Connect with us

Hi, what are you looking for?


Cloud Security

Microsoft Says China-Linked Hackers Abused Azure in Attacks

Microsoft Reports Evolution of China-Linked Threat Actor GADOLINIUM

Microsoft this week announced that it recently removed 18 Azure Active Directory applications that were being abused by China-linked state-sponsored threat actor GADOLINIUM.

Microsoft Reports Evolution of China-Linked Threat Actor GADOLINIUM

Microsoft this week announced that it recently removed 18 Azure Active Directory applications that were being abused by China-linked state-sponsored threat actor GADOLINIUM.

Also known as APT40, TEMP.Periscope, TEMP.Jumper, Leviathan, BRONZE MOHAWK, and Kryptonite Panda, the adversary has been active since at least 2013, mainly operating in support of China’s naval modernization efforts, through targeting various engineering and maritime entities, including a U.K.-based company.

The threat actor was recently observed leveraging Azure cloud services and open source tools in attacks employing spear-phishing emails with malicious attachments.

“As these attacks were detected, Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure,” the tech company says.

According to Microsoft, GADOLINIUM has expanded its target list to include the Asia-Pacific region, as well as other targets in higher education and regional government organizations. Previously employing custom malware, the threat actor has added open-source tools to their toolset over the past year, making tracking more difficult.

The group has been experimenting with the use of cloud services for years, starting with a Microsoft TechNet profile in 2016. In 2018, the hackers abused GitHub to host commands, and 2019 and 2020 attacks employed similar techniques.

Over the past year, similar to other state-sponsored threat groups, GADOLINIUM has included open-source tools in its portfolio, which also results in lower overall costs for the attackers, in addition to making attribution more difficult.

Advertisement. Scroll to continue reading.

In April this year, the adversary adopted COVID-19 lures in their spear-phishing emails. The multi-stage infection process would result in a modified version of the open-source PowershellEmpire toolkit being delivered.

The toolkit enables the threat actor to load additional payloads onto the victim’s machine, including a command and control module that leverages OneDrive to execute commands and retrieve results. As part of the attacks, GADOLINIUM leveraged an Azure Active Directory application for data exfiltration to OneDrive.

“From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario, no OAuth permissions consent prompts occur,” Microsoft explains.

Related: Chinese Threat Actor Uses New MgBot Variant in Attacks on India, Hong Kong

Related: State-Sponsored Hackers Supporting China’s Naval Modernization Efforts: Report

Related: Researchers Link Disparate Chinese Hacking Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.