Analysis of the C&C server used in the attacks on diplomatic organizations allowed IS experts to investigate multiple operations conducted by Chinese cyber gangs. The gangs used similar tools but acted in the interests of different Chinese government institutions.
On Tuesday, May 14, BlackBerry Cylance Threat Intelligence specialists published a report on recent attacks by Chinese cybercriminals. The report is based on earlier research by the American company Area 1.
In December 2018, experts from Area 1 Security reported an ongoing malware operation conducted by Chinese “government” hackers. According to them, the attackers gained access to the diplomatic correspondence networks of the European Union.
The Ministry of Foreign Affairs of Cyprus was compromised, along with the entire COREU network used for diplomatic correspondence between EU countries. About 100 organizations fell victim to the attacks, including trade unions and scientific organizations.
Responsibility for the hacking is attributed to the Strategic Support Force of the People’s Liberation Army of China.
BlackBerry Cylance Threat Intelligence specialists noticed an interesting detail in their colleagues’ research from Area 1 Security: all the attacks were conducted from a single C&C server.
“We connected this domain to a host of other, disparate Chinese APT groups whose tasking, targeting, and toolsets have been literally all over the map. We also found evidence suggesting that different Chinese APT groups have also been using the same malware – and in some cases, the same exploit builder,” reported experts from BlackBerry Cylance Threat Intelligence.
Researchers managed to find a link between the Strategic Support Force of China and cybercriminals conducting espionage in the interests of the National Security Commission, the People’s Armed Police and the Ministry of Public Security.
While the Strategic Support Force is interested in military targets, the departments listed above monitor activists, representatives of various ethnic groups (in particular Uighurs and Tibetans) and supporters of Taiwanese independence.
However, the researchers say this information should worry not only Chinese organizations but also Western businesses linked with China.
“Findings of this nature should be of concern to enterprise administrators and network defenders in every vertical, not just those who see themselves within a threat model for the established Chinese state threat groups. That’s because, as our analysis has shown, we assess that the Chinese threat groups are either sharing “Indicators of Compromise” or adopting the targets and tasking of other Chinese groups,” argue BlackBerry Cylance Threat Intelligence specialists.
As in medicine, defenders should make an effort to vaccinate themselves in the hope of preventing sickness, not just try to bar entry to everyone they know is sick.