Cyberwarfare

Cyberspying Aimed at Industrial Enterprises in Russia and Ukraine Linked to China

A recent cyberespionage operation aimed at industrial enterprises and public institutions in Eastern Europe and Afghanistan has been linked to a threat actor that is likely sponsored by the Chinese government.

The campaign, detailed on Monday by Kaspersky, is believed to be the work of TA428, a group that has been tracked by cybersecurity companies since at least 2019. TA428 activities and the malware used by the group were previously detailed by Recorded Future, Group-IB, Proofpoint, Cybereason, Dr.Web, and NTT Security. The group is also known as Colourful Panda and Bronze Dudley.

Some of TA428’s more recent attacks, ones disclosed in 2021, focused on Russia, targeting government and military organizations. The attacks analyzed by Kaspersky’s ICS CERT unit were first seen in January 2022 and they are likely an extension of that campaign.

The attacks seen by Kaspersky were aimed at more than a dozen organizations in Russia, Ukraine, Belarus and Afghanistan. Victims included military industrial complex enterprises and public institutions. Specifically, the attacks were aimed at industrial plants, design bureaus, research institutes, and various types of government organizations.

According to Kaspersky, six different backdoor malware families were used in the attacks, most of which were previously linked to TA428. This includes threats known as PortDoor, nccTrojan, Cotx, DNSep, and Logtu. The cybersecurity firm also spotted what appears to be a new piece of malware, which it has named CotSam due to similarities with Cotx.

The malware is delivered using phishing emails that carry Word documents designed to exploit an older vulnerability for arbitrary code execution.

The attackers have been observed searching for sensitive data on compromised systems and exfiltrating it, which has led researchers to believe that the likely goal is espionage.

Kaspersky also pointed out that in at least one case, the attacker managed to gain access to a server hosting a system that controls cybersecurity solutions. This allowed them to modify settings for the endpoint security solutions used by the victim organization. In addition, the hackers have been seen using DLL hijacking and process hollowing in an effort to protect their malware from security software.

Similar to other cybersecurity companies, Kaspersky believes it’s very likely that the hackers are Chinese. They are using hacking tools that are popular in China, they are leveraging Chinese services, and their work hours match the typical workday in China.
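Kaspersky's third attribution signal above, the overlap between attacker activity and the Chinese working day, can be checked mechanically. The script below is an added illustration, not code from the article or from Kaspersky. It assumes a 09:00-18:00 local working day and a small constructed set of UTC activity timestamps (not data from the report, for example C2 check-in times or file modification times), and ranks candidate UTC offsets by the share of events that land inside working hours.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of attacker activity timestamps in UTC. These values are
# made up for illustration and are not taken from the Kaspersky report.
SAMPLE_EVENTS_UTC = [
    "2022-01-10T01:15:00+00:00", "2022-01-10T01:40:00+00:00",
    "2022-01-10T02:05:00+00:00", "2022-01-11T02:50:00+00:00",
    "2022-01-11T03:10:00+00:00", "2022-01-11T03:45:00+00:00",
    "2022-01-12T04:20:00+00:00",
    "2022-01-12T05:00:00+00:00", "2022-01-12T05:30:00+00:00",
    "2022-01-13T06:10:00+00:00", "2022-01-13T06:55:00+00:00",
    "2022-01-13T07:15:00+00:00", "2022-01-14T07:40:00+00:00",
    "2022-01-14T08:05:00+00:00", "2022-01-14T08:30:00+00:00",
    "2022-01-17T09:10:00+00:00", "2022-01-17T09:50:00+00:00",
    "2022-01-17T14:20:00+00:00", "2022-01-18T15:05:00+00:00",
    "2022-01-18T23:30:00+00:00",
]

# Assumed local working day: events at 09:00 up to (but not including) 18:00.
BUSINESS_START, BUSINESS_END = 9, 18


def parse_utc(stamps):
    """Parse ISO-8601 strings into timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(s).astimezone(timezone.utc) for s in stamps]


def hour_histogram(events, utc_offset_hours):
    """Count events per local hour after shifting into the candidate time zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(e.astimezone(tz).hour for e in events)


def business_hours_share(hist):
    """Fraction of events that fall inside the assumed working day."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    in_hours = sum(n for h, n in hist.items() if BUSINESS_START <= h < BUSINESS_END)
    return in_hours / total


def rank_offsets(stamps, offsets=range(-12, 15)):
    """Return (utc_offset, share) pairs, best-fitting offset first.

    Ties are broken in favour of the offset closest to UTC so the ordering
    is deterministic.
    """
    events = parse_utc(stamps)
    scored = [(off, business_hours_share(hour_histogram(events, off)))
              for off in offsets]
    return sorted(scored, key=lambda t: (-t[1], abs(t[0])))


if __name__ == "__main__":
    for off, share in rank_offsets(SAMPLE_EVENTS_UTC)[:5]:
        print(f"UTC{off:+d}: {share:.0%} of events inside {BUSINESS_START:02d}:00-{BUSINESS_END:02d}:00")
```

On the constructed data UTC+8 (China Standard Time) scores highest. Working-hours overlap is a weak indicator on its own: timestamps can be skewed by scheduled tasks and by the sources the events are drawn from, so it is weighed together with the tooling and infrastructure evidence the article mentions rather than used alone.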

“The attack series that we have discovered is not the first in the campaign and, given that the attackers achieve a certain degree of success, we believe it is highly likely that they will continue to conduct similar attacks in the future. Industrial enterprises and public institutions should take extensive measures to repel such attacks successfully,” Kaspersky said.

Related: ICS Vendors Targeted in Espionage Campaign Focusing on Renewable Energy

Related: Mac Malware Used in Attacks Targeting Industrial Organizations in Middle East

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.