A notorious Chinese cyberespionage group has been spotted targeting a data loss prevention (DLP) company that serves military and other government organizations.
Cybersecurity firm ESET analyzed the attack, which it managed to trace back to March 2021. Over the course of more than a year, the hackers conducted activities within the network of the targeted organization.
The victim is a DLP software development company located in an unnamed East Asian country. ESET’s report does mention possible links to a different attack aimed at South Korean companies and individuals, but it’s unclear if the DLP firm is from the same country.
Tick, also known as Bronze Butler and RedBaldKnight, has been around since at least 2006, mainly targeting entities in the APAC region with the goal of stealing intellectual property and classified information. The hackers have been known to use sophisticated methods — including zero-day vulnerabilities — in their attacks.
ESET has attributed the attack on the DLP company to Tick with high confidence, primarily based on the use of malware that is unique to this APT.
The attackers deployed three pieces of malware during this operation, including a new downloader named ShadowPy.
One interesting aspect of the attack observed by ESET is the fact that the hackers compromised update servers and tools used by the victim, but they apparently leveraged them to spread laterally within the company’s environment rather than for conducting a supply chain attack targeting its customers.
ESET did identify two customers who had received trojanized installers developed by the attackers, but researchers believe these malicious installers were transferred to the customers by mistake by the DLP firm’s employees during tech support activities rather than being distributed by the attackers.
“Using ESET telemetry, we didn’t identify any customers of the DLP company who had received any malicious files through the software developed by that company,” ESET said.
Related: Custom Chinese Malware Found on SonicWall Appliance
Related: EU Organizations Warned of Chinese APT Attacks
Related: Cybersecurity Firm Group-IB Repeatedly Targeted by Chinese APT
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
