Unit 42 researchers have unveiled a web of complex cyber-espionage attacks targeting a government in Southeast Asia. While initially thought to be the work of a single threat actor, the researchers discovered that the attacks were orchestrated by three separate and distinct clusters of threat actors.
These espionage operations, occurring simultaneously or nearly so, affected critical infrastructure, public healthcare institutions, public financial administrators and government ministries within the same country.
The research, published by Unit 42 researchers Lior Rochberger, Tom Fakterman and Robert Falcone last Friday, suggests that these activities were executed by advanced persistent threats (APTs) due to the sophisticated techniques employed and the continuous surveillance efforts directed at the victims.
The investigation led to the identification of three distinct clusters of activity, each attributed, with a different level of confidence, to a known APT group.
The first, CL-STA-0044, is linked with moderate-high confidence to the Stately Taurus group (aka Mustang Panda), which is believed to have affiliations with Chinese interests. Their primary objectives encompassed cyber-espionage, involving the collection of intelligence and the pilfering of sensitive documents, executed through the deployment of backdoors like ToneShell and ShadowPad, in addition to a suite of well-established hacking tools.
The second, CL-STA-0045, is attributed with moderate confidence to the Alloy Taurus APT group, which also operates on behalf of Chinese state interests. This cluster exhibited a penchant for long-term persistence, reconnaissance and various backdoors. Notably, they leveraged unconventional techniques and introduced innovative backdoors such as Zapoa and ReShell.
Finally, CL-STA-0046 is tentatively associated with the Gelsemium APT group, which is not currently attributed to a specific state. This cluster's focus lies in reconnaissance and maintaining access, with particular emphasis on exploiting vulnerable IIS (Internet Information Services) servers. To achieve their goals, the attackers introduced malware such as OwlProxy and SessionManager in conjunction with conventional hacking tools.
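Backdoors that target IIS servers, SessionManager among them, have been publicly described as malicious native IIS modules, which persist by being registered in the server's applicationHost.config. The following script is an added defensive example, not code from Unit 42 or from this article: it audits the `globalModules` section of an applicationHost.config and flags any module whose DLL loads from outside the directories where IIS's own modules live. The configuration excerpt and the trusted-directory list are constructed for the example; on a real server the list should be adjusted to the install and the flagged DLLs checked against file hashes and signatures.

```python
"""Audit an IIS applicationHost.config for native modules loading from
unexpected locations (added defensive example; sample config is constructed)."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample: two standard IIS modules plus two that load from
# locations a legitimate native module would not normally use.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="SessionHelper" image="C:\\Windows\\Temp\\sesshelper.dll" />
      <add name="IISLogging" image="C:\\inetpub\\wwwroot\\bin\\iislog.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directories from which IIS's own native modules normally load
# (assumption: extend for ASP.NET or vendor modules present on the server).
TRUSTED_DIRS = {
    r"%windir%\system32\inetsrv",
    r"c:\windows\system32\inetsrv",
    r"%windir%\microsoft.net\framework64\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
}


def list_global_modules(config_xml: str):
    """Return (name, image) pairs for every entry under <globalModules>."""
    root = ET.fromstring(config_xml)
    modules = []
    # iter() matches by tag name only, so the dotted <system.webServer>
    # element name needs no path expression.
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            modules.append((entry.get("name", ""), entry.get("image", "")))
    return modules


def find_suspicious_modules(config_xml: str):
    """Return modules whose DLL directory is not in TRUSTED_DIRS.

    Paths are lower-cased and compared by parent directory so that the
    %windir% form and the expanded C:\\Windows form are both recognised.
    """
    findings = []
    for name, image in list_global_modules(config_xml):
        parent = str(PureWindowsPath(image.lower()).parent)
        if parent not in TRUSTED_DIRS:
            findings.append((name, image))
    return findings


if __name__ == "__main__":
    for name, image in find_suspicious_modules(SAMPLE_CONFIG):
        print(f"REVIEW: native module '{name}' loads from {image}")
```

Run against the real file (typically `%windir%\System32\inetsrv\config\applicationHost.config`), a hit is a starting point for triage, not proof of compromise: confirm by checking the DLL's publisher signature, creation time and hash, and by comparing the module list with a known-good build of the same server role.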
The research findings have been shared with the Cyber Threat Alliance (CTA) to facilitate the rapid deployment of protections and the disruption of these malicious cyber actors.