Cyberspying Aimed at Industrial Enterprises in Russia and Ukraine Linked to China

A recent cyberespionage operation aimed at industrial enterprises and public institutions in Eastern Europe and Afghanistan has been linked to a threat actor that is likely sponsored by the Chinese government.

The campaign, detailed on Monday by Kaspersky, is believed to be the work of TA428, a group that has been tracked by cybersecurity companies since at least 2019. TA428 activities and the malware used by the group were previously detailed by Recorded Future, Group-IB, Proofpoint, Cybereason, Dr.Web, and NTT Security. The group is also known as Colourful Panda and Bronze Dudley.

Some of TA428’s more recent attacks, ones disclosed in 2021, focused on Russia, targeting government and military organizations. The attacks analyzed by Kaspersky’s ICS CERT unit were first seen in January 2022 and they are likely an extension of that campaign.

The attacks seen by Kaspersky were aimed at more than a dozen organizations in Russia, Ukraine, Belarus and Afghanistan. Victims included military industrial complex enterprises and public institutions. Specifically, the attacks were aimed at industrial plants, design bureaus, research institutes, and various types of government organizations.

According to Kaspersky, six different backdoor malware families were used in the attacks, most of which were previously linked to TA428. This includes threats known as PortDoor, nccTrojan, Cotx, DNSep, and Logtu. The cybersecurity firm also spotted what appears to be a new piece of malware, which it has named CotSam due to similarities with Cotx.

The malware is delivered using phishing emails that carry Word documents designed to exploit an older vulnerability for arbitrary code execution.

The attackers have been observed searching for sensitive data on compromised systems and exfiltrating it, which has led researchers to believe that the likely goal is espionage.

Kaspersky also pointed out that in at least one case, the attacker managed to gain access to a server hosting a system that controls cybersecurity solutions. This allowed them to modify settings for the endpoint security solutions used by the victim organization. In addition, the hackers have been seen using DLL hijacking and process hollowing in an effort to protect their malware from security software.

Similar to other cybersecurity companies, Kaspersky believes it’s very likely that the hackers are Chinese. They are using hacking tools that are popular in China, they are leveraging Chinese services, and their work hours match the typical workday in China.

“The attack series that we have discovered is not the first in the campaign and, given that the attackers achieve a certain degree of success, we believe it is highly likely that they will continue to conduct similar attacks in the future. Industrial enterprises and public institutions should take extensive measures to repel such attacks successfully,” Kaspersky said.

Related: ICS Vendors Targeted in Espionage Campaign Focusing on Renewable Energy

Related: Mac Malware Used in Attacks Targeting Industrial Organizations in Middle East