Chinese Hackers Targeting Russian Federal Agencies
Chinese state-sponsored hackers launched a massive hacking
campaign against Russian federal authorities last year using a virus called
Webdav-O, says The Hacker News. Group-IB revealed that the virus is very
similar to the BlueTraveller Trojan used in espionage campaigns and is linked
to a Chinese cybercriminal gang called TaskMasters.
The report is a continuation of previous public disclosures
with Solar JSOC and SentinelOne providing additional details about Mail-O and
pointing to the malware PhantomNet employed by the threat actor TA428.
According to Solar JSOC, the hackers' ultimate purpose was to cripple the IT
infrastructure and obtain secret information, including confidential documents
stored in locked sectors and exchanged among government executives.
The hackers' chosen targets are mostly government entities,
military contractors, and academic institutions. In this particular case,
threat actors used undetectable malware, genuine utilities, and a profound
understanding of the workings of information protection tools in government
agencies to maintain a high level of secrecy.
According to Dimitry Kupin and Anastasia Tikhonova from
Group-IB, "Chinese APTs are one of the most numerous and aggressive hacker
communities." They go on to say that the primary purpose of Chinese
hackers is to gather information while remaining undetected for as long as
possible.
The similarities between the two in a nutshell
Group-IB based its findings on a sample of Webdav-O
submitted to VirusTotal in November 2019. The researchers found it overlaps
with a Solar JSOC malware sample from this month, the latter being a newer,
enhanced version with additional features. Based on the similarities in
the source code and the way the commands are executed, the Webdav-O malware is
related to the BlueTraveller Trojan.
Moreover, a look at TA428's toolset reveals several
parallels to another potential malware strain called Albaniiutas that was
associated with the threat actor in December 2020. This suggests that
Albaniiutas may be another updated version of BlueTraveller and that Webdav-O
may be a slightly modified version of BlueTraveller.
It is still unclear whether TaskMasters and TA428 both
attacked Russian federal agencies in 2020 or whether they are members of a
larger state-sponsored hacking group.