Chinese-language threat group targeted a dozen South Korean institutions

A Chinese-language threat group targeted a dozen South Korean research and academic institutions with data exfiltration attacks in late January, according to a new report.

Researchers for Recorded Future’s Insikt Group said threat actors affiliated with the group appear to have since launched a round of new cyberattacks against organizations in Japan and Taiwan. The Record is an editorially independent arm of Recorded Future.

Di Wu, senior threat intelligence analyst at Insikt Group, said the group is known as Xiaoqiying, Genesis Day or Teng Snake.

The attacks on South Korean institutions started on January 25 and included the Korean Research Institute for Construction Policy, the Korean Archaeological Society, the Woorimal Academic Society, the Korean Academy of Basic Medicine & Health Science, and more.

“Based on the analysis of the group’s Telegram channels, postings on special-access forums, and its presence on a clearnet website, we conclude that this is a hacktivist group primarily motivated by patriotism toward China, and it will likely conduct similar cyberattacks against Western and NATO targets, as well as any country or region deemed hostile to China,” Wu said.

“Xiaoqiying/Genesis Day is an ideologically driven hacktivist group that is not chiefly concerned with financial gains. The most recent postings by its affiliated threat actors on special-access forums shows it has possibly compromised new targets in Japan and Taiwan and signaled a new round of cyberattacks against these countries.”

The group ran two Telegram channels – one for posting announcements and another with several other hackers and followers but both were shut down in February when news outlets began to cover the cyberattacks in South Korea. Before it was shuttered, the group would recruit new members through Telegram.

At one point on one of the Telegram channels, which had more than 700 subscribers before it was shut down, Xiaoqiying claimed to have stolen a total of 54 gigabytes of data from various organizations.

Insikt researchers said the channel contained dozens of unverified claims of cyberattacks throughout last year affecting organizations in the United States like the FBI, as well as Ukraine, South Korea’s Ministry of Health and Defense Ministry, Taiwan, and Japan.

They also claimed to have hacked into Samsung and accessed the company’s internal intranet system.

Partnerships touted in the group included alleged collaborations with the cybercriminal group Lapsus$, the now-defunct Hive ransomware group, Pakistani hacking groups, Russian government hackers and more.

The group shared some of the data stolen during attacks on BreachForums, the cybercriminal leak site that was shut down last month in a FBI-led operation, while other stolen data was posted to Ramp Forum, which the actors were banned from after they were accused of hiding malware in download links.

Chat logs examined by researchers found that the group typically exploited internet-facing devices by using popular penetration-testing tools and proof-of-concept code (POC) for exploits.

No ties between the group and the Chinese government were ever established through an examination of the Telegram posts but the fact the group never sought to profit from the access it gained or the data it stole suggests it is ideologically motivated.

On top of information stealing attacks, the group also defaced websites by putting up generic error pages, or warning that the “Korean Internet” had been “invaded.”

Insikt Group researchers managed to obtain leaked data, tools, malware source codes and samples, files related to U.S. government entities, credit card data, and more from the Telegram channel.

Even after the Telegram groups were disbanded, actors connected to the group continued to market their activities, operating a clearnet website where it posts announcements.

One hacker, known as “uetus” on Ramp Forum, claimed to have compromised the National Taiwan University on April 5 and leaked 25 GB of data.

The screenshots provided by the hacker did not make it clear how deep into the school’s systems they reached.

Recorded Future researchers traced the domain name — which was created on January 5— back to a Cloudflare IP address associated with APT36, a group suspected of being based in Pakistan.

China-based hacking groups have long targeted organizations in South Korea for both financial and geopolitical reasons. Chinese criminal gangs spent years spreading Android banking trojans inside South Korea.

In September, researchers from Symantec discovered a campaign by hackers connected to the Chinese military targeting several large corporations located in South Korea.