Chinese hacker group LuckyMouse found targeting national data center in Central Asia

One of the most prolific Chinese hacker groups named LuckyMouse (APT27, Emissary Panda) has been involved in a long-term campaign to spy on government targets in Central Asia. The campaign, discovered by Kaspersky Lab security researchers in March 2018, has been active since at least mid-2017.

Researchers believe LuckyMouse has targeted a national data center along with other government organizations, likely giving them the ability to gain access to a wide range of government resources in “one fell swoop”. Kaspersky researchers also believe the hackers launched watering hole attacks by abusing access to sensitive data and inserting malicious code into the unnamed country’s official websites.

The hackers were spotted using a RAT (remote access trojan) called HyperBro that researchers believe has been used between December 2017 and January 2018. The HyperBro trojan has also been used regularly by other Chinese-speaking threat actors in the past as well.

“Due to LuckyMouse’s ongoing waterholing of government websites and the corresponding dates, we suspect that one of the aims of this campaign is to access web pages via the data center and inject JavaScripts into them,” Kaspersky researchers wrote in a blog.

The primary C2 used in the Central Asia campaign was held by a Mikrotik router, which LuckyMouse likely hacked to process the malware’s HTTP requests.

In March 2017, WikiLeaks leaked an exploit called ChimayRed that affected Mikrotik routers. Kaspersky researchers suspect LuckyMouse may have used this leaked exploit as part of their campaign.

Although the researchers believe that the Mikrotik router may have been hacked specifically for this particular campaign, the reason behind this still remains a mystery.

“There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites,” Kaspersky researchers noted. “These events suggest that the data center infected with HyperBro and the waterholing campaign are connected.”

LuckyMouse has recently become very active, employing various threats, techniques and procedures (TTPs) that have been commonly leveraged by other Chinese hacker groups. Unlike other malicious campaigns launched by Chinese threat actors, this one involved the hackers attempting to disguise themselves - a technique that most Chinese hacker groups usually don’t employ.

However, Kaspersky researchers believe that this campaign may mark the dawn of a new age of stealthier attacks from Chinese hackers.