Researchers have revealed a major Chinese cyber-espionage campaign which could be linked to shadowy ‘cybersecurity’ firm I-Soon.
Trend Micro claimed the Earth Krahang APT campaign shares multiple connections with a previously discovered Chinese actor dubbed Earth Lusca, which is suspected of being the penetration team behind I-Soon.
That company, which appears to be a Chinese government contractor, first came to light after a GitHub leak last month.
“Using this leaked information, we found that the company organized their penetration team into two different subgroups,” Trend Micro claimed. “This could be the possible reason why we saw two independent clusters of activities active in the wild but with limited association. Earth Krahang could be another penetration team under the same company.”
Earth Krahang has been observed targeting 116 organizations in 35 countries; 70 of those organizations were compromised, most of them located in Southeast Asia.
“We found that at least 48 government organizations were compromised, with a further 49 other government entities being targeted. Foreign affairs ministries and departments were a top target, compromising 10 such organizations and targeting five others,” the report claimed.
Trend Micro built up a picture of the campaign after operational mistakes by the actor allowed the researchers to retrieve configuration and log files from its attack tools.
“One of the threat actor’s favorite tactics involves using its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts,” the report explained.
“Earth Krahang also uses other tactics, such as building VPN servers on compromised public-facing servers to establish access into the private network of victims and performing brute-force attacks to obtain email credentials. These credentials are then used to exfiltrate victim emails, with the group’s ultimate goal being cyber-espionage.”
Overlaps With Earth Lusca
The actor also stole hundreds of email addresses from targets during its reconnaissance phase. In one case, it used a compromised government mailbox to send a malicious attachment to nearly 800 email addresses belonging to the same entity, Trend Micro said.
During the initial stages of an attack, the group used Cobalt Strike or the custom backdoors Reshell and XDealer. Although its infrastructure and its choice of initial-stage backdoors differ from Earth Lusca’s, Trend Micro found that malware used for lateral movement was being downloaded from IP addresses attributed to Earth Lusca.
“We also found infrastructure overlaps between some C&C [command-and-control] servers that communicated with malware we found during our investigation, and domain names such as googledatas[.]com that we attribute to Earth Lusca,” it added.