14, 2022
Entities located in East and Southeast Asia as well as Ukraine have been targeted since at least 2020 by a previously undocumented subgroup of APT41, a prolific Chinese advanced persistent threat (APT). Cybersecurity firm Trend Micro, which christened the espionage crew Earth Longzhi, said the actor's long-running campaign can be split into two based on the toolset deployed to attack its victims. The first wave from May 2020 to February 2021 is said to have targeted government, infrastructure, and healthcare industries in Taiwan and the banking sector in China, whereas the succeeding set of intrusions from August 2021 to June 2022 infiltrated high-profile victims in Ukraine and several countries in Asia. This included defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine. The victimology patterns and the targeted sectors overlap with attacks mounted by a distinct subordinate group of APT41

Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware
Nov 01, 2022
The Chinese state-sponsored threat actor known as Stone Panda has been observed employing a new stealthy infection chain in its attacks aimed at Japanese entities. Targets include media, diplomatic, governmental and public sector organizations, and think-tanks in Japan, according to twin reports published by Kaspersky. Stone Panda, also called APT10, Bronze Riverside, Cicada, and Potassium, is a cyber espionage group known for its intrusions against organizations identified as strategically significant to China. The threat actor is believed to have been active since at least 2009. The group has also been linked to attacks using malware families like SigLoader, SodaMaster, and a web shell called Jackpot against multiple Japanese domestic organizations since April 2021, per cybersecurity firm Trend Micro, which is tracking the group under the name Earth Tengshe. The latest set of attacks, observed between March and June 2022, involve the use of a bogus Microsoft Word fi

Chinese Hackers Targeting Online Casinos with GamePlayerFramework Malware
Oct 19, 2022
An advanced persistent threat (APT) group of Chinese origin codenamed DiceyF has been linked to a string of attacks aimed at online casinos in Southeast Asia for years. Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing tactical and targeting similarities as well as the abuse of secure messaging clients. "Possibly we have a mix of espionage and [intellectual property] theft, but the true motivations remain a mystery," researchers Kurt Baumgartner and Georgy Kucherin said in a technical write-up published this week. The starting point of the investigation was in November 2021 when Kaspersky said it detected multiple PlugX loaders and other payloads that were deployed via an employee monitoring service and a security package deployment service. The initial infection method – the distribution of the framework through security solution packages

Chinese 'Spyder Loader' Malware Spotted Targeting Organizations in Hong Kong
Oct 18, 2022
The China-aligned espionage-focused actor known as Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees. Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly aimed at stealing technology secrets from organizations in developed economies. The threat actor's campaigns have targeted healthcare, telecoms, high-tech, media, agriculture, and education sectors, with infection chains primarily relying on spear-phishing emails with attachments to initially break into the victims' networks. Earlier this May, Cybereason disclosed long-running attacks orchestrated by the group since 2019 to siphon intellectual property from technology and manufacturing companies mainly located in East Asia, Western Europe, and North America. The intrusions, clubb

Indian Energy Company Tata Power's IT Infrastructure Hit By Cyber Attack
Oct 15, 2022
Tata Power Company Limited, India's largest integrated power company, on Friday confirmed it was targeted by a cyber attack. The intrusion on IT infrastructure impacted "some of its IT systems," the company said in a filing with the National Stock Exchange (NSE) of India. It further said it has taken steps to retrieve and restore the affected machines, adding it put in place security guardrails for customer-facing portals to prevent unauthorized access. The Mumbai-based electric utility company, part of the Tata Group conglomerate, did not disclose any further details about the nature of the attack, or when it took place. That said, cybersecurity firm Recorded Future in April disclosed attacks mounted by China-linked adversaries targeting Indian power grid organizations. The network intrusions were said to have been aimed at "at least seven Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and ele

New Chinese Cyberespionage Group Targeting IT Service Providers and Telcos
Oct 14, 2022
Telecommunications and IT service providers in the Middle East and Asia are being targeted by a previously undocumented Chinese-speaking threat group dubbed WIP19. The espionage-related attacks are characterized by the use of a stolen digital certificate issued by a Korean company called DEEPSoft to sign malicious artifacts deployed during the infection chain to evade detection. "Almost all operations performed by the threat actor were completed in a 'hands-on keyboard' fashion, during an interactive session with compromised machines," SentinelOne researchers Joey Chen and Amitai Ben Shushan Ehrlich said in a report this week. "This meant the attacker gave up on a stable [command-and-control] channel in exchange for stealth." WIP, short for work-in-progress, is the moniker assigned by SentinelOne to emerging or hitherto unattributed activity clusters, similar to the UNC####, DEV-####, and TAG-## designations given by Mandiant, Microsoft, and Reco

Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor
Sep 26, 2022
A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities. Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile. The intrusions involved the exploitation of CVE-2022-1040 and CVE-2022-30190 (aka "Follina"), two remote code execution vulnerabilities in Sophos Firewall and Microsoft Office, respectively. "This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group's continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies," Recorded Future said in a new technical analysis. TA413, also known as LuckyCat, has been linked to rel

U.S. Adds 2 More Chinese Telecom Firms to National Security Threat List
Sep 21, 2022
The U.S. Federal Communications Commission (FCC) has added Pacific Network Corp, along with its subsidiary ComNet (USA) LLC, and China Unicom (Americas) Operations Limited, to the list of communications equipment and services that have been deemed a threat to national security. The agency said the companies are subject to the Chinese government's exploitation, influence, and control, and could be forced to comply with requests for intercepting and misrouting communications, without the ability to challenge such requests. The Public Safety and Homeland Security Bureau further noted that equipment and services from ComNet and China Unicom could present an opportunity for the Chinese government to carry out espionage operations and gather intelligence against the U.S. Alternatively, they could also provide the Chinese government with a strategic capability to "target, collect, alter, block, and reroute network traffic." China Unicom also earned a place on the list fo

China Accuses NSA's TAO Unit of Hacking its Military Research University
Sep 12, 2022
China has accused the U.S. National Security Agency (NSA) of conducting a string of cyberattacks aimed at aeronautical and military research-oriented Northwestern Polytechnical University in the city of Xi'an in June 2022. The National Computer Virus Emergency Response Centre (NCVERC) disclosed its findings last week, and accused the Office of Tailored Access Operations (TAO), a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA), of orchestrating thousands of attacks against the entities located within the country. "The U.S. NSA's TAO has carried out tens of thousands of malicious cyber attacks on China's domestic network targets, controlled tens of thousands of network devices (network servers, Internet terminals, network switches, telephone exchanges, routers, firewalls, etc.), and stole more than 140GB of high-value data," the NCVERC said. According to the U.S. Department of Justice (DoJ), Northwestern Polytechnical Unive

Chinese Hackers Used ScanBox Framework in Recent Cyber Espionage Attacks
Aug 31, 2022
A months-long cyber espionage campaign undertaken by a Chinese nation-state group targeted several entities with reconnaissance malware so as to glean information about its victims and meet its strategic goals. "The targets of this recent campaign spanned Australia, Malaysia, and Europe, as well as entities that operate in the South China Sea," enterprise security firm Proofpoint said in a report published in partnership with PwC. Targets encompass local and federal Australian governmental agencies, Australian news media companies, and global heavy industry manufacturers which conduct maintenance of fleets of wind turbines in the South China Sea. Proofpoint and PwC attributed the intrusions with moderate confidence to a threat actor tracked by the two companies under the names TA423 and Red Ladon respectively, which is also known as APT40 and Leviathan. APT40 is the name designated to a China-based, espionage-motivated threat actor that's known to be active since 2013 and

China-backed APT41 Hackers Targeted 13 Organisations Worldwide Last Year
Aug 18, 2022
The Chinese advanced persistent threat (APT) actor tracked as Winnti has targeted at least 13 organizations geographically spanning the U.S., Taiwan, India, Vietnam, and China against the backdrop of four different campaigns in 2021. "The targeted industries included the public sector, manufacturing, healthcare, logistics, hospitality, education, as well as the media and aviation," cybersecurity firm Group-IB said in a report shared with The Hacker News. This also included the attack on Air India that came to light in June 2021 as part of a campaign codenamed ColunmTK. The other three campaigns have been assigned the monikers DelayLinkTK, Mute-Pond, and Gentle-Voice based on the domain names used in the attacks. APT41, also known as Barium, Bronze Atlas, Double Dragon, Wicked Panda, or Winnti, is a prolific Chinese cyber threat group that's known to carry out state-sponsored espionage activity in parallel with financially motivated operations at least

Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers
Aug 17, 2022
A Chinese state-sponsored threat activity group named RedAlpha has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations. "In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations," Recorded Future disclosed in a new report. A lesser-known threat actor, RedAlpha was first documented by Citizen Lab in January 2018 and has a history of conducting cyber espionage and surveillance operations directed against the Tibetan community, some in India, to facilitate intelligence collection through the deployment of the NjRAT backdoor. "The campaigns [...] combine light reconnaissance, selective targeting, and diverse malicious tooling," Recorded Future noted at the time. Since then, malicious activities undertaken by the group have involved weaponizing as many as 350 domains that spoof leg