Researchers Perform An Analysis on Chinese Malware Used Against Russian Government
Security researchers from the threat hunting and intelligence company Group-IB have revealed that in 2020, at least two espionage groups from China targeted the Russian Federal authorities. Chinese espionage groups are notorious for global cyber-attacks that target state agencies, research institutes, military contractors, and other agencies and institutions with espionage in mind.
According to Group-IB, “Chinese APTs are one of the most numerous and aggressive hacker communities.” The attackers attempt to gain access to confidential data and hide their presence as long as they can.
The report from Group-IB builds on earlier disclosures by Solar JSOC and SentinelOne. Those disclosures centred on the Mail-O malware, which the attackers used in attempts to access Russian federal officials’ emails. SentinelOne subsequently assessed Mail-O to be related to a malware variant called manager or PhantomNet created by TA428.
The main aim of the hackers was to compromise the IT infrastructure and steal confidential data, including classified documents and the emails of top federal executives. The hackers stayed hidden by using malware that evaded detection, legitimate utilities, and a thorough understanding of how the data protection tools deployed in government bodies worked.
Group-IB performed an in-depth analysis of the malware families used by the attackers. The evidence suggests that the Chinese hacker groups TaskMasters and TA428, both linked to the Chinese government, were responsible for attacks on multiple Russian federal government agencies.
TaskMasters is responsible for the Trojan known as BlueTraveller. It started its activities in 2013 and targets organizations in Russia and the CIS. Its primary focus is on government agencies, transport companies, and industrial and energy firms, with the aim of stealing classified documents.
The group was named TaskMasters because of its habit of creating tasks in the scheduler. This allows an attacker to execute OS (operating system) commands and run software at specific times.
Attacks by these Asian hackers remain unnoticed by IT security services and antivirus products, allowing the hackers to download gigabytes of data without leaving a trace for years. In late 2018, cybersecurity experts revealed that the Russian financial sector had suffered losses of almost 3 million rubles due to cyber-attacks.
In operation since 2013, the TA428 group has been focusing on East Asian government agencies, mainly those connected with foreign and domestic policy, economic policy, and government information technology.
In the 2020 attacks against Russian government agencies, these Chinese hackers used the Mail-O and WebDAV-O malware families to gain remote access to systems and steal classified data. During the research, Group-IB security researchers discovered multiple similarities between WebDAV-O and BlueTraveller (RamShell).
Group-IB also found a connection between BlueTraveller and Albaniiutas, a novel malware family in TA428’s arsenal. This suggests that Albaniiutas is a logical continuation of the BlueTraveller malware family. The Group-IB analysis focused on a WebDAV-O sample that was uploaded to VirusTotal in 2019 and overlapped with the one described by Solar JSOC.
Since Mail-O is thought to be part of TA428’s portfolio, Group-IB’s researchers also suggested that some of the attacks on the Russian government in 2020 might have been carried out by the same group. WebDAV-O is connected to BlueTraveller from TaskMasters, which in turn is connected to Albaniiutas from TA428. Group-IB pointed out that Chinese hacker groups exchange infrastructure and tools, so it would not be surprising if that were the case in this scenario.
Evidence suggests that there could be one large group of hackers from the intelligence units of the PLAC (People’s Liberation Army of China) operating from the country, and that the different Chinese APT groups tracked by threat intelligence teams are merely its subgroups. Each unit attacks at full strength, following strict orders and timelines. This means that a single piece of malware can be configured and modified by various departments, each with a different level of training and different objectives.
The research concluded that either both hacker groups, TaskMasters and TA428, were behind the 2020 attacks on the Russian authorities, or there is one sizeable Chinese hacker group comprising different sub-units.