A cyberespionage campaign that spread through Myanmar last fall at first looked like many others of the genre: a handpicked set of targets affected by highly tailored break-in methods.
After all, scattershot attacks historically are not only less likely to hit valuable victims, but they also carry a greater chance of being caught and halted before the hackers gather the information they want.
Then something changed, according to the security firm Kaspersky. What began as a small campaign — ultimately affecting approximately 100 Myanmar victims that Kaspersky identified — leapfrogged to another country, the Philippines, where the victim count exploded to 1,400 and included some government entities.
Kaspersky researchers on Wednesday detailed the extent of the campaign, and who they believe is behind it. But they remain unsure why it evolved the way it did, even if they have some informed guesses.
The investigators attributed the infections to a group dubbed LuminousMoth, which Kaspersky tied with medium to high confidence to a Chinese state-sponsored hacking group called HoneyMyte, or Mustang Panda. That’s a group that’s allegedly collected intelligence in areas as far-flung as a U.S. think tank and the Vatican, but seems primarily to be interested in Asia and Africa.
It’s not clear if the extensive spread of the LuminousMoth campaign is incidental, or by design. One of the ways the malware spreads is by USB drives, still a common espionage technique.
“It is likely that the high rate of infections is due to the nature of the LuminousMoth attack and its spreading mechanism, as the malware propagates by copying itself to removable drives connected to the system,” the researchers wrote. “Nevertheless, the noticeable disparity between the extent of this activity in both countries might hint to an additional and unknown infection vector being used solely in the Philippines.”
Possibilities include watering hole or supply chain attacks. The latest campaign could also hint at renewed efforts from Beijing to obscure the source of attacks in a way that would prevent investigators from tying them to past work, Kaspersky said.
“This new cluster of activity might once again point to a trend we’ve been witnessing over the course of this year: Chinese-speaking threat actors re-tooling and producing new and unknown malware implants,” said Mark Lechtik, senior security researcher with Kaspersky’s global research and analysis team.