Tomcat
An intricate web of hacks has enveloped hundreds of organizations around the world.
Security researchers at QiAnXin recently uncovered a long-term cyber espionage operation known as "APT Operation Veles" targeting academic and educational institutions around the world. The main suspect is the UTG-Q-008 hacker group, which specializes in attacks on Linux platforms and operates an extensive botnet.
During a year of intensive monitoring, researchers gathered evidence of UTG-Q-008 using botnet resources to steal data from scientific and educational institutions. Approximately 70% of the group's infrastructure consists of intermediate servers, which are changed with each new attack.
UTG-Q-008 attacks are characterized by high intensity and by the use of domains that have been active for the last ten years, which makes the group more resilient than other known APT groups.
UTG-Q-008 maintains many target lists, one of which includes more than five thousand network segments inside China.
Most of the controlled nodes are located in China, followed immediately by the United States. The group's servers often store attack components in TAR format, using intermediate servers to download and store data. One of the domains used for attacks is registered in China and has been active for 14 years.
To gain access to servers, UTG-Q-008 uses Nanobot components downloaded via wget or curl from intermediate servers. These components allow the attackers to run reverse shell sessions or SSH tunnels through which additional modules are downloaded.
UTG-Q-008 uses various types of internal scanners to check for open ports in networks. After the scan is completed, the results are passed on for further movement through the network.
Lateral movement involves two steps: scanning servers for open SSH ports and logging in with weak passwords. The attackers use a dedicated password database that includes more than 4,000 credentials collected over years of attacks.
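The SSH password-guessing step described above leaves a distinctive trace in sshd logs: a burst of failed password logins from one source against several user names, sometimes followed by a successful password login from the same source. The following detector, added here as an example and not part of the original report or of any QiAnXin tooling, parses constructed auth.log-style lines (the hostnames, addresses and user names are invented) and raises an alert for both patterns. The window and threshold values are assumptions to be tuned per environment.

```python
"""Detect SSH password guessing (and a success that follows it) in sshd log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
# The first source guesses five accounts and then logs in as "hadoop"; the second
# is a benign user who mistypes a password once, which must not raise an alert.
SAMPLE_LOG = """\
Jun 12 03:14:01 gpu-node-7 sshd[2211]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jun 12 03:14:03 gpu-node-7 sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2
Jun 12 03:14:05 gpu-node-7 sshd[2215]: Failed password for invalid user oracle from 198.51.100.23 port 40138 ssh2
Jun 12 03:14:07 gpu-node-7 sshd[2217]: Failed password for invalid user test from 198.51.100.23 port 40144 ssh2
Jun 12 03:14:09 gpu-node-7 sshd[2219]: Failed password for hadoop from 198.51.100.23 port 40150 ssh2
Jun 12 03:14:11 gpu-node-7 sshd[2221]: Accepted password for hadoop from 198.51.100.23 port 40156 ssh2
Jun 12 03:20:44 gpu-node-7 sshd[2300]: Accepted publickey for alice from 10.0.5.8 port 51022 ssh2: ED25519 SHA256:constructedfingerprint
Jun 12 03:21:02 gpu-node-7 sshd[2305]: Failed password for alice from 10.0.5.8 port 51030 ssh2
Jun 12 03:21:10 gpu-node-7 sshd[2307]: Accepted password for alice from 10.0.5.8 port 51034 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X" forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

WINDOW_SECONDS = 600   # assumed: failures older than this no longer count
FAIL_THRESHOLD = 5     # assumed: failures from one source that trigger an alert


def parse(log_text):
    """Turn raw sshd lines into event dicts; lines that are not logins are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; that is fine for ordering within one file.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted", "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect(log_text, window=WINDOW_SECONDS, threshold=FAIL_THRESHOLD):
    """Return alerts for bursts of failed password logins per source address and
    for a password login that succeeds while such a burst is still in the window."""
    events = sorted(parse(log_text), key=lambda e: e["ts"])
    recent_fail = defaultdict(list)   # src -> [(timestamp, user), ...] inside the window
    flagged = set()                   # sources already reported for guessing
    alerts = []
    for e in events:
        src = e["src"]
        cutoff = e["ts"] - timedelta(seconds=window)
        recent_fail[src] = fails = [(t, u) for (t, u) in recent_fail[src] if t >= cutoff]
        if not e["ok"]:
            fails.append((e["ts"], e["user"]))
            if len(fails) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "password_guessing", "src": src, "attempts": len(fails),
                               "users": sorted({u for _, u in fails})})
        elif e["method"] == "password" and len(fails) >= threshold:
            # A key-based login is not counted: the pattern of interest is a guessed password.
            alerts.append({"type": "success_after_guessing", "src": src,
                           "user": e["user"], "attempts": len(fails)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample input the detector reports the guessing burst from 198.51.100.23 (five accounts tried) and then the password login as "hadoop" from the same address, while the single mistyped password from 10.0.5.8 stays below the threshold. In production the same logic would run over a log shipper's stream rather than a string, and the "success_after_guessing" alert is the one worth paging on, since it marks the point where the lateral movement described above has succeeded.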
To reach the internal network, the attackers use FRP reverse proxies, which let them bring the botnet's external computing power to bear against important internal servers.
Having reached a significant level of penetration, UTG-Q-008 installs data-theft modules on key servers. These modules analyze various files and system logs, extracting confidential information from them.
On servers with powerful graphics cards, the attackers install cryptocurrency-mining components, which helps hide their main goals and complicates the investigation.
Over the past three years, more than 1,500 affected IP addresses have been recorded, among which China's Educational Networks (CERS) account for a significant share. Foreign universities, research institutes and information technology companies are also among the victims.