Malicious ZIP archives are at the centre of a mass espionage campaign in China.
Securonix has uncovered a major espionage operation called "SlowTempest" targeting people and organizations in China. Hackers sought to gain long-term access to systems for espionage and possible sabotage, and could also launch ransomware attacks or steal data. Experts argue that the main goal of the campaign was to control the networks in the long term and implement strategic objectives that may be aligned with the interests of the state.
The researchers were unable to pinpoint the attackers' location or link them to any known group, but the sophistication of the malware and of the tools used to scan systems and steal data suggests that the targets were government agencies or large businesses.
Although Securonix did not disclose specific victims of the attack, they indicated that the phishing emails used in the campaign were written in Chinese, and the hackers' infrastructure was located on the servers of the Chinese company Shenzhen Tencent Computer Systems. Such factors, as well as telemetry data, indicate that the main target of the attack was in China.
In addition, the researchers noted that the attackers had a deep understanding of the Chinese language, of Chinese infrastructure, and of the characteristics of potential victims. However, the attack could also have been organized from another Chinese-speaking region such as Taiwan, Singapore or Hong Kong.
The investigation began with a single incident but uncovered several other attacks, indicating that there were more victims. The campaign is still ongoing and does not resemble previously documented ones: the hackers' unique combination of tools and methods suggests an independent operation rather than a continuation of already known campaigns.
The attacks began with malicious ZIP files sent via phishing emails. The files were disguised as documents related to HR matters, which helped them slip past antivirus programs. One of them, enticingly titled "List of Persons Who Violated the Rules for the Use of Remote Control Software", deployed backdoors when opened that went unnoticed by security systems. The hackers then scanned the compromised systems for data and extracted credentials from browsers.
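The lure described above is an archive whose contents pose as an HR document. As an added defensive illustration, not code from the Securonix report, the following script triages a ZIP attachment without extracting it and flags members whose names hide executable content behind a document-like name (double extensions, right-to-left override characters, over-long names). The sample archive it builds is constructed for the demo and is not the real lure.

```python
"""Added example (not from the Securonix report): triage a ZIP attachment
without extracting it, flagging members that look like a disguised
executable. The sample archive built below is constructed for the demo."""
import io
import zipfile

# Extensions Windows executes on double-click; a "document" ending this way is suspect.
EXEC_EXTS = {"exe", "scr", "com", "pif", "dll", "lnk", "js", "jse", "vbs",
             "vbe", "wsf", "hta", "bat", "cmd", "ps1", "msi"}
# Document extensions commonly placed in front of the real extension as a disguise.
DOC_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}

def triage_entry(name: str) -> list[str]:
    """Return the reasons an archive member name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # strip any folder prefix inside the archive
    parts = base.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension .{ext}")
        # "Violators List.pdf.exe": a document extension placed before the real one
        if len(parts) > 2 and parts[-2] in DOC_EXTS:
            reasons.append("double extension masquerading as a document")
    if "\u202e" in base:                     # RTL override reverses the visible tail of the name
        reasons.append("right-to-left override character in file name")
    if ext in EXEC_EXTS and len(base) > 80:  # long names push the extension out of view
        reasons.append("very long file name")
    return reasons

def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Inspect every member of an in-memory ZIP; nothing is extracted or executed."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = triage_entry(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample resembling an HR-themed lure (payload bytes are dummies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Remote Control Software Violators List.pdf.exe", b"MZ-dummy")
        zf.writestr("readme\u202efdp.scr", b"MZ-dummy")   # displays as "readme.rcs.pdf"
        zf.writestr("policy.docx", b"PK-dummy")           # benign-looking control entry
    return buf.getvalue()
```

Running `triage_zip(build_sample_zip())` reports the two disguised members and leaves `policy.docx` unflagged; the check is a triage signal for mail-gateway or SOC tooling, not a substitute for scanning the extracted content.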
Operational mistakes by the attackers allowed researchers to recover a tool containing the username "guoyansong". Securonix suggests that this is a form of the name Guoyan Song, a real Chinese name. Despite the lack of clear evidence linking the attack to any known threat group, experts believe it was orchestrated by an experienced threat actor using post-exploitation frameworks such as Cobalt Strike together with a wide range of other post-exploitation tools.