Shipping companies, medical laboratories in Asia targeted in espionage campaign

Several shipping companies and medical laboratories in an unspecified Asian country have been targeted in an ongoing espionage campaign that began in October, according to researchers from Symantec.

The hackers behind the campaign — which the researchers named Hydrochasma — have no ties to any group Symantec has researched before. 

The company is not publicly identifying the target nation, Brigid O Gorman, senior intelligence analyst with the Symantec Threat Hunter Team, told The Record.

The researchers do not know where Hydrochasma is based, but O Gorman said the group has specifically gone after companies related to COVID-19 treatments and vaccines. 

“The actors did not use any custom malware, relying exclusively and extensively on publicly available and living-off-the-land tools,” she said. Using those tactics “can help make an attack stealthier, while also making attribution more difficult.”

In its report, Symantec explained that the most likely motivation behind the campaign is intelligence gathering and potentially data exfiltration. 

The researchers believe the initial infection began with a phishing email: they found lure documents, written in a victim organization’s native language, concerning shipping information, as well as an engineering resume.

Starting from the machine on which those malicious files were opened, the hackers deployed several tools that let them move through the victim’s network and expose internal servers so that they could be taken over.

Researchers found dozens of tools on the network that allowed for scanning, data exfiltration, remote connections and more.

“The tools deployed by Hydrochasma indicate a desire to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks,” the researchers said. 

“While Symantec researchers didn’t observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data,” the researchers said. “The sectors targeted also point towards the motivation behind this attack being intelligence gathering.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.