9 Aug 2022 4:37 pm
According to cybersecurity service provider Kaspersky Lab, a Chinese-speaking cyber group is said to have attacked defense contractors and government agencies in Afghanistan, Russia and several Eastern European countries. The attacks were probably aimed at cyber espionage.
In early 2022, a Chinese-speaking cyber group repeatedly attacked state and defense contractors in Russia, as well as in Eastern Europe and Afghanistan. This was reported by the Kaspersky Lab press service to the TASS news agency, citing experts from the cybersecurity company. They suspect that the attacks were aimed at cyber espionage. The press service explained:
“Kaspersky Lab experts recorded a wave of targeted attacks against defense contractors and government agencies in Afghanistan, Russia and several Eastern European countries in early 2022. An investigation into the matter revealed attacks on more than a dozen organizations. The attackers were probably targeting cyberespionage. Experts suspect that the detected attack series could be linked to the activities of the Chinese-speaking cyber group TA428.”
In several cases, the attackers took complete control of the IT infrastructure of the attacked companies. They are said to have relied mainly on new variants of already known malware designed to covertly control infected systems remotely, along with techniques for attacking and evading information security measures.
Cyber group members used phishing emails that contained inside information that was not publicly available at the time the attackers used it. In particular, they used internal project code names as well as the names of employees working with sensitive information. The press service added:
“The phishing emails had Microsoft Word documents attached with malicious code that exploits the CVE-2017-11882 vulnerability. It allows the malware to take control of the infected system without the user taking any additional action. The user doesn’t even need to enable execution of macros (a series of commands and statements grouped as a single command to automatically perform a task in Word files).”
For the attack, the hackers reportedly used the Ladon utility, which allowed them to scan the network, find and exploit vulnerabilities, and steal passwords. In the final phase, experts say, they took over the domain controller and gained full control of the company’s workstations and servers. “Then the hackers searched for files with sensitive data and uploaded them to their servers located in different countries. The same servers were also used to control the malware,” the press service said.
Vyacheslav Kopeitsev, Senior Expert at Kaspersky ICS CERT stated:
“The series of attacks we discovered is not the first part of what appears to be a malicious campaign. Given that the attackers are successful, we suspect that such attacks could be repeated in the future.”
He added that targeted phishing remains one of the top threats facing industrial companies and government agencies. According to Kopeitsev, companies and government organizations need to be on the alert and ready to counter sophisticated targeted threats.