Chinese Espionage Campaign Targets Eastern European and Afghanistan
Industries: Government, Military, Research | Level: Tactical | Source: Kaspersky
Kaspersky ICS CERT reported a series of targeted cyberattacks, identified in January 2022, against research, government, and military organizations in Eastern European countries and Afghanistan, conducted for cyber espionage. Initial access was gained through spearphishing; the attackers crafted messages containing details that are often not publicly available, indicating that they had also operated against organizations the targets trusted. The malicious documents distributed exploit the Equation Editor vulnerability CVE-2017-11882 to drop malware onto the victim's host. The malware includes tools used by the Chinese APT group TA428, such as the PortDoor backdoor, nccTrojan, and Logtu. Activity following installation includes reconnaissance to gather system information, actions to establish persistence, and lateral movement. Credentials were obtained from NTDS.dit, and files of interest were collected using 7zip. Based on the available evidence, the activity is attributed to a Chinese threat group, most likely TA428: many of that group's tools were deployed in the campaign, the C2 infrastructure was hosted in China, and the timing of operations matched working hours in China's time zone.
- TA428 Espionage Campaign - Infection Chain
Anvilogic Use Cases:
- Wscript/Cscript Execution
- Credentials in Registry
- Native Archive Commands
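As an added example (not from the Kaspersky report and not Anvilogic's own detection content), the following Python evaluates an illustrative reading of the three use cases above against constructed process-creation events; the rule patterns and sample events are my assumptions.

```python
import re

# Constructed sample process-creation events (parent_image, image, command_line);
# these are not from the Kaspersky report.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "C:\\Windows\\System32\\wscript.exe",
     "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\update.vbs"),
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\reg.exe",
     "reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"),
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Program Files\\7-Zip\\7z.exe",
     "7z.exe a -p -mhe=on C:\\Windows\\Temp\\out.7z C:\\Users\\u\\Documents\\*.docx"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe notes.txt"),
]

# Use-case name -> predicate over (parent, image, cmdline). These patterns are an
# illustrative interpretation of the use-case names, not Anvilogic's actual logic.
RULES = {
    # Script host launched by an Office application (document-borne execution).
    "Wscript/Cscript Execution": lambda p, i, c: (
        re.search(r"\\[wc]script\.exe$", i, re.I) is not None
        and re.search(r"\\(winword|excel|powerpnt)\.exe$", p, re.I) is not None),
    # reg.exe exporting credential-bearing hives.
    "Credentials in Registry": lambda p, i, c: (
        re.search(r"\\reg\.exe$", i, re.I) is not None
        and re.search(r"\bsave\b.*\bhklm\\(sam|security|system)\b", c, re.I) is not None),
    # 7-Zip "add to archive" invocations, as used for staging collected files.
    "Native Archive Commands": lambda p, i, c: (
        re.search(r"\\7z(a|g)?\.exe$", i, re.I) is not None
        and re.search(r"^\S+\s+a\b", c, re.I) is not None),
}

def evaluate(events):
    """Return (use_case, command_line) pairs for every event matching a rule."""
    hits = []
    for parent, image, cmdline in events:
        for name, rule in RULES.items():
            if rule(parent, image, cmdline):
                hits.append((name, cmdline))
    return hits

if __name__ == "__main__":
    for name, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Each rule is keyed on both the image and its context (parent or arguments) so that benign administrative use of the same binaries does not fire on its own.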