Malware & Threats

China-Linked APT3 Group Focuses Attacks on Hong Kong

A China-linked cyberespionage group has shifted its attention from the United States to Hong Kong, where it has targeted more than a dozen organizations over the past year.

FireEye reported last week that APT3, a threat actor believed to be sponsored by China, had targeted two Hong Kong government agencies in early August. The attackers had used spear-phishing emails to trick recipients into installing what the security firm said was a previously unseen piece of malware.

APT3, also known as UPS Team, Gothic Panda, Buckeye and TG-0110, has been active since at least 2009. The group’s attacks often involved zero-day vulnerabilities and flaws that had just been patched.

Many of the group’s earlier attacks focused on the United States, including government organizations. However, Symantec, which tracks the threat actor as Buckeye, noticed last year that the hackers had become increasingly interested in Hong Kong.

Symantec observed roughly 82 APT3 victims since the beginning of 2015, but experts pointed out that the group had cast a wide net and only 17 of these organizations were persistently targeted. The list of victims included 13 organizations in Hong Kong, three in the U.S. and one in the U.K.

While there were some periods last year when all three countries were targeted, researchers noticed that the U.K. and the U.S. were no longer attacked starting in March 2016.

In the recent attacks observed by Symantec, mostly aimed at political entities in Hong Kong, APT3 used ZIP archives and Windows shortcut (.lnk) files to deliver a backdoor that the security firm calls Pirpi.

The infection method appears to be the same in the attacks observed by FireEye: a ZIP archive contains a shortcut file that downloads the malware. However, the early August attacks spotted by FireEye did not leverage Pirpi, which has been around since 2010 and which the company tracks as Backdoor.APT.CookieCutter. Instead, the security firm said they involved a new malware tool.
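One defender-side check for the delivery chain described above is to inspect incoming ZIP archives for Windows shortcut files, including shortcuts renamed to a more innocent extension. This is an added example, not code from Symantec, FireEye or the article; the archive contents and file names below are constructed for the demonstration.

```python
"""Flag Windows shortcut (.lnk) entries inside ZIP archives (added example)."""
import io
import zipfile

# Fixed 20-byte prefix of the Shell Link (.lnk) binary format:
# HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK section 2.1).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")


def find_shortcuts(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive entry that looks like a Windows shortcut.

    An entry is flagged if its name ends in .lnk, or if its content starts with
    the Shell Link header (catches shortcuts hidden behind another extension).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_name = info.filename.lower().endswith(".lnk")
            by_magic = head == LNK_MAGIC
            if by_name or by_magic:
                findings.append({
                    "name": info.filename,
                    "lnk_extension": by_name,
                    "lnk_header": by_magic,
                    "disguised": by_magic and not by_name,
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: a harmless text file, a .lnk entry, and a
    shortcut renamed to .pdf. The shortcut bodies are just the header bytes
    plus padding, not real shortcuts, so they resolve to no target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "agenda for the briefing\n")
        zf.writestr("Election_Briefing.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Election_Briefing.pdf", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_shortcuts(build_sample_zip()):
        print(finding)
```

Gateways that only block on the `.lnk` extension miss the renamed case, which is why the header check is the one worth keeping.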

This suggests that China may have stepped up its attacks just before the Hong Kong legislative elections that took place on September 4. The Chinese government has been increasingly concerned about Hong Kong’s push for more political independence.

In addition to Pirpi, Symantec observed APT3 using various other tools, including keyloggers, remote command execution tools, system information harvesting tools, and browser password stealers. Researchers said the group appears to be focusing on file and print servers, which suggests they are mainly interested in stealing documents.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.