Chinese Hackers Target ASEAN Entities in Espionage Campaign

Written by

Two Chinese advanced persistent threat (APT) groups have been conducting cyber espionage campaigns targeting entities in countries affiliated with the Association of Southeast Asian Nations (ASEAN) over the past 90 days.

Unit 42, the cyber threat intelligence team within cybersecurity provider Palo Alto Networks, observed these new campaigns.

They described their findings in a report published on March 26, 2024.

Stately Taurus Leveraged the ASEAN-Australia Special Summit

The first group is an established APT group commonly known as Stately Taurus (aka Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta and Camaro Dragon).

Stately Taurus has been operating since at least 2012. The group typically conducts cyber espionage campaigns targeting government entities, non-profits, and religious and other nongovernmental organizations across North America, Europe and Asia.

This latter cyber espionage campaign observed by Unit 42 was aimed at entities in Myanmar, the Philippines, Japan and Singapore. It coincided with the ASEAN-Australia Special Summit, held from March 4-6, 2024.

While the Summit was underway, Unit 42 researchers discovered two malware packages that they observed targeting Asian countries.

These two packages were named, a ZIP archive that included two malicious files leading to the malware, and PSO.scr, a screensaver executable file leading to a malicious executable file. PSO is likely a reference to the title of Personal Staff Officer, a rank in the Myanmar military.

Another Chinese APT Group Targeted ASEAN-Affiliated Entities

The second Chinese-affiliated APT group remained unnamed in the Unit 42 report.

Unit 42 researchers recently identified network connections between an ASEAN-affiliated entity and other Asian government entities, and the Chinese hacking group's command-and-control (C2) infrastructure, indicating that the entities’ IT systems had been compromised.

Upon investigation, the security researchers found that the threat actor was active throughout January and February 2024.

The threat actor’s activity seemed to follow weekday business hours (China Standard Time). It slowed down or stopped during the Lunar New Year and the Chinese mandated “Special Working Day” on February 18.

“These types of campaigns continue to demonstrate how organizations are targeted for cyber espionage purposes, where nation-state affiliated threat groups collect intelligence of geopolitical interests within the region,” the Unit 42 researchers wrote.

Read more: UK Blames China for 2021 Hack Targeting Millions of Voters' Data

What’s hot on Infosecurity Magazine?