Suspected China-based hackers target Middle Eastern telecom, Asian government

Hackers targeted a Middle Eastern telecom organization and an Asian government in a recent spying operation, according to a report published Thursday.

The hacking group Budworm, also known as Emissary Panda and APT27, is believed to be based in China. Last year, it attacked a U.S. state legislature using a Log4j vulnerability.

In its most recent campaign in August, Budworm used a previously unseen version of its custom backdoor called SysUpdate to spy on the unnamed telecom company Asian government body, as reported by Symantec researchers.

SysUpdate is “a feature-rich” backdoor that can delete services, take screenshots, rename and download files, and execute commands on targeted devices. Hackers have been using SysUpdate since at least 2020, and have improved its capabilities since then.

Besides SysUpdate, the group also used publicly available tools during the August attacks, including PasswordDumperm for extracting passwords, Curl for data transfers, and SecretsDump for retrieving secrets from remote computers.

The group's activity may have been stopped early, as they only managed to steal credentials, Symantec said.

Budworm has been active since at least 2013, primarily focusing on espionage campaigns, according to Symantec. The group is known for targeting high-value victims in Southeast Asia, the Middle East, and the U.S., with a focus on organizations in government, technology, and defense sectors.

Symantec suggests that Budworm's repeated use of known malware such as SysUpdate indicates that the hackers aren't worried about being discovered.

While researchers didn't directly attribute this campaign to China, Dick O’Brien, Symantec's principal intelligence analyst, previously told Recorded Future News that there's a "general consensus" that APT27 hackers are based in China.