Connect with us

Hi, what are you looking for?



Chinese APT Hacks 48 Government Organizations

Earth Krahang, likely a penetration team of Chinese government contractor I-Soon, has compromised 48 government entities worldwide.

An advanced persistent threat (APT) actor likely operating on behalf of the Chinese government has compromised dozens of foreign government entities worldwide, Trend Micro reports.

Referred to as Earth Krahang, the hacking group appears linked to Earth Lusca, which is believed to be a penetration team within the Chinese company I-Soon. Leaked documents recently showed that I-Soon is a private contractor linked to the Ministry of Public Security, China’s top policing agency.

Earth Krahang, Trend Micro says, is focused on cyberespionage, and is believed to have compromised at least 70 organizations across 23 different countries, mainly in Asia and America, but also in Europe and Africa. The APT has targeted at least 100 other entities across 35 countries as well.

Victims include government entities, foreign affairs ministries, and organizations in the education, telecommunications, logistics, finance, healthcare, manufacturing, military, and other sectors.

“We found that at least 48 government organizations were compromised, with a further 49 other government entities being targeted. Foreign Affairs ministries and departments were a top target, compromising 10 such organizations and targeting five others,” Trend Micro noted.

Earth Krahang, Trend Micro says, was seen compromising government infrastructure to host malicious payloads, proxy traffic, and send spear-phishing emails targeting other governmental entities.

“Earth Krahang abuses the trust between governments to conduct their attacks. We found that the group frequently uses compromised government web servers to host their backdoors and send download links to other government entities via spear phishing emails,” Trend Micro notes.

The threat actor would also build VPNs on compromised public-facing servers to access the victims’ networks and harvest email credentials using brute-force attacks.

Advertisement. Scroll to continue reading.

According to Trend Micro, operational errors allowed it to tap into the APT’s servers and retrieve malware samples and configuration and log files.

The group was seen employing open source tools to scan victims’ web-facing servers, brute-forcing directories to collect sensitive information, and exploiting command execution vulnerabilities in OpenFire (CVE-2023-32315) and Oracle Web Applications Desktop Integrator (CVE-2022-21587).

Earth Krahang would send spear-phishing emails containing attachments or embedded URLs leading to malware execution. In one instance, a compromised government email account was used to send a malicious attachment to roughly 800 accounts belonging to the same organization.

Following initial access, the APT would deploy the SoftEther VPN to connect to the victim environment, would use task scheduling to obtain persistence, enable remote desktop connections, scan the network, extract credentials from memory dumps, move laterally, and escalate privileges.

To maintain access to the victim’s systems, the threat actor would deploy Cobalt Strike, as well as two custom backdoors named Reshell and XDealer. In some instances, Earth Krahang also deployed PlugX and ShadowPad variants on victim’s systems.

Trend Micro’s investigation into Earth Krahang revealed links to other Chinese threat actors, including a strong connection to Earth Lusca, due to overlaps in infrastructure and the preference of initial stage backdoors.

With Earth Lusca previously found to be I-Soon’s penetration team and recently leaked documents showing that the company’s penetration team is organized in two different subgroups, “Earth Krahang could be another penetration team under the same company,” Trend Micro says.

“Given the importance of Earth Krahang’s targets and their preference of using compromised government email accounts, we strongly advise organizations to adhere to security best practices, including educating employees and other individuals involved with the organization on how to avoid social engineering attacks,” the cybersecurity firm concludes.

Related: Chinese Cyberspies Target Tibetans via Watering Hole, Supply Chain Attacks

Related: Chinese Cyberspies Use New Malware in Ivanti VPN Attacks

Related: US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...


A China-linked hackers are exploiting a vulnerability (CVE-2022-42475 ) in Fortinet FortiOS SSL-VPN, Mandiant claims.


In a campaign called Volt Typhoon, Microsoft says Chinese government hackers were siphoning data from critical infrastructure organizations in Guam, a U.S. territory in...