Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Chinese Attack Groups Operate in Parallel in Cyber Espionage Campaigns: FireEye

Researchers at FireEye have discovered two attack campaigns being orchestrated by different groups in separate regions of China that appear to be operating in parallel.

Researchers at FireEye have discovered two attack campaigns being orchestrated by different groups in separate regions of China that appear to be operating in parallel.

The attack campaigns are focused on different targets. According to a team of FireEye researchers, the first group – which has been named Moafee – appears to operate from the Guangdong Province and is targeting military and government organizations in countries with interests in the South China Sea. This includes targets within the defense industry in the United States.

The second group, known as DragonOK, is focused on high-tech and manufacturing companies in Japan and Taiwan with the likely goal of economic espionage, according to the researchers.

“It seems that both groups, while operating in distinctly different regions, either 1) collaborate, 2) receive the same training), 3) share a common toolkit supply chain, or 4) some combination of these scenarios, which means they are employing a ‘production line’-type approach to initiating cyber attacks to breach defenses,” the researchers blogged. “Both campaigns use similar tools, techniques and procedures (TTPs) – including custom-built backdoors and remote-administration tools (RATs) to infiltrate their targets’ networks.”

Moafee and DragonOK both use the HUC Packet Transmit Tool (HTRAN) proxy tool to hide their geographical locations, and use password-protected documents and large file sizes to disguise their attacks. Among the tools used by both groups are Mongall, Nflog, PoisonIvy and CT/NewCT/NewCT2.

Advertisement. Scroll to continue reading.

“Both Moafee and DragonOK favor spear-phishing emails as an attack vector, often employing a decoy to deceive the victim,” according to the researchers. “The emails are well crafted and audience specific, even written in the intended victim’s native language. Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document. We also observed both groups using decoy documents that are presented to the victim while the malware runs in the background.”

The Moafee group was observed running HTRAN proxies on multiple command and control servers operated on CHINANET and hosted in Guangdong Province. DragonOK was seen running HTRAN to proxy their command and control servers as well. Their command and control servers were also operated on CHINANET but are hosted in the Jiangsu Province.

The researchers blogged that they also found a third, separate group that appears to use the same tools, techniques and procedures, including the same custom backdoors and RATs. However, the researchers stated they do not have enough insight to establish a connection to the other two groups.

FireEye plans to publish a report in the future about the two related campaigns.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...