"Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions"
Since January 2022, over a dozen military-industrial complex enterprises and public institutions in Afghanistan and Europe have been targeted to steal confidential data using six different backdoors. The attacks were attributed "with a high degree of confidence" to a China-linked threat actor known as TA428, citing overlaps in tactics, techniques, and procedures (TTPs). TA428, also known as Bronze Dudley, Temp.Hex, and Vicious Panda, has previously struck entities in Ukraine, Russia, Belarus, and Mongolia. It is thought to be linked to another hacking group, Mustang Panda, also known as Bronze President. The latest cyber espionage campaign targeted industrial plants, design bureaus, and research institutes, as well as government agencies, ministries, and departments in several Eastern European countries and Afghanistan. Penetration of enterprise IT networks is accomplished through the use of carefully crafted phishing emails, including some that reference non-public information about the organizations, to trick recipients into opening rogue Microsoft Word documents. These decoy files contain exploits for a 2017 memory corruption flaw in the Equation Editor component, which could allow arbitrary code to be executed in affected systems, eventually leading to the deployment of a backdoor known as PortDoor. In April 2021, Chinese state-sponsored hackers used PortDoor in spear-phishing attacks to break into the systems of a defense contractor that designs submarines for the Russian Navy. The use of six different implants is most likely an attempt by the threat actors to establish redundant channels for controlling infected hosts in the event that one of them is detected and removed from networks. This article continues to discuss TA428's targeting of military-industrial complex enterprises and public institutions in Afghanistan and Europe.
THN reports "Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions"