A China-linked cyberespionage group has shifted its attention from the United States to Hong Kong, where it has targeted more than a dozen organizations over the past year.
FireEye reported last week that APT3, a threat actor believed to be sponsored by China, had targeted two Hong Kong government agencies in early August. The attackers had used spear-phishing emails to trick recipients into installing what the security firm said was a previously unseen piece of malware.
APT3, also known as UPS Team, Gothic Panda, Buckeye and TG-0110, has been active since at least 2009. The group’s attacks often involved zero-day vulnerabilities and flaws that had just been patched.
Many of the group’s earlier attacks focused on the United States, including government organizations. However, Symantec, which tracks the threat actor as Buckeye, noticed last year that the hackers had become increasingly interested in Hong Kong.
Symantec observed roughly 82 APT3 victims since the beginning of 2015, but experts pointed out that the group had cast a wide net and only 17 of these organizations were persistently targeted. The list of victims included 13 organizations in Hong Kong, three in the U.S. and one in the U.K.
While there were some periods last year when all three countries had been targeted, researchers noticed that the U.K. and the U.S. were no longer attacked starting with March 2016.
In the recent attacks observed by Symantec, mostly aimed at political entities in Hong Kong, APT3 used ZIP archives and Windows shortcut (.lnk) files to deliver a backdoor dubbed by the security firm Pirpi.
The infection method appears to be the same in the attacks observed by FireEye – a ZIP archive contains a shortcut file that downloads malware. However, the early August attacks spotted by FireEye did not leverage Pirpi, which has been around since 2010 and which the company tracks as Backdoor.APT.CookieCutter. Instead, the security firm said they involved a new malware tool.
This suggests that China may have stepped up its attacks just before the Hong Kong legislative elections that took place on September 4. The Chinese government has been increasingly concerned about Hong Kong’s push for more political independence.
In addition to Pirpi, Symantec observed APT3 using various other tools, including keyloggers, remote command execution tools, system information harvesting tools, and browser password stealers. Researchers said the group appears to be focusing on file and print servers, which suggests they are mainly interested in stealing documents.