The recently outed advanced persistent threat (APT) actor Sandman appears linked to China, SentinelOne, Microsoft, and PwC say in a joint report.
The hacking group was brought into the spotlight at the LABScon security conference, standing out because of the sophisticated modular backdoor LuaDream, which has been built using the cross-platform programming language Lua.
Initial reporting drew attention to Sandman’s targeting of telecom providers in the Middle East, Europe, and South Asia, likely for cyberespionage purposes, but did not link the activity to any known APTs.
The joint report, however, draws links between the observed Sandman APT attacks and the activity of STORM-0866/Red Dev 40, a suspected China-based threat actor known to be using the KeyPlug backdoor.
KeyPlug was initially detailed in March 2022 after being used by the Chinese state-sponsored group APT41 (also known as Barium, Brass Typhoon, Wicked Panda, Wicked Spider, Winnti) in attacks against a US government entity.
The malware was believed to be exclusive to APT41, but “Microsoft and PwC have subsequently identified at least three other developing clusters involving KeyPlug, including STORM-0866/Red Dev 40,” suggesting that it is, in fact, shared among multiple Chinese threat actors, SentinelOne notes.
LuaDream and KeyPlug have been observed on the same victim environments, and even on the same endpoints. In one attack, KeyPlug was deployed in May 2023, followed by LuaDream three months later, and both remained active simultaneously for roughly two weeks.
The investigation into these threats revealed overlaps in functionality and design, pointing to shared functional requirements and indicating potential shared development and infrastructure control and management practices.
“Our findings on Sandman indicate that the Lua development paradigm is being adopted by a broader set of cyberespionage threat actors for the modularity, portability, and simplicity that the Lua scripting language offers,” SentinelOne notes.
The security researchers were able to link the APTs through the use of digital certificates, IPs, cloud-based reverse proxy infrastructure, hosting providers, and domain naming conventions.
A comparison between KeyPlug and LuaDream has revealed the use of identical encrypting keys, similar high execution flaws, and direct overlaps in implementation, such as the support for the same protocols for command-and-control (C&C) communication.
“We assess that there are strong overlaps in operational infrastructure, targeting, and TTPs associating the Sandman APT with China-based adversaries using the KEYPLUG backdoor, STORM-0866/Red Dev 40 in particular. This highlights the complex nature of the Chinese threat landscape,” SentinelOne concludes.