The third quarter of 2017 clearly demonstrated that Chinese-speaking actors have not “disappeared” and are still very much active, conducting cyber-espionage campaigns against a wide range of countries and industry verticals.
In total, 10 of the 24 research projects on advanced targeted attacks conducted by Kaspersky Lab in Q3 centered around activities attributed to multiple actors in the Chinese region.
These and other trends are covered in Kaspersky Lab’s latest quarterly threat intelligence summary.
Research conducted between July and September 2017 revealed a number of developments in targeted attacks by, among others, Chinese-, Russian-, English- and Korean-speaking threat actors. Chinese criminals in particular were active during this period. Their revitalisation has affected not only various organisations but also government and political bodies, as well as major regional agreements, bringing international relations into the business of advanced targeted attacks.
Highlights in Q3, 2017 include:
* Rise of cyber-espionage attacks by Chinese-speaking actors – The most interesting of these were the NetSarang/ShadowPad and CCleaner attacks, both of which involved embedding backdoors inside the installation packages of legitimate software. CCleaner alone infected 2 million computers, making it one of the biggest attacks of 2017.
* Growing interest among Chinese-speaking actors in attacks on strategic facilities and economic sectors – At least two separate reports provide clear cases in point: the IronHusky attack on Russian and Mongolian aviation companies and research institutes, discovered in July, in which the two countries were targeted with a Poison Ivy variant from a Chinese-speaking threat actor; and the H2ODecomposition attack on the energy sectors of India and Russia.
In Q3 2017, Kaspersky Lab experts also issued several reports on Russian-speaking actors. Most of them were dedicated to financial and ATM attacks; however, one report examined Sofacy’s summertime activity, indicating that the group remained active.
Among English-speaking actors, the third quarter also produced yet another member of the Lamberts: Red Lambert. The Lamberts is a family of sophisticated attack tools that has been used by one or more threat actors against high-profile victims since at least 2008. Red Lambert is a network-driven backdoor, discovered during the earlier analysis of Grey Lambert, that uses hard-coded SSL certificates in its command and control communications.
“The targeted threat landscape is evolving constantly, not only in terms of cybercriminals being increasingly well-prepared and technologically sophisticated, but also in terms of geography. The rise of Chinese-speaking actors once again demonstrates the importance of investing in threat intelligence and arming organisations with insight on the latest trends and developments,” says Brian Bartholomew, principal security researcher, Global Research and Analysis Team at Kaspersky Lab.