Chinese APT Hacks 48 Government Organizations

Earth Krahang, likely a penetration team of Chinese government contractor I-Soon, has compromised 48 government entities worldwide.

An advanced persistent threat (APT) actor likely operating on behalf of the Chinese government has compromised dozens of foreign government entities worldwide, Trend Micro reports.

Referred to as Earth Krahang, the hacking group appears linked to Earth Lusca, which is believed to be a penetration team within the Chinese company I-Soon. Leaked documents recently showed that I-Soon is a private contractor linked to the Ministry of Public Security, China’s top policing agency.

Earth Krahang, Trend Micro says, is focused on cyberespionage, and is believed to have compromised at least 70 organizations across 23 different countries, mainly in Asia and America, but also in Europe and Africa. The APT has targeted at least 100 other entities across 35 countries as well.

Victims include government entities, foreign affairs ministries, and organizations in the education, telecommunications, logistics, finance, healthcare, manufacturing, military, and other sectors.

“We found that at least 48 government organizations were compromised, with a further 49 other government entities being targeted. Foreign Affairs ministries and departments were a top target, compromising 10 such organizations and targeting five others,” Trend Micro noted.

Earth Krahang, Trend Micro says, was seen compromising government infrastructure to host malicious payloads, proxy traffic, and send spear-phishing emails targeting other governmental entities.

“Earth Krahang abuses the trust between governments to conduct their attacks. We found that the group frequently uses compromised government web servers to host their backdoors and send download links to other government entities via spear phishing emails,” Trend Micro notes.

The threat actor would also build VPNs on compromised public-facing servers to access the victims’ networks and harvest email credentials using brute-force attacks.

According to Trend Micro, operational errors allowed it to tap into the APT’s servers and retrieve malware samples and configuration and log files.

The group was seen employing open source tools to scan victims’ web-facing servers, brute-forcing directories to collect sensitive information, and exploiting command execution vulnerabilities in OpenFire (CVE-2023-32315) and Oracle Web Applications Desktop Integrator (CVE-2022-21587).

Earth Krahang would send spear-phishing emails containing attachments or embedded URLs leading to malware execution. In one instance, a compromised government email account was used to send a malicious attachment to roughly 800 accounts belonging to the same organization.

Following initial access, the APT would deploy the SoftEther VPN to connect to the victim environment, would use task scheduling to obtain persistence, enable remote desktop connections, scan the network, extract credentials from memory dumps, move laterally, and escalate privileges.
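The post-access chain described above (SoftEther VPN deployment, scheduled-task persistence, Remote Desktop enabled) is the kind of sequence a defender can look for in process-creation telemetry. The example below is added here and is not code from Trend Micro or SecurityWeek; it assumes a simple constructed `host|user|parent|command_line` event format, the standard SoftEther executable names, and the `fDenyTSConnections` registry value that controls RDP, and only alerts when more than one stage is seen on the same host.

```python
import re

# Constructed sample process-creation events (hypothetical, not from the report).
# Format: host|user|parent_process|command_line
SAMPLE_EVENTS = [
    "web01|SYSTEM|services.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "web01|Administrator|cmd.exe|schtasks /create /tn Updater /tr C:\\ProgramData\\vpnbridge.exe /sc onstart /ru SYSTEM",
    "web01|Administrator|cmd.exe|reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "web01|SYSTEM|svchost.exe|C:\\ProgramData\\vpnbridge.exe /start",
    "fileserver|jdoe|explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
]

# Executable names shipped with SoftEther VPN (server, bridge, client, CLI tool).
SOFTETHER_BINARIES = ("vpnserver.exe", "vpnbridge.exe", "vpnclient.exe", "vpncmd.exe")

def is_softether(cl):
    # A SoftEther binary launched, or referenced as the action of another command.
    return any(b in cl.lower() for b in SOFTETHER_BINARIES)

def is_schtask_create(cl):
    # Scheduled-task creation: the persistence step named in the article.
    low = cl.lower()
    return "schtasks" in low and "/create" in low

def is_rdp_enable(cl):
    # Remote Desktop switched on by setting fDenyTSConnections to 0.
    return "fdenytsconnections" in cl.lower() and re.search(r"/d\s+0\b", cl) is not None

RULES = {"softether_exec": is_softether,
         "schtask_persistence": is_schtask_create,
         "rdp_enabled": is_rdp_enable}

def parse_event(line):
    host, user, parent, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "parent": parent, "cmdline": cmdline}

def evaluate(events):
    # Map each host to the set of rule names its events triggered.
    hits = {}
    for line in events:
        ev = parse_event(line)
        for name, check in RULES.items():
            if check(ev["cmdline"]):
                hits.setdefault(ev["host"], set()).add(name)
    return hits

def hosts_matching_chain(events, min_rules=2):
    # Require several distinct stages on one host so a lone admin schtasks call
    # does not alert on its own.
    return sorted(h for h, names in evaluate(events).items() if len(names) >= min_rules)
```

Raising `min_rules` trades recall for precision; in practice the per-rule hits would be kept as context alongside the chain alert.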

To maintain access to the victim’s systems, the threat actor would deploy Cobalt Strike, as well as two custom backdoors named Reshell and XDealer. In some instances, Earth Krahang also deployed PlugX and ShadowPad variants on victims’ systems.

Trend Micro’s investigation into Earth Krahang revealed links to other Chinese threat actors, including a strong connection to Earth Lusca, due to overlaps in infrastructure and a shared preference for the same initial-stage backdoors.

With Earth Lusca previously found to be I-Soon’s penetration team and recently leaked documents showing that the company’s penetration team is organized in two different subgroups, “Earth Krahang could be another penetration team under the same company,” Trend Micro says.

“Given the importance of Earth Krahang’s targets and their preference of using compromised government email accounts, we strongly advise organizations to adhere to security best practices, including educating employees and other individuals involved with the organization on how to avoid social engineering attacks,” the cybersecurity firm concludes.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.