"Sandman Cyberespionage Group Linked to China"

According to a new study conducted by researchers at SentinelOne, Microsoft, and PwC, the recently outed advanced persistent threat (APT) actor Sandman appears linked to China. Sandman mainly targets telecom providers in the Middle East, Europe, and South Asia, likely for cyberespionage purposes. The researchers were able to draw links between the observed Sandman APT attacks and the activity of STORM-0866/Red Dev 40, a suspected China-based threat actor known to be using the KeyPlug backdoor. KeyPlug was initially detailed in March 2022 after being used by the Chinese state-sponsored group APT41 in attacks against a US government entity. The malware was believed to be exclusive to APT41, but the researchers have since identified at least three other development clusters involving KeyPlug, including STORM-0866/Red Dev 40, suggesting that it is, in fact, shared among multiple Chinese threat actors. The security researchers were able to link the APTs through the use of digital certificates, IP addresses, cloud-based reverse proxy infrastructure, hosting providers, and domain naming conventions. A comparison between KeyPlug and LuaDream, a sophisticated modular backdoor used by Sandman, revealed the use of identical encryption keys, similar high-level execution flows, and direct overlaps in implementation, such as support for the same protocols for command-and-control (C&C) communication. The researchers stated that they believe there are strong overlaps in operational infrastructure, targeting, and TTPs associating the Sandman APT with China-based adversaries using the KeyPlug backdoor, STORM-0866/Red Dev 40 in particular.

SecurityWeek reports: "Sandman Cyberespionage Group Linked to China"

Submitted by Adam Ekwall on