Multiple Chinese APTs are attacking European targets, EU cyber agency warns

Several Chinese military hacking groups are targeting European businesses and organizations, the European Union’s cybersecurity agency warned this week.

The EU Agency for Cybersecurity (ENISA) and the Computer Emergency Response Team of the European Union (CERT-EU) said government hacking groups — known as advanced persistent threats (APT) — have been seen “recently conducting malicious cyber activities against business and governments in the Union.”

The groups include APT27, APT30, APT31, Ke3chang, GALLIUM and Mustang Panda — all of which have previously been tied to various arms of China’s People’s Liberation Army or government.

“Recent operations pursued by these actors focused mainly on information theft, primarily via establishing persistent footholds within the network infrastructure of organizations of strategic relevance,” the agencies said.

“These threat actors present important and ongoing threats to the European Union.”

The agencies attributed a range of activities to each group, including reconnaissance, highly targeted spearphishing activity, phishing via legitimate cloud storage platforms, and more. Phishing lures included emails about Russia’s invasion of Ukraine, or subject lines purportedly related to EU business.

The warnings came two days after Microsoft publicly attributed several attacks on diplomatic targets in South America to hacking groups based in China. 

APT27

The report broke down the tactics, attacks and warnings related to each of the groups listed. APT27 has previously been accused of spying on five major telecommunication providers from Southeast Asia, Israeli organizations, the legislature of a U.S. state, a government in the Middle East, a multinational electronics manufacturer and a hospital in Southeast Asia. 

ENISA said the group — which is sometimes known as Emissary Panda, Iron Tiger or Bronze Union — has been observed targeting a broad range of organizations across Europe, North and South America, Africa, the Middle East, and the Asia-Pacific region.

“The group has been primarily observed conducting watering hole and spear-phishing attacks as its key means of gaining initial footholds within target networks,” the researchers said, adding that since 2020, APT27 operators have also been observed engaging in ransomware-based cybercriminal activities.

“APT27 is also known for its high degree of operational sophistication and frequently alters its attack strategies. In order to obfuscate its activities, evade detection and maintain long-term network persistence, APT27 deploys fileless malware and pivots within the target networks.”

In early 2022, German intelligence services published a warning to local organizations about operations conducted by APT27, and Belgian authorities issued a statement about espionage campaigns targeting the country’s Interior and Defence Ministries.

APT27 has been seen exploiting Log4j, Microsoft Exchange vulnerabilities known as “ProxyLogon” and bugs in tools from software provider Zoho. 

APT31

APT31 – also known to researchers by names like Judgment Panda, Zirconium and Bronze Vinewood – has been conducting hacks since at least 2010 but has become harder to track in recent years due to improved tactics, ENISA said. 

France’s national cybersecurity agency warned in 2021 that the group had created an “anonymizing proxy” which allowed them to route attack traffic through a global network of hacked routers. 

The group has been implicated in attacks on Norway’s government, the parliament of Finland and several French organizations. 

GALLIUM

The GALLIUM hacking group has focused much of its activity on hacking telecommunications companies, financial institutions, and government entities, according to ENISA. 

They have been operating since 2012 and can target Windows as well as Linux systems. 

The group was involved in the hack of Belgium’s government alongside APT27 and APT31.

“The group has been expanding its operations, beyond its original telecommunications sector, to government and finance,” ENISA said. 

Ke3chang

Ke3chang is a group ENISA said has been targeting the energy, government and military sectors since at least 2010.

Known by researchers as Vixen Panda, Nickel or APT15, ENISA said their preferred method of initial access was through phishing emails via compromised or spoofed email addresses. In recent years the group has pivoted to exploiting vulnerabilities in public-facing software, they said. 

Both Microsoft and CERT-EU have spotlighted campaigns targeting organizations in Europe and Latin America over the last two years. Microsoft ended up obtaining a court warrant in 2021 that allowed it to seize 42 domains used to target organizations in the U.S. and 28 other countries.

Mustang Panda 

Mustang Panda has become one of the most notorious hacking groups operating out of China due to its widespread attacks on government bodies, nonprofits, religious entities, and other non-governmental organizations in the EU, U.S., Germany, Mongolia, Myanmar, Pakistan and Vietnam. 

Called RedDelta or Bronze President by some researchers, the group has been conducting attacks since 2014. 

They have previously been accused of using the Russian invasion of Ukraine and COVID-19 as phishing lures to spread malware. Their victims include several telecommunications companies, prime ministers across Asia, Myanmar’s president, Indonesia’s intelligence agency and more.

“Mustang Panda uses both proprietary and publicly available hacking tools. Mustang Panda uses several different initial access methods, including (primarily) spear-phishing with malicious attachments or links, watering hole attacks, and infected USB drives,” ENISA said, adding that CERT-EU saw an uptick in attacks from the group last year. 

“In 2022, Mustang Panda was observed using public documents belonging to EU Institutions, bodies or agencies… as lures in spear-phishing campaigns. The targets were mainly ministries of foreign affairs and the diplomatic sector.”

The group has been previously accused of targeting diplomatic entities – including one involved in refugee and migrant services – as well as officials in Russia. 

A report from Reuters found that Mustang Panda was accused of breaching the IT systems of the African Union – going so far as to monitor the security camera feeds.