Chinese Threat Actor Compromises 70 Organizations in 23+ Countries
- A China-backed hacking group tracked as Earth Krahang targeted more than 116 organizations and breached at least 48 government organizations
- It is believed to be part of Earth Lusca, a penetration team at the Chinese company i-Soon, which is reportedly a state-backed hacking contractor
- The campaign began in early 2022 and has mostly affected organizations in the Americas and Asia
A China-backed threat actor has reportedly targeted more than 116 organizations and breached more than 70 of them across 23+ countries. Among the breached organizations are 48 government bodies, 10 of them foreign affairs ministries.
Other victims include organizations in the following sectors:
- Finance
- Health
- Military
- Manufacturing
- Education
- Telecommunications
Most of the breached organizations are in Asia and the Americas, but a small share of organizations in Europe and Africa also appear on the list.
Researchers from Trend Micro said the campaign began sometime in early 2022 and has focused primarily on government organizations since then.
The group behind the attack has been named Earth Krahang and is said to be part of Earth Lusca, a penetration team in a Chinese company called i-Soon. Trend Micro reached this conclusion based on overlaps in command-and-control (C2) infrastructure, but says more research is needed to firmly establish the connection between the three parties.
How Did the Attack Happen?
The attack techniques were not especially sophisticated. Here is a step-by-step breakdown of how the intrusions were carried out.
- Step 1 - The group used open-source scanners against victims' internet-facing servers to look for exploitable flaws. Among the vulnerabilities it exploited were CVE-2023-32315, a path traversal in the Openfire XMPP server's admin console that bypasses authentication, and CVE-2022-21587, an unauthenticated remote code execution flaw in the Web Applications Desktop Integrator component of Oracle E-Business Suite.
- Step 2 - The group also brute-forced directory names on those servers to uncover exposed files such as password lists and other sensitive documents, and hunted for abandoned domains belonging to the victims.
- Step 3 - Once inside a victim's environment, the group used the compromised organization's own mailboxes to send spear-phishing emails with geopolitical lures, which look legitimate to other government recipients and entice them to click. Each email carried a malicious link or attachment that, once opened, compromised the recipient's account.
- Step 4 - The group also installed VPN servers on breached public-facing hosts, giving it a persistent route into the organizations' internal networks and the ability to move laterally through them.
- Step 5 - Once established, the group deployed tooling such as Cobalt Strike and the RESHELL and XDealer backdoors for command execution and data collection.
Speaking about the attack mechanism, Callie Guenther, senior manager of cyber threat research at Critical Start, said: "The use of open source tools to compromise government entities is notable, but not entirely surprising."
That's because government IT estates are often vast and complex, which makes unpatched vulnerabilities more likely. Security controls are also applied inconsistently across them, so even basic open-source tools can find a way in.
i-Soon's Latest Leak Controversy
In February, an unknown party leaked a trove of internal documents from i-Soon showing that the company supports government-backed hacking operations.
Multiple security experts have reviewed the documents and consider them authentic. Some of the leaked data also matches publicly known details of Chinese state-linked intrusions, which lends the documents further credibility.
So if Earth Krahang really is part of i-Soon's operation, this campaign may be one piece of a much larger state-backed operation.
What Can Organizations Do to Protect Their Systems Better?
Because the attacks were fairly straightforward, Guenther believes that standard security measures should be sufficient for now.
- Organizations need to strengthen email security, keep their systems up to date, and apply patches as soon as they become available.
- Segmenting the network is also recommended, so that a compromise of one part does not give the attacker access to the rest.
- Another important step is continuous monitoring of the network for anomalies. Even something as simple as a sudden surge in traffic or an unfamiliar login attempt should be logged and investigated.
Since spear-phishing emails were a major tool in the campaign, organizations should also train their staff to recognize and report such messages.
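Steps 1 and 2 above (scanning web-facing servers and brute-forcing directory names) leave a distinctive trace in web server logs, and the monitoring advice above amounts to looking for it. The following Python script is an added example, not code from the article, from Trend Micro or from Critical Start: it parses combined-format access log lines, flags a source IP that requests many distinct not-found paths in a short window (the signature of a directory brute force), and flags requests shaped like the public CVE-2023-32315 Openfire path traversal, which reaches the admin console's setup pages through UTF-16 encoded dots (%u002e) under /setup/. The log lines are constructed and use RFC 5737 documentation addresses, and the window and threshold values are assumptions to be tuned against a real baseline.

```python
"""Spot directory brute-forcing and Openfire CVE-2023-32315 probes in web access logs.

Added example: the log lines are synthetic (RFC 5737 addresses) and the
window/threshold defaults are assumptions, not values from the article.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Apache/Nginx "combined" log format is assumed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# CVE-2023-32315: Openfire's admin console setup pages could be reached after
# installation by traversing with UTF-16 encoded dots (%u002e) under /setup/.
OPENFIRE_TRAVERSAL_RE = re.compile(r"/setup/.*%u002e", re.IGNORECASE)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def parse_log(text: str) -> List[dict]:
    parsed = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in parsed if e is not None]


def detect_dir_bruteforce(entries: List[dict], window: timedelta = timedelta(seconds=60),
                          threshold: int = 20) -> Dict[str, int]:
    """Return {ip: peak distinct 404 paths in any window} for IPs at or above threshold.

    A scanner walking a wordlist produces a burst of distinct not-found paths from
    one source; a sliding window over each IP's 404s finds that burst.
    """
    per_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            per_ip[e["ip"]].append((e["ts"], e["path"]))
    flagged: Dict[str, int] = {}
    for ip, hits in per_ip.items():
        hits.sort()
        in_window: Counter = Counter()
        left = 0
        peak = 0
        for ts, path in hits:
            in_window[path] += 1
            while ts - hits[left][0] > window:   # evict requests older than the window
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def detect_openfire_traversal(entries: List[dict]) -> List[Tuple[str, str]]:
    """Return (ip, path) for every request matching the CVE-2023-32315 traversal shape."""
    return [(e["ip"], e["path"]) for e in entries if OPENFIRE_TRAVERSAL_RE.search(e["path"])]


# --- constructed sample log (not real victim data) ---------------------------
WORDLIST = ["admin", "backup", "config", ".git/HEAD", ".env", "wp-login.php", "phpmyadmin",
            "old", "test", "dev", "uploads", "api", "console", "manager", "login", "db",
            "dump.sql", "web.config", "passwords.txt", "robots.txt", "server-status",
            "cgi-bin", "secret", "tmp", "archive"]


def _line(ip: str, second: int, path: str, status: int) -> str:
    return (f'{ip} - - [12/Mar/2024:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


SAMPLE_LOG = "\n".join(
    # one scanner walking the wordlist, one hit per second, everything but robots.txt missing
    [_line("203.0.113.7", i, f"/{w}", 200 if w == "robots.txt" else 404) for i, w in enumerate(WORDLIST)]
    # an ordinary visitor
    + [_line("198.51.100.4", s, p, 200) for s, p in ((5, "/"), (12, "/index.html"), (40, "/about"))]
    # one Openfire admin-console traversal probe
    + [_line("192.0.2.9", 33, "/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp", 200)]
)

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("directory brute force:", detect_dir_bruteforce(entries))
    print("Openfire traversal probes:", detect_openfire_traversal(entries))
```

Run as-is it reports the scanner IP with 24 distinct not-found paths and the single Openfire probe. In production the window and threshold should come from a measured baseline of normal 404 rates, and the traversal check is most useful on logs from Openfire's admin console port (9090/9091 by default) rather than on every web server.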
The post Chinese Threat Actor Compromises 70 Organizations in 23+ Countries appeared first on The Tech Report.