A cyberespionage group has been discovered targeting critical infrastructure organizations based in Southeast Asia. The threat group is apparently based in China and interested in exploiting Industrial Control Systems (ICS).

What has been discovered

Symantec discovered that a threat group has been targeting four critical infrastructure organizations located in Southeast Asian countries.
The attackers reportedly targeted power, water, communications, and defense organizations. What information was stolen is not yet known.
  • The purpose of the cyberespionage operation is believed to be nation-state intelligence gathering.
  • The operation is believed to have been running since at least November 2020 and to have continued until at least March.
  • The IP addresses, malware, and modus operandi, together with the location of the victims, indicate that all four organizations were attacked by a single group.
  • Some evidence suggests that the attackers are based in China; however, the activity has not been linked to any known threat group at present.

About the targets

  • One of the attacks targeted a water company, in which the attackers gained access to a machine involved in the design of SCADA systems. Another targeted a power company, which was compromised via an engineering design workstation.
  • The third attack targeted a communications company, in which the attackers abused Google Chrome Frame, a discontinued Internet Explorer plugin, to load a malicious DLL. The fourth targeted a defense organization, in which the PotPlayer Mini media player was abused for DLL search order hijacking.

Attack tools and methodologies

  • The group used various legitimate and dual-use tools, such as ProcDump, Windows Management Instrumentation (WMI), PAExec, Mimikatz, and PsExec.
  • It abused a free media player (PotPlayer Mini) and an Internet Explorer plugin (Google Chrome Frame) for DLL search order hijacking. In addition, the attacks used a backdoor, a keylogger, and a downloader.
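The two techniques listed above, dual-use administration tools and DLL search order hijacking of a legitimate signed application, both leave traces in process-creation and image-load telemetry (Sysmon event IDs 1 and 7, for example). The following is an added detection sketch, not code from Symantec or from this article; the event records, file paths, host addresses and the short list of System32 DLL names are all constructed for the example, and the rule names are hypothetical.

```python
"""Detection sketch for dual-use tooling and DLL search-order hijacking.

Added example built on constructed, Sysmon-like records; not part of the
original article and not the vendor's own detection logic.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names that a process should normally resolve from %SystemRoot%\System32.
# A real deployment would enumerate the host's System32; this list is constructed.
SYSTEM32_DLLS = {"version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll", "winmm.dll"}

# Directories that are not writable by a standard user on a default install.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Event:
    kind: str               # "process" (Sysmon ID 1) or "imageload" (Sysmon ID 7)
    image: str              # full path of the process executable
    parent: str = ""        # parent image (process events)
    command_line: str = ""  # command line (process events)
    loaded: str = ""        # loaded DLL path (image-load events)
    signed: bool = False    # signature status of the loaded DLL (image-load events)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def check_process(ev: Event) -> list[str]:
    """Flag the dual-use tools named in the article when used in the attacker's way."""
    hits: list[str] = []
    img = _name(ev.image)
    cmd = ev.command_line.lower()
    # ProcDump pointed at lsass is credential theft, whatever the binary's signature says.
    if img in {"procdump.exe", "procdump64.exe"} and "lsass" in cmd:
        hits.append("procdump_lsass")
    # PsExec/PAExec invoked against a remote host (\\target ...).
    if img in {"psexec.exe", "psexec64.exe", "paexec.exe"} and "\\\\" in cmd:
        hits.append("remote_exec_tool")
    # On the receiving host, the service side of PsExec/PAExec is spawned by services.exe.
    if _name(ev.parent) == "services.exe" and (img == "psexesvc.exe" or img.startswith("paexec-")):
        hits.append("remote_exec_service")
    # Mimikatz module names survive renaming of the executable.
    if "sekurlsa::" in cmd or "lsadump::" in cmd:
        hits.append("mimikatz_module")
    return hits


def check_imageload(ev: Event) -> list[str]:
    """Flag a system DLL name resolved from a user-writable directory: the
    classic search-order hijack of a legitimate application."""
    hits: list[str] = []
    if _name(ev.loaded) in SYSTEM32_DLLS and not _in_trusted_dir(ev.loaded):
        hits.append("dll_search_order_hijack")
        if not ev.signed:
            hits.append("unsigned_sideloaded_dll")
    return hits


def analyze(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event index, rule name) pairs for every rule that fires."""
    findings: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        rules = check_process(ev) if ev.kind == "process" else check_imageload(ev)
        findings.extend((i, r) for r in rules)
    return findings


# Constructed sample telemetry: one benign process, three tool abuses, one
# hijacked media-player load, and one benign load of the same DLL name.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
          "svchost.exe -k netsvcs"),
    Event("process", r"C:\Users\Public\procdump64.exe", r"C:\Windows\System32\cmd.exe",
          r"procdump64.exe -ma lsass.exe C:\Users\Public\ls.dmp"),
    Event("process", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\services.exe",
          "PSEXESVC.exe"),
    Event("process", r"C:\Temp\paexec.exe", r"C:\Windows\System32\cmd.exe",
          r"paexec.exe \\10.0.0.7 -s cmd.exe"),
    Event("imageload", r"C:\Users\Public\PotPlayerMini.exe",
          loaded=r"C:\Users\Public\version.dll", signed=False),
    Event("imageload", r"C:\Program Files\PotPlayer\PotPlayerMini.exe",
          loaded=r"C:\Windows\System32\version.dll", signed=True),
]

if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({SAMPLE_EVENTS[idx].image})")
```

The image-load rule keys on the DLL name and its directory rather than on the player's name, so it also covers the Google Chrome Frame case and any other signed host binary the group might pick; the trade-off is that portable applications legitimately run from user-writable paths, so in production the rule is best scoped to signed images loading unsigned DLLs.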

Conclusion

Disclosures of China-based cyberespionage attacks have risen sharply in recent months, including several attacks on Southeast Asian countries by various Chinese groups. The growing interest in critical infrastructure, and in Industrial Control Systems in particular, is a worrying development in the cybersecurity landscape.

Cyware Publisher