Skip links

China-linked spies used six backdoors to steal info from defense, industrial enterprise orgs

Beijing-backed cyberspies used specially crafted phishing emails and six different backdoors to break into and then steal confidential data from military and industrial groups, government agencies and other public institutions, according to Kaspersky researchers.

We’re told the security shop’s industrial control systems (ICS) response team initially detected a series of targeted attacks back in January that compromised more than a dozen of organizations in several Eastern European countries, including Belarus, Russia, and Ukraine, and Afghanistan. 

“The attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of systems used to manage security solutions,” the team wrote in a report published on Monday.

Kaspersky attributed the attacks “with a high degree of confidence” to Chinese cybercrime gang TA428, which has a history of targeting East Asian and Russian military and research institutes. 

The ICS research team identified malware and command-and-control servers based in China, and added that this more recent series of attacks is “highly likely” to be an extension of an ongoing cyberespionage campaign, previously spotted by other research teams.

They also sound very similar to another campaign, dubbed Twisted Panda, carried out by Chinese cyberspies and targeting Russian defense institutes, uncovered by Check Point Research in May.

According to Kaspersky, the miscreants gained access to the enterprise networks via phishing emails, some of which included organization-specific information that wasn’t publicly available.

“This could indicate that the attackers did preparatory work in advance (they may have obtained the information in earlier attacks on the same organization or its employees, or on other organizations or individuals associated with the victim organization),” the researchers explained. 

Presumably, because these specially-crafted attacks included confidential information about the victim org, it was easier for the attackers to trick some employees into opening the email — and a Microsoft Word document attached to it. The Word doc contained malicious code, which exploited the CVE-2017-11882 vulnerability to deploy PortDoor malware on the infected machine without any additional user activity. For example, the user didn’t need to enable macros, as is typical in these types of attacks.

PortDoor malware is a relatively new backdoor believed to be developed by Chinese state-sponsored groups that was also used in a 2021 phishing attack against a Russian-based defense contractor that designs nuclear submarines for the Russian Federation’s Navy. 

Kaspersky says its team IDed a new version of PortDoor that establishes persistence, then collects information on the infected computer, and can be used to control the system remotely while installing additional malware.

In addition to PortDoor, attackers used six other backdoors to control the infected systems and steal confidential data. Some of these (nccTrojan, Logtu, Cotx, and DNSep) have been previously attributed to TA428. However, a sixth backdoor, dubbed CotScam, is new, according to Kaspersky.  

After infecting an initial computer, the miscreants moved laterally, using credentials stolen earlier in the attack to spread malware across other devices on the enterprise network. And they used the Ladon hacking tool, which combines network scanning, vulnerability searching capabilities, exploitation, password attack, and other nefarious functionality for this lateral movement, we’re told.

Kaspersky points to this use of the Ladon utility, which is reportedly popular among Chinese cybercriminals, as another indicator that TA42 is behind these espionage efforts.

After gaining admin privileges to the infected machines, the criminals manually searched for and selected files to steal that contained sensitive data about the victim organization before uploading these files to servers hosted in different countries. These servers then forwarded the private information to a stage-two server in China.

“Given that the attackers have had some success, we believe it is highly likely that similar attacks will occur again in the future,” Kaspersky warned. “Industrial enterprises and public institutions should do a great deal of work to successfully thwart such attacks.” ®