Bronze President spies on Russian targets as Ukraine invasion continues

April 27, 2022, Hi-network.com

Bronze President has potentially shifted from Asia to focus on Russia as the invasion of Ukraine continues.

Also known as Mustang Panda, TA416, or RedDelta, the Chinese cyberespionage group has been active since at least 2018 and has traditionally focused on gathering intelligence from NGOs, research institutes, and internet service providers (ISPs).

Past countries and regions on the hit list include Europe, Mongolia, Russia, Vietnam, and South Africa.

According to Secureworks Counter Threat Unit (CTU), the group is either "sponsored or at the very least tolerated by the Chinese government" and "appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine."

Recent campaigns have primarily focused on Southeast Asia, with targets infiltrated for "political and economic" data theft and ongoing, long-term surveillance. However, CTU says that Bronze President has now pivoted to Russian speakers alongside European organizations.

"This suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the People's Republic of China (PRC)," the researchers say.

Government-sponsored -- or, perhaps, tolerated -- cyberattackers are tasked with activities that will benefit their government somehow. This often includes intelligence-gathering, spying, and activities that improve situational awareness, especially in times of conflict.

These activities are not aimed only at 'enemies' or 'hostile' states -- they also extend to those a country considers an ally or friend.

CTU suggests that the recent Bronze President shift could indicate "an attempt by China to deploy advanced malware to computer systems of Russian officials."

Bronze President is suspected of targeting the Russian military. The team analyzed a malicious executable called "Blagoveshchensk - Blagoveshchensk Border Detachment.exe," which was disguised with a .PDF icon and heavily obfuscated to hide a downloader for PlugX malware. (The city of Blagoveshchensk is close to the Chinese border and is home to part of the Russian military.)

If executed, the file will display a decoy document (written in English, oddly), which describes the refugee situation and EU sanctions. In the background, a downloader grabs PlugX from a command-and-control (C2) server previously tied to campaigns in Europe.

PlugX is a Remote Access Trojan (RAT) capable of file exfiltration, executing remote command shells, establishing a backdoor, and deploying additional malicious payloads.

Bronze President has a wide range of tools, including Cobalt Strike, the China Chopper backdoor, RCSession, and ORat, at its disposal.

In March, ESET said the group was taking advantage of the war to spread a new Korplug/PlugX RAT variant, dubbed Hodur, via Ukraine & Russia-themed phishing campaigns.

In other cybersecurity news related to Russia and Ukraine, Aqua Security has been tracking the use of cloud repositories by those on both sides of the conflict.

The researchers found that 40% of public repositories with descriptions or names linked to the invasion, including tools and guides, promoted denial-of-service (DoS) activities "aimed at disrupting the network traffic of online services."

See also

  • Mustang Panda hacking group takes advantage of Ukraine crisis in new attacks
  • How cloud services become weapons in Russia-Ukraine cyber conflict
  • Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers
