Researchers uncover ‘SlowTempest’ espionage campaign within China

People and organizations in China are being targeted as part of a “highly coordinated” espionage operation, according to new research from Securonix.

Tim Peck, senior threat researcher at Securonix, told Recorded Future News that the goal of the campaign — which they named SlowTempest — appears to be espionage, persistent access and potential sabotage. But the access the hackers gained could have allowed them to launch ransomware attacks or exfiltrate data, Peck explained.  

“The meticulous collection of data and credentials, combined with efforts to maintain long-term control over the environment, indicates that the attackers were not only interested in gaining access but also in sustaining that access to achieve any broader strategic objectives, potentially aligned with state-sponsored activities,” Peck said.

Peck and Securonix were unable to say where the attackers are based or who was behind the effort. But the sophistication of the malware as well as the scanning and exfiltration tools used signaled that “the end goal of the attackers was to infiltrate government or high-profile business sectors.”

Securonix declined to share more information about the targets of the campaign but said it was aimed squarely at people based in China. The researchers made this assessment based on the fact that the phishing lures were written in Chinese and the infrastructure used by the hackers was hosted in China by Shenzhen Tencent Computer Systems. 

In its report on the campaign, Securonix added that telemetry data based on samples of the malware show the files originated from within China, “further reinforcing the likelihood that China is indeed the primary target of this attack.”

Peck added that several other factors led them to “strongly suggest that the individuals involved had a deep understanding of the Chinese language, infrastructure, and potential victims.”

But he noted that it is possible the attackers could be from other Chinese-speaking regions like Taiwan, Singapore or Hong Kong. 

'guoyansong'

The research started with one incident, and based on that  evidence, the researchers  were able to uncover several other attacks — indicating that there are likely more victims in the wild. 

Evidence suggests the campaign is ongoing, Peck said. 

The effort did not appear to resemble any previously reported attacks, and the “unique combination of tools and techniques suggests that this is a distinct operation rather than a continuation of a known campaign,” Peck explained. 

The Securonix report says the hackers managed to move laterally within a network, establish further access and remain undetected within the system for more than two weeks. 

The attacks started with malicious .zip files sent in phishing emails that hid malware in a way that could circumvent antivirus software. 

The files were often named in relation to personnel issues and at least one carried the name “List of people who violated the remote control software regulations.” 

“Given the language used in the lure files, it’s likely that specific Chinese related business or government sectors could be targeted as they would both employ individuals who follow ‘remote control software regulations,’” the researchers said. 

Once that malicious file is opened, the hackers are inside the system, allowing them to create other powerful backdoors that can be overlooked by security systems. 

From there the hackers scanned the system for data and extracted credentials stored in browsers. 

Operational failures on the part of the hackers led the researchers to a specific tool used that contained a username “guoyansong” — which they believe is short for Guoyan Song, a valid first and last name in Chinese. 

“Although there was no solid evidence linking this attack to any known [advanced persistent threat]  groups, it is likely orchestrated by a seasoned threat actor who had experience using advanced exploitation frameworks such as CobaltStrike and a wide range of other post-exploitation tools,” they said. 

“Additionally, the careful steps taken by the threat actor to ensure persistence through the creation of scheduled tasks and elevation of user privileges highlight the attackers intent to maintain long-term control over the targeted systems, which in this case lasted over two weeks.”