A Chinese hacking group simultaneously used six different backdoors against more than a dozen industrial plants, research institutes, government agencies and ministries in Belarus, Russia, Ukraine and Afghanistan, researchers with Kaspersky said Monday.
Through carefully crafted phishing emails — including some that referenced information relevant to the victim organization that was not yet public — the group managed to “penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of systems used to manage security solutions,” the researchers said.
The vulnerability exploited in the attack, first discovered in January 2022, allowed the attackers to execute code without any additional user activity, the researchers said. In one case, they said, the attackers gained control over an unnamed cybersecurity solutions control center and ran a “golden ticket” attack, which gave them widespread access and persistence in the network.
A Chinese hacking group tracked as TA428 by multiple threat intelligence research groups is the likely culprit, the Kaspersky researchers said Monday, based on various technical indicators and overlaps with previous operations, including one that targeted a Russia-based defense contractor with ties to the Russian Navy, according to Cybereason.
“Spear phishing remains one of the most relevant threats to industrial enterprises and public institutions,” the researchers said. “The attackers used primarily known backdoor malware, as well as standard techniques for lateral movement and antivirus solution evasion. At the same time, they were able to penetrate dozens of enterprises and even take control of the entire IT infrastructure, and IT security solutions of some of the organizations attacked.”
Chinese-aligned hackers associated with multiple groups and campaigns have been busy targeting Russian entities in the wake of the Feb. 24 Russian invasion of Ukraine, primarily seeking intelligence on Russian government thinking or planning, researchers have said.
Campaigns have also included information operations targeting both domestic and international audiences that have boosted Russian disinformation narratives, a reflection of the complicated and varying tasks of the plethora of Chinese-aligned hacking groups.