China's "Cicada" Hackers Are Behind Widespread Espionage Attacks

A new long-running espionage campaign targeting new geographies has been attributed to a Chinese state-backed advanced persistent threat (APT) group known for singling out Japanese entities, suggesting a "widening" of the threat actor's targeting.

Cicada, also known as APT10, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team, has been linked to the widespread intrusions, which began around the middle of 2021 and continued until the beginning of February 2022.

Researchers from the Symantec Threat Hunter Team, part of Broadcom Software, stated that "victims in this Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world."

One senior information developer at the Symantec Threat Hunter Team, Brigid O. Gorman, told The Hacker News that there is a "strong focus on victims in the government and NGO sectors, with some of these organizations working in the areas of religion and education."

In addition to one victim in Japan, most of the organizations targeted by the adversary are based in the United States, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy.

According to Gorman, "government and non-profit organizations appeared to be the main focus in this campaign," but Gorman added that the telecom, legal and pharmaceutical sectors were also targeted.

Researchers from Kaspersky Lab revealed in March 2021 that the group had deployed information-gathering implants against organizations from a variety of industry sectors in Japan as part of an intelligence-gathering operation.

In early February, Stone Panda was linked to a coordinated supply chain attack on Taiwan's financial sector, with the goal of stealing sensitive information from compromised systems.

As part of this new wave of attacks, Symantec has discovered that the perpetrators first gain initial access by exploiting an unpatched vulnerability in Microsoft Exchange Server, which they then use to install their preferred backdoor, SodaMaster.

However, "we are unable to say whether the attackers exploited ProxyShell or ProxyLogon [vulnerabilities]," Gorman said.

The Windows-based remote access trojan SodaMaster has numerous built-in features that allow it to gather data and send it to a command-and-control (C2) server.

Several other tools are employed during the intrusions, including Mimikatz, NBTScan for reconnaissance, WMIExec for remote command execution, and VLC Media Player to launch a custom loader.

That this group is now targeting a wider range of victims is apparent from this campaign, which includes victims from many sectors, Gorman said.

"These organizations, which include religious and educational institutions as well as nonprofits and government agencies, are most likely to be of interest to the espionage group. Aside from recent Cicada activity, the behavior we see on victims' computers suggests that this campaign has espionage as its primary goal."
