A cyberattack targeting Asian and European countries, including Ukraine, Russia, Belarus, and Afghanistan, was discovered by Kaspersky researchers. The attack has been connected to cyber espionage, which was conducted to infiltrate governmental and military institutions in east European countries.
According to the report, the techniques used in the attack were closely linked to the malicious actors known as TA428, a Chinese threat group known to have previously attacked organizations in Asia and Eastern Europe.
The attack was discovered in January 2022 and successfully compromised networks in target countries’ organizations. The target industries included industrial plants, government agencies, and government ministries.
The attackers’ goal
According to Kaspersky, the attack analysis indicates that the attackers’ priority was “cyber espionage,” a form of cyber spying attack where the attackers attempt to access sensitive information from a government body or organization to gain economic and political advantages.
The Chinese hackers used spear phishing emails to conduct cyber espionage and exploited the CVE-2017-11882 Microsoft Office vulnerability to deploy PortDoor malware.
The researchers were able to track back the attack because, in April 2021, PortDoor was again used by the Chinese-backed hackers to hack into the system of a defense contractor that designs submarines for the Russian Navy.
The Chinese hacker organization has a history of attacking government institutions using malware strains tied to TA428 and has also used nccTrojan, Logtu, Cotx, DNSep, and a more recent variant of the malware called CotSam.
Stolen data traced back to China
The attackers searched through the organization’s data, per reports, and sent the confidential files via command-and-control (C2) servers. They used password-protected zip archives to send the data through a Chinese IP address, which helped the researchers trace back the attackers. The analysis also revealed that the same “C2 servers” path had previously been used in operations launched by other Chinese APT groups.