Israeli, Singaporean research firms uncover new targets for Chinese cyber attacks
Russian federal agencies, Southeast Asian telecom networks among those compromised
TAIPEI (Taiwan News) — Reports released this week by Israeli and Singaporean cybersecurity research firms link Chinese threat groups to a number of recent attacks around the world.
The revelations come just two weeks after the U.S., EU, and NATO blamed the Chinese state for a wide array of sophisticated attacks on Microsoft Exchange servers earlier this year, and they show that Chinese threat groups are targeting a broad range of countries, not just Western democracies.
According to a report released on Tuesday (Aug. 3) by Singapore-headquartered company Group-IB, a cohort of state-sponsored threat groups from China was likely behind a series of attacks against Russian government authorities last year.
The report reveals similarities between the Trojan "Webdav-O," which was used in the attacks and is typically associated with the Chinese threat group TA428, and a well-known Trojan called "BlueTraveller," which is commonly deployed by another Chinese group, TaskMasters.
Group-IB researchers Anastasia Tikhonova and Dmitry Kupin found overlaps in the source code and command-handling logic of the two and suspect that Webdav-O may actually be an updated version of BlueTraveller.
“Chinese hacker groups actively exchange tools and infrastructure," the researchers said. "This means one Trojan can be configured and modified by hackers from different departments with various objectives."
"Either both Chinese hacker groups (TA428 and TaskMasters) attacked Russian federal executive authorities in 2020, or there is one united Chinese hacker group made up of different units," they concluded.
Meanwhile, Israeli firm Cybereason's report, "DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos," analyzed three campaigns that infiltrated Southeast Asian telecom providers, connecting the attacks to the Chinese groups Soft Cell, Naikon, and Group-3390. The researchers said all three are "suspected to be operating on behalf of Chinese state interests."
The report also noted that “the threat actors exploited recently disclosed vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks.”
Telecoms were targeted to spy on corporations, political figures, government officials, political activists, and dissident factions of interest to the Chinese government, per the report. Although the attacks were discovered this year, evidence shows the attackers first infiltrated the networks in 2017 and remained undetected for at least three years.
While these attacks took aim at Southeast Asian telecoms, the attacks could potentially be repeated against companies in other regions around the world.
The Biden administration is trying to build international consensus on how to respond to China's cyberattacks, U.S. Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger said at the Aspen Security Forum on Wednesday. This is the main reason why the U.S. has so far held back on sanctioning China over the Microsoft Exchange server attacks, she said.
The recent Annual Cyber Threat Landscape Report by Israeli firm Deep Instinct found an 800% increase in global cyber and ransomware attacks since 2019.