SecurityWeek

Researchers Analyze Chinese Malware Used Against Russian Government

At least two Chinese cyberespionage groups targeted Russian federal executive authorities in 2020, security researchers with threat hunting and intelligence firm Group-IB reveal.

Chinese threat actors have been known to conduct cyberattacks in various countries worldwide, including Russia, targeting military contractors, research institutes, state agencies, and other entities, with a focus on cyberespionage.

An in-depth analysis of the employed malware families suggests that Chinese hacker groups TA428 and TaskMasters were behind a series of attacks that targeted Russian government agencies in 2020, Group-IB says. Both groups are linked to the Chinese government.

Believed to have been active since at least 2020, TaskMasters (also referred to as BlueTraveller) mainly targets organizations in Russia and the CIS, with a focus on sectors such as government agencies, industrial and energy firms, and transport companies.

Operating since 2013, TA428 has been targeting government agencies in East Asia, with a focus on those that have connections with domestic and foreign policy, governmental information technology, and economic development.

As part of last year’s attacks against Russian authorities, the Chinese hackers used malware families Webdav-O and Mail-O to gain remote access to targeted systems and exfiltrate data of interest.

During their investigation into the attacks, Group-IB’s security researchers discovered code similarities between Webdav-O and the BlueTraveller Trojan (also referred to as RemShell), which eventually led them to the conclusion that TaskMasters might have used the malware in the 2020 attacks.

Group-IB’s investigation also revealed a connection between BlueTraveller and Albaniiutas, a relatively new malware family in TA428’s portfolio, suggesting that “Albaniiutas is nothing but a logic continuation of the malware belonging to the BlueTraveller family.”

The security researchers also note that some of the 2020 attacks against the Russian government might have been conducted by TA428, especially with Mail-O believed to be part of this group’s portfolio and with Webdav-O being linked to BlueTraveller, which is in turn linked to TA428’s Albaniiutas.

“It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here,” Group-IB points out.

The researchers also note that evidence suggests that a large hacking group consisting of intelligence units of the People’s Liberation Army of China might be operating out of the country, with the various Chinese APT groups tracked by threat intelligence organizations being nothing more than subgroups.

“Each unit attacks to the fullest, according to a strict timeline and order. This means that one Trojan can be configured and modified by hackers from different departments with different levels of training and with various objectives,” Group-IB concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
