Posted on November 17, 2022 at 5:59 PM
Security researchers have discovered a hacking incident involving a suspected Chinese state-sponsored actor. According to reports, the state actor breached government and defense agencies in different countries and a digital certificate authority in Asia. The hacking campaign has been ongoing since March 2022, but the group responsible for the campaign has been operating far longer.
A new report from Symantec attributes the attacks to an adversary group it tracks under the name Billbug. The firm noted that the threat actor's activity appears to be driven by data theft and cyber espionage, although no confirmed data theft has been reported since the group started operating. Billbug is also known as Lotus Panda, Lotus Blossom, Thrip, Spring Dragon, and Bronze Elgin.
The Group Has Focused On South East Asia
The group is an advanced persistent threat (APT) group that is said to be linked to the Chinese government. Its main targets are military organizations and government agencies in South East Asia.
Attacks the group carried out in 2019 involved the use of backdoors such as Sagerunex and Hannotog. The attacks have been observed across several countries in South East Asia such as Hong Kong, Vietnam, the Philippines, Malaysia, Macau, and Indonesia.
Both backdoors are meant to give the attackers remote access to the victims' networks. In some targeted organizations, the hackers also deployed Catchamas, an information stealer, to exfiltrate sensitive information.
In its report, Symantec's researchers noted that the hackers deliberately targeted a certificate authority. Their goal was to compromise it and gain access to its certificates so that they could sign their malware with a valid certificate. Validly signed malware is far more likely to stay under the radar on affected systems.
“It could also potentially use compromised certificates to intercept HTTPS traffic,” the researchers said while stating the various possibilities of the hacking campaign.
No Evidence Suggesting A Successful Compromise
While the researchers acknowledged the attackers' capabilities, they also noted that no evidence suggested that the digital certificates themselves were actually compromised. The certificate authority concerned was informed of the attempt.
According to the researchers' analysis, initial access was likely gained by exploiting an internet-facing application. After the initial exploitation, a combination of living-off-the-land and bespoke tools was deployed to meet the attackers' operational goals.
These include utilities such as Certutil, NBTscan, Traceroute, Ping, and WinRAR, alongside a backdoor that can download arbitrary files, gather arbitrary information, and upload encrypted data.
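As an added illustration, not taken from the Symantec report or this article: a small Python hunt that flags a host on which several of the living-off-the-land utilities named above run within a short window. The log format, host names, timestamps, and command lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities the report names as part of the living-off-the-land tool set.
# Each one is legitimate on its own; the signal is several of them on one host.
LOTL_TOOLS = {"certutil.exe", "nbtscan.exe", "tracert.exe",
              "ping.exe", "winrar.exe", "rar.exe"}

# Constructed process-creation records (not real telemetry), one per line:
#   <ISO timestamp> host=<name> image=<full path> cmdline=<command line>
SAMPLE_LOG = r"""
2022-03-14T09:02:11 host=WS-017 image=C:\Windows\System32\certutil.exe cmdline=certutil -decode in.txt out.exe
2022-03-14T09:10:40 host=WS-017 image=C:\Windows\System32\notepad.exe cmdline=notepad.exe notes.txt
2022-03-14T09:15:03 host=WS-017 image=C:\Temp\nbtscan.exe cmdline=nbtscan 10.0.0.0/24
2022-03-14T09:20:55 host=WS-017 image=C:\Windows\System32\ping.exe cmdline=ping 10.0.0.7
2022-03-14T10:30:12 host=WS-017 image=C:\Program Files\WinRAR\winrar.exe cmdline=winrar a -hp out.rar D:\docs
2022-03-14T11:00:00 host=SRV-02 image=C:\Windows\System32\ping.exe cmdline=ping 10.0.0.1
2022-03-14T15:00:00 host=SRV-02 image=C:\Windows\System32\tracert.exe cmdline=tracert 10.0.0.1
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) cmdline=(?P<cmd>.*)$")


def parse_events(log_text):
    """Return sorted (timestamp, host, tool) tuples for LOTL-tool executions only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        tool = m.group("image").rsplit("\\", 1)[-1].lower()
        if tool in LOTL_TOOLS:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("host"), tool))
    return sorted(events)


def find_clusters(events, window=timedelta(hours=2), min_tools=3):
    """Alert once per host where >= min_tools distinct LOTL tools run within `window`."""
    by_host = defaultdict(list)
    for ts, host, tool in events:
        by_host[host].append((ts, tool))
    alerts = []
    for host, evs in by_host.items():
        for i, (start, _) in enumerate(evs):  # evs are already time-ordered
            tools = {t for ts, t in evs[i:] if ts - start <= window}
            if len(tools) >= min_tools:
                alerts.append((host, tuple(sorted(tools))))
                break  # one alert per host is enough for triage
    return alerts
```

Tune `window` and `min_tools` to the environment; administrators legitimately run ping and tracert, so the threshold exists to suppress single-tool noise.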
Additionally, the researchers detected an open-source multi-hop proxy tool called Stowaway in the attack. They also detected the Sagerunex backdoor, which was planted on the targeted system through Hannotog.
The backdoor is designed to run arbitrary commands, steal files, and drop additional payloads, which lets the attackers extend the intrusion and steal more information from the machine later.
The Threat Actor Can Compromise Several Victims Simultaneously
The researchers also explained that the threat actor can compromise multiple victims at the same time, an indication that the group is well resourced and highly sophisticated. It can carry out wide-ranging, sustained campaigns over a long period without being detected.
The researchers also believe that Billbug does not operate like other threat actors, which usually rotate their tools to avoid being linked to an attack. Billbug appears unconcerned that its intrusions can be easily attributed to it and readily reuses tools from past operations, which is unusual for such a sophisticated group.
The Group Now Targets U.S. Organizations
According to the researchers, the attackers' recent activity shows that they are broadening their interest to more countries and organizations. The researchers noted that in one of the attacks on a government system, the attackers compromised a large number of machines on the victim's network.
Symantec also revealed another new dimension to the group’s attack. In the past, they have always concentrated on military organizations, government, and communications sectors in South East Asia for their attacks. But now they are targeting U.S. organizations.