Researchers Link Disparate Chinese Hacking Groups

The Chinese government appears to have centralized control over several hacking groups previously believed to be separate threat actors, the BlackBerry Cylance Threat Intelligence security researchers say. 

The investigation into these groups was triggered by a recent Area 1 report (PDF) that Chinese actors had compromised diplomatic cables belonging to the European Union and accessed sensitive information belonging to the United Nations. 

Over 100 additional organizations (including foreign and finance ministries, think tanks and trade unions) were apparently hacked by groups linked to the Chinese government’s Strategic Support Force (SSF), a branch of the People’s Liberation Army, the report revealed. 

One of the indicators of compromise in the report was a domain apparently used as a command and control (C&C) server, which the BlackBerry Cylance security researchers have linked to a host of disparate Chinese APT groups. 

The researchers also found evidence that different Chinese APT groups have been using the same malware – and in some cases, the same exploit builder. 

China’s SSF, the security researchers explain, was created in 2015 after the reorganization of “disparate Chinese military units responsible for space operations, electronic warfare, information operations, psychological operations, espionage, technical reconnaissance, and network warfare.” 

One of these units was the Third Department of the People’s Liberation Army (PLA), whose Unit 61398 is the actor known as “APT1” and the subject of a 2014 U.S. Justice Department indictment. That actor focused on external targets.

BlackBerry Cylance, however, found a connection to other Chinese government efforts to spy on domestic groups, a task normally performed by the National Security Commission or the Ministry of State Security (MSS).

APT10, also known as menuPass and attributed to the MSS, was recently named by the U.S. Justice Department in two indictments, and the MSS was also named by the U.S.-China Economic and Security Review Commission as the actor likely behind the OPM breach. 

One of the main targets of the MSS is the set of groups known informally as the Five Poisons: Uyghurs, Tibetans, Falun Gong, the Chinese democracy movement, and the movement for Taiwan’s independence.

Operations targeting these groups often employed a malware family known as “Reaver,” which was also associated with malware such as SunOrcal and SUTR. 

The group behind Reaver, BlackBerry Cylance now says, has used “some of the same infrastructure as the group behind the Area 1 attacks on the European Union and United Nations (ostensibly, the military SSF).” 

The researchers linked an IP address used by the C&C domain named in the Area 1 report to Reaver activity, including recent samples that use a different encoding for the relative-address string lookup table and for the configuration data.

The newer Reaver network infrastructure also led the researchers to the discovery of a new type of backdoor deployed in very limited instances, which they call Sparkle. They also discovered a unique Reaver downloader. 

One of the delivery methods was an exploit document leveraging CVE-2017-11882, the memory-corruption bug in the Microsoft Office Equation Editor (EQNEDT32.EXE) patched in November 2017, using a technique that first became popular in 2014. 

After identifying similar documents directly tied to the group behind Reaver, the researchers also found documents previously attributed to “Gobelin Panda” that dropped the “Sisfader RAT.”

Gobelin Panda, a.k.a. Goblin Panda, is known for targeting defense, energy and government organizations in Southeast Asia, especially Vietnam.

“Though we are not able to determine whether Gob(e)lin Panda is associated with the MSS or the SSF, it is clear to us that the exploit builder used in the set of samples we have discussed above has been shared across multiple Chinese APT groups, including Leviathan, Temp.Periscope and Kryptonite Panda,” BlackBerry Cylance says. 

The observed domains were registered using a generic address for the hosting provider (www.nuo[.]cn), which “has a direct link to the Chinese group or groups using or sharing this infrastructure, going all the way back to 2013.”
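The linking described throughout this piece (a C&C domain to its IP, that IP to other domains, a shared exploit builder across samples, and a registrant address seen on many domains going back years) is infrastructure pivoting: the indicators form a graph and previously separate attributions fall into the same connected component. The Python below is an added illustration, not code from BlackBerry Cylance or Area 1, and every indicator in it is constructed (documentation IP ranges, example.* domains, made-up actor labels and hashes), not a real IOC. It also builds in the check a practitioner wants before trusting such a link: a registrant or IP shared by too many unrelated domains (shared hosting, a registrar placeholder address) is a weak pivot, so an optional fan-out threshold drops it before clustering.

```python
"""Cluster attributed threat groups by shared infrastructure (added example).

All nodes below are CONSTRUCTED placeholders, not real indicators.
Node ids are "kind:value"; kinds are group, sample, domain, ip, builder,
registrant. Edges are undirected observations ("sample X beaconed to
domain Y", "domain Y resolved to IP Z", "domain Y registered by R").
"""
from collections import defaultdict, deque


def refang(ioc: str) -> str:
    """Undo the usual defanging so indicators from reports compare equal."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Constructed observations (assumed, for illustration only).
EDGES = [
    # ActorA: sample -> C2 domain -> IP
    ("group:ActorA", "sample:aaaa1111"),
    ("sample:aaaa1111", "domain:mail.example[.]org"),
    ("domain:mail.example[.]org", "ip:203.0.113.5"),
    # ActorB: different domain, but it resolved to ActorA's C2 IP
    ("group:ActorB", "sample:bbbb2222"),
    ("sample:bbbb2222", "domain:cdn.example[.]net"),
    ("domain:cdn.example[.]net", "ip:203.0.113.5"),
    # ActorC and ActorD: separate infrastructure, same exploit-builder fingerprint
    ("group:ActorC", "sample:cccc3333"),
    ("sample:cccc3333", "domain:news.example[.]com"),
    ("domain:news.example[.]com", "ip:198.51.100.77"),
    ("group:ActorD", "sample:dddd4444"),
    ("sample:dddd4444", "domain:login.example[.]info"),
    ("domain:login.example[.]info", "ip:198.51.100.78"),
    ("sample:cccc3333", "builder:rtf-builder-X"),
    ("sample:dddd4444", "builder:rtf-builder-X"),
    # A generic hosting-provider registrant address shared by many domains,
    # including one with no known actor at all.
    ("domain:mail.example[.]org", "registrant:abuse@hosting.example"),
    ("domain:cdn.example[.]net", "registrant:abuse@hosting.example"),
    ("domain:news.example[.]com", "registrant:abuse@hosting.example"),
    ("domain:login.example[.]info", "registrant:abuse@hosting.example"),
    ("domain:shop.example[.]biz", "registrant:abuse@hosting.example"),
]


def build_graph(edges, max_fanout=None):
    """Undirected adjacency map. If max_fanout is set, any non-group node with
    more than that many neighbours is removed as too generic to pivot on."""
    adj = defaultdict(set)
    for a, b in edges:
        a, b = refang(a), refang(b)
        adj[a].add(b)
        adj[b].add(a)
    if max_fanout is not None:
        noisy = [n for n, nb in adj.items()
                 if not n.startswith("group:") and len(nb) > max_fanout]
        for n in noisy:
            for nb in adj[n]:
                adj[nb].discard(n)
            del adj[n]
    return adj


def clusters(adj):
    """Connected components, reported as sorted tuples of group names."""
    seen, out = set(), []
    for start in list(adj):
        if start in seen:
            continue
        comp, stack = [], [start]
        seen.add(start)
        while stack:
            n = stack.pop()
            comp.append(n)
            for nb in adj.get(n, ()):
                if nb not in seen:
                    seen.add(nb)
                    stack.append(nb)
        groups = tuple(sorted(n.split(":", 1)[1] for n in comp
                              if n.startswith("group:")))
        if groups:
            out.append(groups)
    return sorted(out)


def pivot_path(adj, g1, g2):
    """Shortest chain of artifacts linking two groups (BFS), or None.
    This is the evidence an analyst writes up: which pivots made the link."""
    src, dst = "group:" + g1, "group:" + g2
    prev, queue = {src: None}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for nb in adj.get(n, ()):
            if nb not in prev:
                prev[nb] = n
                queue.append(nb)
    return None


if __name__ == "__main__":
    print("all pivots      :", clusters(build_graph(EDGES)))
    strict = build_graph(EDGES, max_fanout=3)
    print("fan-out <= 3    :", clusters(strict))
    print(" -> ".join(pivot_path(strict, "ActorA", "ActorB")))
```

With every pivot allowed, the generic registrant address collapses all four actors into one cluster; with a fan-out limit of three it is dropped, and what remains are the two links a report would actually defend: ActorA and ActorB through a shared C2 IP, ActorC and ActorD through a shared exploit builder. Whether a widely shared registrant is noise or, as in the case above, a genuine link to one operator is a judgement call, which is why the threshold is a parameter rather than a constant.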

“After a close technical analysis of a set of tools and infrastructure used by several suspected Chinese state or state-sponsored actors over nearly a decade, we were able to establish and/or confirm connections between them – connections that provide insight into a dynamic set of actors whose targeting has changed dramatically over the years,” BlackBerry Cylance concludes. 

Written by Ionut Arghire, international correspondent for SecurityWeek.