‘GhostEmperor’ returns: Mysterious Chinese hacking group spotted for first time in two years

An elusive and highly covert Chinese hacking group tracked as GhostEmperor — notorious for its sophisticated supply-chain attacks targeting telecommunications and government entities in Southeast Asia — has been spotted for the first time in more than two years. And according to the researchers, the group has gotten even better at evading detection.

Cybersecurity company Sygnia, in a report published Wednesday, said it discovered GhostEmperor was behind an incident it responded to towards the end of last year when an unidentified client’s network was compromised and used as a launchpad to gain access to another victim’s systems.

It is the first report about the hacking group since GhostEmperor was initially identified by Kaspersky Lab in 2021. Amir Sadon, Sygnia’s director of incident response research, told Recorded Future News the company was unsure why there had been no public reporting on GhostEmperor’s activities in the intervening period.

“I would honestly say we don’t know. Part of the reason we have decided to make this public is that we would like to know what has changed, and what was the reason for this gap — whether it’s a result of a lack of activity or a result of a lack of visibility,” said Sadon, hoping that the intelligence the company was sharing would drive further public reporting.

GhostEmperor is known for deploying a sophisticated hacking tool on compromised networks known as a kernel-level rootkit, something typically developed by state-sponsored hacking groups due to the resources needed to create and operate them.

The rootkit not only provides GhostEmperor with access to the most privileged part of the computer's operating system, the kernel, but in doing so also allows them to avoid being caught by endpoint detection and response (EDR) security software and other defenses.

“Once you run a rootkit, it is much easier for you to evade the common EDR tools and anti-viruses because you’re actually working […] beneath the visibility that they have,” explained Sadon, who previously headed the Israel National Cyber Directorate's threat intelligence group.

Sygnia reported that the rootkit tool itself, called Demodex by Kaspersky, was largely an updated variant of what had previously been described. But what was of “additional interest” said Sedon was the very different infection chain — the multiple stages of the cyberattack — which shows GhostEmperor using “a more sophisticated set of tools and more stealthy methods to upload Demodex.”

Supply-chain attacks

In their 2021 report, Kaspersky researchers described GhostEmperor’s hackers as “highly skilled and accomplished in their craft.” Along with “multiple high-profile entities targeted in Malaysia, Thailand, Vietnam and Indonesia” Kaspersky observed “additional victims of a similar nature from countries such as Egypt, Ethiopia and Afghanistan.”

“Even though the latter cluster of victims belongs to a different region from the one in which we saw GhostEmperor to be highly active, we noticed that some of the organizations within it have strong ties with countries in South East Asia. This means that the attackers might have leveraged those infections to spy on the activities in countries that are of geopolitical interest to them,” stated the Kaspersky report.

Sadon said the supply-chain aspects of the attack Sygnia responded to was worth emphasizing: “One of the main activities that the threat actor executed once getting a foothold in [the client’s] network was actually to penetrate to other networks, so the business partners of this specific client.”

Azeem Aleem, Sygnia's managing director, told Recorded Future News that the group had matured since Kaspersky’s initial report in terms of the “pretty sophisticated” way the rootkit evaded EDR protections, and stressed that the supply-chain aspects of the attack on Syngia’s client was a significant matter of concern.

“We are seeing, again and again — especially in this scenario, when we went into the customer’s domain — that people are not aware of their environment,” said Aleem.

“There’s no 100% security, everybody will be breached, but how do you minimize the breach exposure time, the time the adversary is allowed in the environment, the time for you to find out or expedite? We don’t want to create a sense of fear or uncertainty, but a sense of anxiety should be there — but the anxiety should be mitigated by asking what are the preventative strategies [your organization needs to think through]?”