Chinese espionage group targets critical infrastructure orgs in Southeast Asia
Image: Matthew Henry, The Record
Catalin Cimpanu August 9, 2021

A cyber-espionage group believed to be operating out of China has targeted at least four critical infrastructure organizations in a Southeast Asian country, security firm Symantec said in a report published last week.

The intrusions took place between November 2020 and March 2021 and targeted:

  • a water company
  • a power company
  • a communications company
  • a defense organization

Symantec said it found evidence that the attackers were interested in information about SCADA systems, the supervisory control and data acquisition equipment typically used to monitor and control production lines and other industrial equipment.

“We did not observe the attackers exfiltrating data from the infected machines. However, the machine the attackers were on did have tools on it that indicate it may have been involved in the design of SCADA systems, indicating this is something the attacker may have been interested in,” the security firm said last week.

Group abused LOLbins for attacks

Researchers said they were not able to pinpoint the attackers' entry point into the hacked organizations, but said that once inside, the group hid its operations behind legitimate or dual-use tools, a tactic known as living off the land (the binaries involved are often called LOLbins). Because administrators run the same tools, their presence alone does not stand out in logs, and the activity has to be judged by how the tools are used rather than by the fact that they were used. Abused tools included the likes of:

  • Windows Management Instrumentation (WMI), the built-in Windows management framework, which also supports remote command execution
  • ProcDump, a Sysinternals debugging utility that can dump process memory, including that of LSASS, where Windows holds credentials
  • PsExec, the Sysinternals remote-execution tool
  • PAExec, an open-source PsExec clone
  • Mimikatz, a widely available credential-dumping tool

In addition, the group used a legitimate copy of the free multimedia player PotPlayer Mini to side-load malicious DLLs on a compromised computer, including backdoors, keyloggers, and traffic-proxying tools. Because the player itself is a benign executable, the loading process looks ordinary until the DLL it pulls in is inspected.
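The two techniques above, dual-use tool abuse and DLL side-loading through a benign executable, are easier to reason about with concrete telemetry. The following Python pass is an added illustration, not code from the original article or from Symantec's report: it runs a small set of detection rules over constructed, Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. The hostnames, paths, command lines and the renamed Mimikatz binary (`mk.exe`) are made up for the example; the rules encode the generally known signatures of the tools named in the article (ProcDump targeting lsass, the PSEXESVC and PAExec service binaries, WMIC `process call create`, Mimikatz module syntax) and a side-loading heuristic modelled on the PotPlayer Mini case.

```python
"""Toy detection pass over constructed Sysmon-style events.

Added example, not code from Symantec or The Record. Event shapes mimic
Sysmon Event ID 1 (process creation) and Event ID 7 (image load) flattened
into dicts; every host, path and command line below is invented.
"""
import re
from dataclasses import dataclass

# --- constructed sample telemetry (not real data) ---------------------------
EVENTS = [
    # Event ID 1: process creation
    {"id": 1, "host": "eng-ws-07", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.0.5.21" process call create "cmd.exe /c whoami > c:\temp\o.txt"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "host": "eng-ws-07", "image": r"C:\Users\Public\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe c:\temp\ls.dmp",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "host": "srv-fs-02", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"id": 1, "host": "srv-fs-02", "image": r"C:\Windows\PAExec-2212-ENG-WS-07.exe",
     "cmdline": r"C:\Windows\PAExec-2212-ENG-WS-07.exe -service",
     "parent": r"C:\Windows\System32\services.exe"},
    # Renamed Mimikatz: the file name is useless, the module syntax is not.
    {"id": 1, "host": "eng-ws-07", "image": r"C:\Users\Public\mk.exe",
     "cmdline": r'mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "host": "eng-ws-07", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe report.txt", "parent": r"C:\Windows\explorer.exe"},
    # Event ID 7: image (DLL) loaded; "signed" is the Sysmon Signed field.
    {"id": 7, "host": "eng-ws-07", "image": r"C:\ProgramData\pot\PotPlayerMini.exe",
     "loaded": r"C:\ProgramData\pot\PotPlayer.dll", "signed": False},
    {"id": 7, "host": "eng-ws-07", "image": r"C:\ProgramData\pot\PotPlayerMini.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]


@dataclass
class Alert:
    host: str
    rule: str
    evidence: str


# (rule name, event field to inspect, pattern). Command-line rules match on
# how the tool is invoked rather than on the image name, so renamed binaries
# are still caught; the service rules match the well-known service images.
PROCESS_RULES = [
    ("wmi_remote_exec", "cmdline", re.compile(r"wmic\b.*\bprocess\s+call\s+create", re.I)),
    ("procdump_lsass", "cmdline", re.compile(r"procdump(64)?\b.*\blsass", re.I)),
    ("psexec_service", "image", re.compile(r"\\PSEXESVC\.exe$", re.I)),
    ("paexec_service", "image", re.compile(r"\\PAExec-\d+-[^\\]+\.exe$", re.I)),
    ("mimikatz_modules", "cmdline", re.compile(r"(sekurlsa|lsadump|privilege)::", re.I)),
]

# Directories where an unsigned DLL next to its loader is still plausible.
TRUSTED_DIRS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")


def in_trusted_dir(directory):
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS)


def sideload_suspect(ev):
    """Event ID 7 heuristic: an unsigned DLL loaded from the same directory
    as the executable that loaded it, outside the standard install paths.
    This is the PotPlayer Mini pattern: a benign player binary dropped into a
    writable folder beside an attacker-supplied DLL that it loads by name."""
    if ev["id"] != 7 or ev["signed"]:
        return False
    exe_dir = ev["image"].rsplit("\\", 1)[0].lower()
    dll_dir = ev["loaded"].rsplit("\\", 1)[0].lower()
    return exe_dir == dll_dir and not in_trusted_dir(exe_dir)


def detect(events):
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            for name, field, rx in PROCESS_RULES:
                if rx.search(ev[field]):
                    alerts.append(Alert(ev["host"], name, ev[field]))
        elif sideload_suspect(ev):
            alerts.append(Alert(ev["host"], "dll_sideload_unsigned", ev["loaded"]))
    return alerts


def hosts_with_chain(alerts):
    """Hosts where more than one distinct rule fired. Any single tool here is
    routine administration; several of them on one host in sequence (remote
    exec, then an LSASS dump, then credential parsing) is the pivot worth
    investigating."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return {h: sorted(rules) for h, rules in by_host.items() if len(rules) > 1}


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"[{a.host}] {a.rule}: {a.evidence}")
    print("hosts with multiple rule hits:", hosts_with_chain(found))
```

On the constructed input the pass raises six alerts and flags both hosts, while the ordinary notepad launch and the signed system DLL load pass through silently. The side-loading rule deliberately keys on the relationship between loader and DLL (same non-standard directory, unsigned) rather than on PotPlayer's name, since any benign executable with a predictable DLL search order would serve the attacker equally well.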

The use of generic, legitimate tools limited how much information researchers were able to gather about the group.

Symantec said it could only attribute the intrusions to an espionage group based in China and found no further clues linking them to a previously known group.

The security firm didn’t name the country where the hacked targets were located.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.