China-linked group targeted government agencies, defense firms in Eastern Europe

More than a dozen organizations in Eastern Europe and Afghanistan, including industrial plants, research institutes and government agencies, were targeted by a suspected Chinese-speaking hacking group earlier this year, according to new research.

The attacks, which were first observed in January and hit organizations in Russia, Belarus and Ukraine, have characteristics that led researchers at Kaspersky to attribute them to the TA428 advanced persistent threat (APT) group with “a high degree of confidence,” the Moscow-based cybersecurity firm said in a report published Monday. 

“The attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of systems used to manage security solutions,” the researchers wrote.

TA428 is a China-linked cyberespionage group that has been tracked by cybersecurity researchers since 2019, but it may have been active years earlier. The group targets organizations that are of high strategic value to Beijing, including research institutes, government agencies and IT firms. Previous attacks from the group have focused on Russia and East Asia, using malicious rich text format (RTF) documents to deliver custom malware.

In the attacks Kaspersky researchers observed, victims were targeted with carefully crafted phishing emails that included non-public information that only someone working at the organization would know of. “This could indicate that the attackers did preparatory work in advance (they may have obtained the information in earlier attacks on the same organization or its employees or on other organizations or individuals associated with the victim organization),” researchers said.

Microsoft Word documents attached to the phishing emails contained malicious code that made use of the CVE-2017-11882 vulnerability, which allowed the hackers to deploy PortDoor malware on the infected devices. PortDoor was observed last year in an attack on a Russian defense contractor involved in designing nuclear submarines, which was believed to be the work of a China-linked APT group — possibly TA428.

The attackers set up six different backdoors to control devices and collect information — likely as a failsafe if security tools detected and removed the other backdoors. The malware and backdoors used in the attack have previously been linked to TA428, except for one new backdoor called CotSam, researchers said.

Once attackers got a foothold into a targeted organization, they moved laterally to spread malware onto other devices connected to the network. The attackers then scanned the organization for sensitive data, collected it, and exfiltrated it to servers based in different countries.

“In most cases, [those] stage one servers perform only one function – redirecting the data received to a stage two server that is located in China,” the researchers said.

Kaspersky warned public institutions and industrial firms to take “extensive measures” to repel attacks from the group, which has had a successful track record with cyberespionage. “The attack series that we have discovered is not the first in the campaign and, given that the attackers achieve a certain degree of success, we believe it is highly likely that they will continue to conduct similar attacks in the future,” researchers said.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Adam Janofsky

Adam Janofsky

is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.