Image: David Arrowsmith via Unsplash/Photomosh
Image: David Arrowsmith via Unsplash/Photomosh

Suspected China-based hackers target Middle Eastern telecom, Asian government

Hackers targeted a Middle Eastern telecom organization and an Asian government in a recent spying operation, according to a report published Thursday.

The hacking group Budworm, also known as Emissary Panda and APT27, is believed to be based in China. Last year, it attacked a U.S. state legislature using a Log4j vulnerability.

In its most recent campaign in August, Budworm used a previously unseen version of its custom backdoor called SysUpdate to spy on the unnamed telecom company Asian government body, as reported by Symantec researchers.

SysUpdate is “a feature-rich” backdoor that can delete services, take screenshots, rename and download files, and execute commands on targeted devices. Hackers have been using SysUpdate since at least 2020, and have improved its capabilities since then.

Besides SysUpdate, the group also used publicly available tools during the August attacks, including PasswordDumperm for extracting passwords, Curl for data transfers, and SecretsDump for retrieving secrets from remote computers.

The group's activity may have been stopped early, as they only managed to steal credentials, Symantec said.

Budworm has been active since at least 2013, primarily focusing on espionage campaigns, according to Symantec. The group is known for targeting high-value victims in Southeast Asia, the Middle East, and the U.S., with a focus on organizations in government, technology, and defense sectors.

Symantec suggests that Budworm's repeated use of known malware such as SysUpdate indicates that the hackers aren't worried about being discovered.

While researchers didn't directly attribute this campaign to China, Dick O’Brien, Symantec's principal intelligence analyst, previously told Recorded Future News that there's a "general consensus" that APT27 hackers are based in China.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.