Defence enterprises, government agencies in Russia and Ukraine targeted by state-sponsored hackers

China flag is depicted on the screen in program code
(Image credit: Shutterstock)

More than a dozen victims located across Ukraine, Russia, Belarus, and Afghanistan have been successfully targeted by state-sponsored hackers in a January 2022 campaign.

The campaign is believed to be focused on cyber espionage but has targeted military-linked defence companies, government agencies, and research institutes in the regions.

Researchers at Kaspersky have attributed the attacks with ‘high probability’ to TA428, a China-linked state-sponsored hacking group.

There was a “significant overlap” in the tactics, tools, and techniques used in these attacks with those of previous TA428-linked hacks, and the malware infrastructure was also located in China, they said.

Highly sophisticated phishing campaigns were used to gain initial access to a variety of systems, with some attacks resulting in hackers taking control of IT infrastructure.

The phishing campaigns were carefully created and, in some cases, used information that was not publicly available to make the emails appear more legitimate such as the full names of employees that were responsible for handling certain information.

The email contained a maliciously crafted Microsoft Office document that exploited the CVE-2017-11882 vulnerability affecting outdated versions of Microsoft Equation Editor - a Microsoft Office component.

Although discovered as far back as 2017, the exploit allows attackers to execute arbitrary code on a victim’s system without the need to enable VBA macros, unlike exploits of a similar nature.

The code executed by the malicious Office document dropped PortDoor malware which then allowed attackers to control systems via a backdoor capability and drop additional malware strains on the victim’s computer via the command and control (C2) server.

The researchers believe PortDoor has been used in previous attacks by TA428 but the strain analysed in the January attacks featured new capabilities.

Various strains of malware were dropped on victims via PortDoor with the attackers using functions such as reading and modifying files, collecting system information, stealing sensitive information, identifying network-connected devices with security vulnerabilities, searching for passwords, and remotely executing code.

Attackers moved laterally across the network, from system to system, using a combination of stolen credentials, network scanning results, and malware to establish connections with other machines.

“The results of our research demonstrate that spear phishing remains one of the most relevant threats to industrial enterprises and public institutions,” said Kaspersky.

“The attack series that we have discovered is not the first in the campaign and, given that the attackers achieve a certain degree of success, we believe it is highly likely that they will continue to conduct similar attacks in the future,” it added. “Industrial enterprises and public institutions should take extensive measures to repel such attacks successfully.”

China’s trademark cyber espionage efforts

Cyber espionage is also a common motive of China-linked hacking groups. Numerous reports of Chinese state-sponsored hackers specifically targeting entities such as universities and militaries have surfaced in recent years.

A top Australian university confirmed that it was the subject of a 19-year-long data breach in 2019, one that was believed to be at the hands of China.

Experts speaking at the time said other Australian research centres had been targeted by Chinese hackers, as well as those elsewhere in Asia.

Earlier that year, China was also linked with attempts to steal maritime secrets through hacks on 27 different universities around the globe.

Most recently, UK and US national security services expressed their growing concern over China’s long-term ambitions with its uptick in intellectual property theft, and the numerous mergers and acquisitions in the region.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.