Sophisticated APT clusters target Southeast Asia


Unit 42 researchers have uncovered a complex web of cyberespionage attacks targeting a Southeast Asian government. Initially thought to be the work of a single threat actor, the attacks were found to have been orchestrated by three distinct groups of threat actors.

These espionage operations, which took place simultaneously or almost simultaneously, affected critical infrastructure, public health establishments, public finance administrators and ministries within the same country.

The research, published last Friday by Unit 42 researchers Lior Rochberger, Tom Fakterman and Robert Falcone, suggests that these activities were carried out by advanced persistent threats (APTs), given the sophisticated techniques employed and the continuous surveillance efforts directed at the victims.

The investigation led to the identification of three distinct activity clusters, each attributed, with varying levels of confidence, to a known APT group.

The first, CL-STA-0044, is linked with moderate to high confidence to the Stately Taurus group (aka Mustang Panda), which is believed to have affiliations with Chinese interests. Their primary objectives encompassed cyberespionage, involving intelligence gathering and theft of sensitive documents, executed through the deployment of backdoors like ToneShell and ShadowPad, in addition to a suite of well-established hacking tools.


The second, CL-STA-0045, is attributed with moderate confidence to the Alloy Taurus APT group, which also operates on behalf of Chinese state interests. This cluster showed a penchant for long-term persistence and reconnaissance, and made use of several backdoors. In particular, it employed unconventional techniques and introduced previously undocumented backdoors such as Zapoa and ReShell.

Finally, CL-STA-0046 is tentatively associated with the Gelsemium APT group, which is not currently attributed to a specific state. This cluster focused on reconnaissance and on maintaining access, with particular emphasis on exploiting vulnerable IIS (Internet Information Services) web servers. To achieve these goals, the attackers deployed malware such as OwlProxy and SessionManager alongside common hacking tools.

The research findings have been shared with the Cyber Threat Alliance (CTA) to facilitate the rapid deployment of protections and the disruption of these malicious cyber actors.
