A suspected China-based threat actor has been linked to a series of cyber attacks targeting high-profile organizations in Southeast Asia since at least October 2023.
The espionage campaign targeted organizations in various sectors spanning government ministries in two different countries, an air traffic control organization, a telecoms company, and a media outlet, the Symantec Threat Hunter Team said in a new report shared with The Hacker News.
The attacks, which leveraged tools previously identified as linked to China-based advanced persistent threat (APT) groups, are characterized by the use of both open-source and living-off-the-land (LotL) techniques.
This includes the use of reverse proxy programs such as Rakshasa and Stowaway, as well as asset discovery and identification tools, keyloggers, and password stealers. Also deployed during the course of the attacks is PlugX (aka Korplug), a remote access trojan put to use by several Chinese hacking groups.
“The threat actors also install customized DLL files that act as authentication mechanism filters, allowing them to intercept login credentials,” Symantec wrote. The Broadcom-owned company told The Hacker News it could not determine the initial infection vector in any of the attacks.
In one of the attacks targeting an entity that lasted for three months between June and August 2024, the adversary conducted reconnaissance and password dumping activities, while also installing a keylogger and executing DLL payloads capable of capturing user login information.
Symantec noted that the attackers managed to retain covert access to compromised networks for extended periods of time, allowing them to harvest passwords and map networks of interest. The gathered information was compressed into password-protected archives using WinRAR and then uploaded to cloud storage services such as File.io.
“This extended dwell time and calculated approach underscore the sophistication and persistence of the threat actors,” the company said. “The geographical location of targeted organizations, as well as the use of tools linked previously to China-based APT groups, suggests that this activity is the work of China-based actors.”
It’s worth noting that the ambiguity in attributing these attacks to a specific Chinese threat actor underscores the difficulty of tracking cyber espionage groups when they frequently share tools and use similar tradecrafts.
The geopolitical tensions in Southeast Asia over ongoing territorial disputes in the South China Sea have been complemented by a series of cyber attacks targeting the region, as evidenced by threat activity groups tracked as Unfading Sea Haze, Mustang Panda, CeranaKeeper, and Operation Crimson Palace.
The development comes a day after SentinelOne SentinelLabs and Tinexta Cyber disclosed attacks undertaken by a China-nexus cyber espionage group targeting large business-to-business IT service providers in Southern Europe as part of an activity cluster dubbed Operation Digital Eye.
Last week, Symantec also revealed that an unnamed large U.S. organization was breached by likely Chinese threat actors between April and August 2024, during which time they laterally moved across the network, compromising multiple computers and potentially exfiltrating data.