Sand trail in cyberspace: researchers have found a link between the Sandman group and the KEYPLUG backdoor

Brother

Chinese hackers and their role in increasing global digital risks.

A new report jointly prepared by SentinelOne, PwC and the Microsoft Threat Intelligence team reveals tactical and targeting overlaps between the little-understood APT group Sandman and China-based threat actors who use a backdoor called KEYPLUG in their attacks.

The report's central finding is that the LuaDream and KEYPLUG malware families were observed in the same victim networks. Microsoft and PwC track the KEYPLUG-related activity under the names Storm-0866 and Red Dev 40, respectively.

The Sandman group, first disclosed by SentinelOne in September 2023, targeted telecommunications providers in the Middle East, Western Europe and South Asia using a novel implant named LuaDream. The earliest observed compromises date to August 2023.

KEYPLUG, the backdoor used by the China-linked cluster, was first documented by Mandiant in attacks attributed to the Chinese group APT41 (also known as Brass Typhoon or Barium), which compromised the networks of at least six US state governments between May 2021 and February 2022.

In a report published in March 2023, Recorded Future attributed the use of KEYPLUG to a Chinese state-sponsored threat group it tracks as RedGolf, noting that RedGolf's activity closely overlaps with that tracked as APT41/Barium.

One of the most notable overlaps is a pair of C2 domains used by LuaDream that also served as KEYPLUG C2 servers and had previously been attributed to Storm-0866.

The similarities do not end there: both implants support the QUIC and WebSocket protocols for C2 communications, pointing to shared requirements for their command channels. Shared infrastructure is a much stronger link than shared protocol support, which on its own could reflect common tooling or simply convergent design; the report treats the C2 domain overlap as the primary evidence.

The report highlights that "there are strong intersections in the operational infrastructure, target focus, and tactics that associate APT Sandman with Chinese adversaries using the KEYPLUG backdoor, underscoring the complexity of the Chinese threat landscape."