A hacking group that private researchers have linked with Chinese interests has successfully targeted Malaysian government officials in an apparent data-stealing espionage campaign, cybersecurity officials in the Southeast Asian nation said this week.
The Malaysian Computer Emergency Response Team, a government-backed organization, said it had “observed an increase in [the] number of artifacts and victims involving a campaign against Malaysian government officials.”
The hackers have tended to target government-backed projects in an effort to steal reams of data on proposal and shipping information, the Malaysian officials said. To do that, the attackers have exploited a pair of old vulnerabilities, one dating back to 2014, in Microsoft products to compromise their targets.
The advisory did not explicitly name the hacking group responsible. But the data it cited, including private-sector reports, point to a state-sponsored group known as APT40 or Leviathan.
Active since at least 2013, APT40 has conducted hacking operations in countries around the world in support of China’s Belt and Road Initiative, according to cybersecurity company FireEye. Malaysia has made territorial claims in the South China Sea, a region that China has looked to dominate.
The alleged Chinese spying on Malaysian government organizations fits Beijing’s pattern of using cyber-operations to project power in the region. Another China-linked group has repeatedly try to break into Cambodian government networks.
A spokesperson at the Chinese Embassy in Washington, D.C., did not immediately respond to a request for comment.
“While their techniques are not too sophisticated, their persistence makes up for it since all they need is one user to provide the access they are seeking,” Bartholomew told CyberScoop. “They tend to use very short-lived campaigns, which allows them to typically get in, get what they want, and leave before being detected.”
APT40 seems to have leaned on its signature malware for access to targets. Ben Read, senior manager of cyber-espionage analysis at FireEye, said that the malware had shown up in suspected APT40 operations from March 2019 through most of that year.
“While we cannot definitively attribute the activity in the report from Malaysia CERT, it is consistent with what we have seen from APT40,” Read told CyberScoop.
Bartholomew said that APT40 had made changes to that malware, known as DADJOKE, since he published research on the group in October. The group has also changed how it delivers its malicious code in an effort to compromise networks, he said.