{"id":39535,"date":"2023-04-12T10:17:57","date_gmt":"2023-04-12T08:17:57","guid":{"rendered":"https:\/\/www.secuinfra.com\/?p=39535"},"modified":"2023-04-12T10:32:46","modified_gmt":"2023-04-12T08:32:46","slug":"beijing-calling-chinese-apts-are-targeting-european-governments-and-businesses","status":"publish","type":"post","link":"https:\/\/testing.secuinfra.com\/en\/news\/beijing-calling-chinese-apts-are-targeting-european-governments-and-businesses\/","title":{"rendered":"Beijing Calling: Chinese APTs are targeting European Governments and Businesses"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_83 counter-flat ez-toc-counter ez-toc-white ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">[inhalt_uebersetzt]<\/p>\n<span class=\"ez-toc-title-toggle\"><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/testing.secuinfra.com\/en\/news\/beijing-calling-chinese-apts-are-targeting-european-governments-and-businesses\/#APT27\" >APT27<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/testing.secuinfra.com\/en\/news\/beijing-calling-chinese-apts-are-targeting-european-governments-and-businesses\/#APT31\" >APT31<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/testing.secuinfra.com\/en\/news\/beijing-calling-chinese-apts-are-targeting-european-governments-and-businesses\/#APT15\" >APT15<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/testing.secuinfra.com\/en\/news\/beijing-calling-chinese-apts-are-targeting-european-governments-and-businesses\/#Mustang_Panda\" >Mustang Panda<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-5\" 
href=\"https:\/\/testing.secuinfra.com\/en\/news\/beijing-calling-chinese-apts-are-targeting-european-governments-and-businesses\/#Detection_and_Response_Measures\" >Detection and Response Measures<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/testing.secuinfra.com\/en\/news\/beijing-calling-chinese-apts-are-targeting-european-governments-and-businesses\/#Hashsums_for_the_mentioned_samples\" >Hashsums for the mentioned samples<\/a><\/li><\/ul><\/nav><\/div>\n<p>In a recent <a  href=\"https:\/\/cert.europa.eu\/files\/data\/TLP-CLEAR-JointPublication-23-01.pdf\"  target=\"_blank\" rel=\"noopener\" dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >TLP:CLEAR publication<\/a> the European Union Agency for Cybersecurity (ENISA) and CERT-EU warned about malicious activities against EU governments and businesses attributed to Chinese Advanced Persistent Threat (APT) groups. In contrast to other nation state-backed Threat Groups, e.g. from North Korea, which seek to profit financially from cyber attacks, Chinese Threat Actors are motivated to conduct political and industrial espionage and to establish long-term persistence. In this news bulletin we would like to inform you about the Chinese APT groups that are currently active and their respective tools and techniques.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"APT27\"><\/span>APT27<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>This Threat Group, sometimes also referred to as \u201cLucky Mouse\u201d, has been targeting foreign embassies and organizations to gather intelligence on political, defense and technology sectors for more than a decade. In addition to free\/open-source and system tooling they employ Malware associated with the China nexus, such as HyperBro and PlugX.<\/p>\n<p>Another custom piece from their toolkit is a backdoor called \u201cSysUpdate\u201d. 
<a  href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/c\/iron-tiger-sysupdate-adds-linux-targeting.html\"  target=\"_blank\" rel=\"noopener\" dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >TrendMicro<\/a> recently found that this previously Windows-only Malware is now also targeting Linux systems, as can be seen in Figure 1 below. SysUpdate\u2019s features include information retrieval (Screenshots, System information), and different Execution options (Process\/Service, File Manager, Remote Shell). A subset of samples also contains a feature to use Domain Resolution (DNS) traffic for its Command&amp;Control communications.<\/p>\n<figure id=\"attachment_39454\" aria-describedby=\"caption-attachment-39454\" style=\"width: 733px\" class=\"wp-caption aligncenter\"><img fetchpriority=\"high\" decoding=\"async\" class=\"wp-image-39454 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/apt27-sysupdate.png\" alt=\"\" width=\"733\" height=\"346\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/apt27-sysupdate.png 733w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/apt27-sysupdate-300x142.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/apt27-sysupdate-24x11.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/apt27-sysupdate-36x17.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/apt27-sysupdate-48x23.png 48w\" sizes=\"(max-width: 733px) 100vw, 733px\" \/><figcaption id=\"caption-attachment-39454\" class=\"wp-caption-text\">Figure 1: SysUpdate (Linux version) establishes persistence through systemd<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"APT31\"><\/span>APT31<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The activities of APT31 are, compared to other Chinese Threat Groups, more stealthy, less frequent and completely separate from other groups. 
They focus on exploitation of different software to gather political, economic and military intelligence. In 2021 researchers uncovered the so-called \u201cSoWaT\u201d backdoor, targeting Routers (MIPS architecture) in multiple western European countries. Figure 2 shows a screenshot of the analysis of the backdoor and contains a few hints on its functionality: manipulating router settings and receiving remote commands. The complexity of the Command&amp;Control traffic handling and encryption shows that this backdoor was designed for covert deployment. A thorough analysis of the backdoor was conducted by <a  href=\"https:\/\/imp0rtp3.wordpress.com\/2021\/11\/25\/sowat\/\"  target=\"_blank\" rel=\"noopener\" dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >imp0rtp3<\/a>.<\/p>\n<figure id=\"attachment_39456\" aria-describedby=\"caption-attachment-39456\" style=\"width: 1075px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-39456 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/apt31-sowat.png\" alt=\"\" width=\"1075\" height=\"432\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/apt31-sowat.png 1075w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/apt31-sowat-300x121.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/apt31-sowat-1024x412.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/apt31-sowat-768x309.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/apt31-sowat-24x10.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/apt31-sowat-36x14.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/apt31-sowat-48x19.png 48w\" sizes=\"(max-width: 1075px) 100vw, 1075px\" \/><figcaption id=\"caption-attachment-39456\" class=\"wp-caption-text\">Figure 2: SoWaT backdoor, string view gives hints to functionality<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"APT15\"><\/span>APT15<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In <a  href=\"https:\/\/unit42.paloaltonetworks.com\/playful-taurus\/\"  target=\"_blank\" rel=\"noopener\" dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >recent reporting done by Palo Alto Networks Unit42<\/a> the APT15 Advanced Persistent Threat group was specifically targeting Iranian government infrastructure with a custom Windows backdoor called \u201cTurian\u201d, which was first spotted in 2021 by <a  href=\"https:\/\/www.welivesecurity.com\/2021\/06\/10\/backdoordiplomacy-upgrading-quarian-turian\/\"  target=\"_blank\" rel=\"noopener\" dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >ESET<\/a>. APT15\u2019s tooling is comparable in sophistication with the other Threat groups in this article, but currently attributed campaigns show that their current focus is on countries in the Middle East, Africa and North\/South America.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Mustang_Panda\"><\/span>Mustang Panda<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Mustang Panda\u2019s activity dates back to at least 2017\/2018, when they were first targeting Mongolia for intelligence gathering purposes. The Threat group is known for a somewhat more overt approach to compromising political targets, with their preferred tool being malicious office documents or document lures combined with (file-less) Malware, as can be seen in Figure 3. 
Another tool of choice for them is customized versions of <a  href=\"https:\/\/www.welivesecurity.com\/2022\/03\/23\/mustang-panda-hodur-old-tricks-new-korplug-variant\/\"  target=\"_blank\" rel=\"noopener\" dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >PlugX\/Korplug<\/a>.<\/p>\n<figure id=\"attachment_39458\" aria-describedby=\"caption-attachment-39458\" style=\"width: 1223px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-39458 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/mustangpanda-lure.png\" alt=\"\" width=\"1223\" height=\"199\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-lure.png 1223w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-lure-300x49.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-lure-1024x167.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-lure-768x125.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-lure-24x4.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-lure-36x6.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-lure-48x8.png 48w\" sizes=\"(max-width: 1223px) 100vw, 1223px\" \/><figcaption id=\"caption-attachment-39458\" class=\"wp-caption-text\">Figure 3: Contents of a RAR archive distributed by Mustang Panda, containing document lures and Malware<\/figcaption><\/figure>\n<p>ESET recently discovered a new backdoor attributed to Mustang Panda which they named <a  href=\"https:\/\/www.welivesecurity.com\/2023\/03\/02\/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt\/\"  target=\"_blank\" rel=\"noopener\" dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >\u201cMQsTTang\u201d<\/a> after the MQTT network protocol used for its Command&amp;Control communication (see Figure 4).<\/p>\n<figure id=\"attachment_39460\" 
aria-describedby=\"caption-attachment-39460\" style=\"width: 1191px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-39460 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/mustangpanda-mqtt.png\" alt=\"\" width=\"1191\" height=\"454\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-mqtt.png 1191w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-mqtt-300x114.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-mqtt-1024x390.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-mqtt-768x293.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-mqtt-24x9.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-mqtt-36x14.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/mustangpanda-mqtt-48x18.png 48w\" sizes=\"(max-width: 1191px) 100vw, 1191px\" \/><figcaption id=\"caption-attachment-39460\" class=\"wp-caption-text\">Figure 4: MQsTTang backdoor communicating via the MQTT Protocol<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"Detection_and_Response_Measures\"><\/span>Detection and Response Measures<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>We second the measures proposed by CERT-EU and would like to highlight a few of them that will have a large impact on the security posture of organizations in the targeted sectors:<\/p>\n<ul>\n<li>Establish log collection and monitoring for security events on assets and networking equipment.<\/li>\n<li>Reinforce the protection of assets (clients, servers) through the use of an Endpoint Detection &amp; Response (EDR) solution and continuous monitoring.<\/li>\n<li>Manage vulnerabilities through a centralized system and keep up with patch cycles.<\/li>\n<li>Conduct regular assessments of your environment, either of an offensive (Pentests, Red-Teaming) or a defensive nature (Compromise Assessments).<\/li>\n<li>Prepare a thorough backup strategy and Incident Response plans and test them periodically.<\/li>\n<li>Create user awareness for possible malicious activity with e.g. Phishing simulations and targeted training.<\/li>\n<\/ul>\n<div class=\"fazit\">\n<h2><span class=\"ez-toc-section\" id=\"Hashsums_for_the_mentioned_samples\"><\/span>Hashsums for the mentioned samples<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>APT27 \u2013 SysUpdate<\/strong><\/p>\n<p>e9c6e9aba10b5e26e578efc6105727d74fbd3a02450fbda2b4ee052b3fbbaecb<\/p>\n<p><strong>APT31 \u2013 SoWaT<\/strong><\/p>\n<p>1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2<\/p>\n<p><strong>Mustang Panda<\/strong><\/p>\n<p>RAR &#8211; 447a62c7e29e2da85884b6e4aea80aca2cc5ba86694733ca397a2c8ba0f8e197<\/p>\n<p>MQsTTang backdoor &#8211; 4936b873cfe066ec5efce01ef8fb1605f8bc29a98408a13bc8fe4462b2f09c5a<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ENISA and CERT-EU warned about malicious activities against EU governments and businesses attributed to Chinese APTs.
<\/p>\n","protected":false},"author":6,"featured_media":39462,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[60],"tags":[],"dpc_coauthors":[],"class_list":["post-39535","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"acf":[],"_links":{"self":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/39535","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=39535"}],"version-history":[{"count":0,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/39535\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/39462"}],"wp:attachment":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=39535"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=39535"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=39535"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=39535"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}