New Cyber-Espionage Campaign Detection: Suspected China-Backed Actors Target High-Profile Organizations in Southeast Asia
Table of contents:
Defenders observe increasing numbers of cyber-attacks linked to China-backed APT groups, primarily focused on intelligence gathering. In September 2024, a China-affiliated APT group tracked as Earth Baxia set its sights on a state agency in Taiwan and possibly other nations within the APAC region. A recently uncovered cyber-espionage campaign has been targeting high-profile organizations in Southeast Asia since at least October 2023, with suspected China-linked hackers believed to be responsible for the attacks.
Detecting Attacks Against High-Profile Organizations in Southeast Asia by Chinese Actors
During 2024, APT groups from China were ranked among the top global cyber threats alongside North Korea, russia, and Iran, showcasing heightened offensive capabilities and posing significant challenges to the cybersecurity landscape. To outscale emerging threats and timely spot potential attacks by Chinese actors, SOC Prime Platform for collective cyber defense equips cyber defenders with relevant CTI-enriched detections backed by a complete product suite for advanced threat detection and hunting.Â
Just hit the Explore Detections button below and immediately drill down to a curated Sigma rules pack addressing the latest attacks against Southeast Asia by Chinese APT actors. All the rules are mapped to the MITRE ATT&CK framework, enriched with extensive metadata, and compatible with 30+ SIEM, EDR, and Data Lake solutions to streamline threat investigation.
Security engineers can also leverage Uncoder AI to seamlessly pack IOC and perform retrospective analysis of adversaries’ TTPs. Instantly convert IOCs from the corresponding research by Symantec into tailored queries compatible with various SIEM, EDR, and Data Lake languages.
Cyber-Espionage Attack Analysis Likely Linked to China-Based Adversaries
According to recent research from the Symantec Threat Hunter Team, the newly uncovered cyber-espionage campaign targets organizations across multiple industry sectors, including government ministries in two countries, an air traffic control organization, a telecom company, and a media outlet.
The newly uncovered campaign, which has been active since at least October 2023, mainly aims to collect intelligence. Attackers rely on a mix of open-source and living-off-the-land tools in the ongoing campaign. They have employed a broad range of TTPs, with slight variations across different targeted organizations. However, the geographical location of the victims and the use of tools previously associated with China-based APT groups indicate that these attacks are likely linked to the malicious activity of Chinese actors. Notably, the proxy tool Rakshasa and a legitimate application file used for DLL sideloading were previously linked to the Chinese APT group known as Earth Baku (aka APT41 or Brass Typhoon). Other associated hacking collectives include Fireant (aka Mustang Panda, APT31, Stately Taurus), Budworm (aka APT27, Emissary Panda, Lucky Mouse), and more.
Adversaries use a remote access tool that exploits Impacket to execute commands via WMI. They then deploy keyloggers, password collectors, and reverse proxy tools, like Rakshasa, Stowaway, or ReverseSSH, to maintain persistent access to their infrastructure. Additionally, the attackers install customized DLL files that act as authentication filters, enabling them to capture login credentials. In addition, researchers observed the use of PlugX (also known as Korplug), a tool commonly used by various Chinese hacking collectives, like Earth Preta APT.
In one of the targeted organizations, the attackers remained active for at least three months, from June to August 2024, primarily focusing on intelligence gathering, collecting and likely exfiltrating valuable data. While this case demonstrates a specific method, other attacks relied on additional TTPs, including DLL sideloading, and the deployment of tools like Rakshasa and SharpGPOAbuse, among others, to accomplish offensive goals. Researchers observed that the adversaries maintained stealthy access to the compromised networks for long periods, enabling them to collect passwords and map key networks. The stolen data was then compressed into password-protected archives using WinRAR and uploaded to cloud storage platforms like File.io.
Symantec released the corresponding protection bulletin to help organizations mitigate the risks of the ongoing malicious activity likely linked to Chinese actors. SOC Prime Platform for collective cyber defense enables security teams to outscale cyber threats with cutting-edge solutions to advance threat detection, elevate detection engineering, and automate threat hunting while building a robust cybersecurity posture.
