C2 server spills details on activities by Chinese APT groups
- The server revealed tools and techniques used by various cyberattack groups based in China.
- Details also show that certain communication networks were compromised by the groups, which exposed diplomatic cables.
A security research report has shed light on the hacking activity of state-sponsored Chinese threat actors, who were reportedly involved in compromising diplomatic cables of the European Union (EU). According to the report by the BlackBerry Cylance Threat Intelligence team, a command-and-control (C2) server used by China’s Strategic Support Force (SSF) was linked to a number of Chinese APT groups.
The associated groups mentioned in the report are Leviathan (Temp.Periscope) and Kryptonite Panda.
- The team’s report picked up on what Area 1 had earlier published on the hacked diplomatic cables in December 2018. Area 1 had also mentioned how more than 100 organizations were apparently targeted by Chinese SSF.
- Analyzing the domain associated with SSF’s C2 server, the team highlighted the groups’ extensive use of a malware family known as ‘Reaver’. The researchers also identified a new backdoor called ‘Sparkle’, which was deployed in small numbers.
- The Chinese attack groups leveraged an ActiveX control in their exploits, which delivered Reaver through malicious documents.
- All the domains analyzed by the team were registered with a single email address.
Groups target separatists
The BlackBerry Cylance team indicated that the threat actor groups were targeting specific groups in contention with the Chinese government. “We found a connection via the infrastructure included in the Area 1 report to groups associated in other security research with Chinese government efforts to spy on and conduct operations against internal groups perceived as separatist or threatening to the government,” it indicated.