Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Researchers Analyze Chinese Malware Used Against Russian Government

At least two Chinese cyberespionage groups targeted Russian federal executive authorities in 2020, security researchers with threat hunting and intelligence firm Group-IB reveal.

At least two Chinese cyberespionage groups targeted Russian federal executive authorities in 2020, security researchers with threat hunting and intelligence firm Group-IB reveal.

Chinese threat actors have been known to conduct cyberattacks in various countries worldwide, including Russia, targeting military contractors, research institutes, state agencies, and other entities, with a focus on cyberespionage.

An in-depth analysis of the employed malware families suggests that Chinese hacker groups TA428 and TaskMasters were behind a series of attacks that targeted Russian government agencies in 2020, Group-IB says. Both groups are linked to the Chinese government.

Believed to have been active since at least 2020, TaskMasters (which is also referred to as BlueTraveller) is mainly focused on the targeting of organizations in Russia and CIS, with a focus on sectors such as government agencies, industrial and energy firms, and transport companies.

Operating since 2013, TA428 has been targeting government agencies in East Asia, with a focus on those that have connections with domestic and foreign policy, governmental information technology, and economic development.

As part of last year’s attacks against Russian authorities, the Chinese hackers used malware families Webdav-O and Mail-O to gain remote access to targeted systems and exfiltrate data of interest.

During their investigation into the attacks, Group-IB’s security researchers discovered code similarities between Webdav-O and the BlueTraveller Trojan (also referred to as RemShell), which eventually led them to the conclusion that TaskMasters might have used the malware in the 2020 attacks.

Group-IB’s investigation also revealed a connection between BlueTraveller and Albaniiutas, a relatively new malware family in TA428’s portfolio, suggesting that “Albaniiutas is nothing but a logic continuation of the malware belonging to the BlueTraveller family.”

Advertisement. Scroll to continue reading.

The security researchers also note that some of the 2020 attacks against the Russian government might have been conducted by TA428, especially with Mail-O believed to be part of this group’s portfolio and with Webdav-O being linked to BlueTraveller, which is in turn linked to TA428’s Albaniiutas.

“It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here,” Group-IB points out.

The researchers also note that evidence suggests that a large hacking group consisting of intelligence units of the People’s Liberation Army of China might be operating out of the country, with the various Chinese APT groups tracked by threat intelligence organizations being nothing more than subgroups.

“Each unit attacks to the fullest, according to a strict timeline and order. This means that one Trojan can be configured and modified by hackers from different departments with different levels of training and with various objectives,” Group-IB concludes.

Related: Chinese Cyberspy Group APT31 Starts Targeting Russia

Related: DeadRinger: A Three-Pronged Attack by Chinese Military Actors against Major Telcos

Related: New Chinese Threat Group ‘GhostEmperor’ Targets Governments, Telecom Firms

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.