Key Intelligence Signals:
Suspected Threat Actors: Budworm (APT27, LuckyMouse, Bronze Union, TG-3390, Emissary Panda, Group 35, ATK 15, Iron Tiger, Earth Smilodon, ZipToken)
After a gap of roughly six years, the China-linked Budworm APT group has recently been observed targeting a US-based entity alongside other international targets. Over the past six months, the espionage group has mounted strategic attacks on targets including the government of a Middle Eastern country, a multinational electronics manufacturer, and a U.S. state legislature.
The toolset used in these attacks includes exploitation of the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) to install web shells, with command-and-control infrastructure hosted at the Virtual Private Server (VPS) providers Vultr and Telstra. The group's primary payload was the HyperBro malware, typically deployed through DLL side-loading. Budworm also abused the legitimate endpoint privilege management software CyberArk Viewfinity, renaming its binary to securityhealthservice.exe, secu.exe, vfhost.exe, vxhost.exe, vx.exe, and v.exe so that it would pass for an innocuous file (SecurityHealthService.exe is also the name of a genuine Windows component, which makes the first of these names a deliberate impersonation).
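Two of the behaviours described above (a legitimate signed binary renamed to one of the listed filenames, and DLL side-loading by a signed host process) can be hunted for in endpoint telemetry by comparing the on-disk filename with the PE version resource and by looking at where a process loads its DLLs from. The following is an added example written for this page, not tooling from the report's authors: the event schema, the CompanyName and OriginalFilename strings, and the DLL names in the sample records are constructed placeholders, since the real version-resource values of the Viewfinity binary are not given on the page.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Filenames the renamed CyberArk Viewfinity binary was reported under.
MASQUERADE_NAMES = {
    "securityhealthservice.exe", "secu.exe", "vfhost.exe",
    "vxhost.exe", "vx.exe", "v.exe",
}
# Directories where a genuine Windows SecurityHealthService.exe lives.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ImageLoadEvent:
    """One process-start plus DLL-load record (constructed schema, not a real EDR format)."""
    process_path: str
    company_name: str        # CompanyName from the PE version resource
    original_filename: str   # OriginalFilename from the PE version resource
    process_signed: bool
    dll_path: str
    dll_signed: bool


def _dir_and_name(path: str) -> Tuple[str, str]:
    """Split a Windows path into (lower-cased directory with trailing backslash, lower-cased filename)."""
    p = path.lower()
    i = p.rfind("\\")
    return p[: i + 1], p[i + 1:]


def masquerade_reasons(ev: ImageLoadEvent) -> List[str]:
    """Reasons a process looks like a renamed legitimate binary; empty list if none."""
    d, name = _dir_and_name(ev.process_path)
    reasons: List[str] = []
    if name not in MASQUERADE_NAMES:
        return reasons
    # The version resource still carries the name the vendor compiled in.
    if ev.original_filename and ev.original_filename.lower() != name:
        reasons.append(f"on-disk name differs from OriginalFilename '{ev.original_filename}'")
    if "cyberark" in ev.company_name.lower():
        reasons.append("CyberArk-attributed binary running under an unexpected name")
    # The real SecurityHealthService.exe only runs from the system directories.
    if name == "securityhealthservice.exe" and not d.startswith(SYSTEM_DIRS):
        reasons.append("SecurityHealthService.exe outside the Windows system directories")
    return reasons


def sideload_reasons(ev: ImageLoadEvent) -> List[str]:
    """Flag a signed host loading an unsigned DLL from its own non-system directory."""
    exe_dir, _ = _dir_and_name(ev.process_path)
    dll_dir, dll_name = _dir_and_name(ev.dll_path)
    if (ev.process_signed and not ev.dll_signed
            and exe_dir == dll_dir and not exe_dir.startswith(SYSTEM_DIRS)):
        return [f"signed host loading unsigned {dll_name} from its own non-system directory"]
    return []


def hunt(events: List[ImageLoadEvent]) -> List[Tuple[str, List[str]]]:
    """Return (process_path, reasons) for every event that trips at least one heuristic."""
    hits = []
    for ev in events:
        reasons = masquerade_reasons(ev) + sideload_reasons(ev)
        if reasons:
            hits.append((ev.process_path, reasons))
    return hits


# Constructed sample telemetry: two suspicious records and two benign ones.
# Vendor strings and DLL names are placeholders, not values taken from the report.
SAMPLE_EVENTS = [
    ImageLoadEvent("C:\\ProgramData\\vfhost.exe", "CyberArk Software Ltd.", "vf_agent.exe",
                   True, "C:\\ProgramData\\vftrace.dll", False),
    ImageLoadEvent("C:\\Windows\\System32\\SecurityHealthService.exe", "Microsoft Corporation",
                   "SecurityHealthService.exe", True, "C:\\Windows\\System32\\ntdll.dll", True),
    ImageLoadEvent("C:\\Users\\Public\\securityhealthservice.exe", "CyberArk Software Ltd.",
                   "vf_agent.exe", True, "C:\\Users\\Public\\msvcr100.dll", False),
    ImageLoadEvent("C:\\Program Files\\Vendor\\app.exe", "Vendor Inc.", "app.exe",
                   True, "C:\\Program Files\\Vendor\\helper.dll", True),
]

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_EVENTS):
        print(path)
        for r in reasons:
            print("   -", r)
```

The filename list is the weakest signal on its own (v.exe or secu.exe could be anything), so the check only fires when the version resource, signer metadata or load path disagrees with the name. In a real deployment the same comparisons can be expressed against Sysmon event ID 1 (process creation, which records OriginalFileName and Company) and event ID 7 (image loaded, which records the DLL path and signature status).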
Other toolsets used by the attackers in this campaign include:
According to researchers, US organizations were a frequent target of Budworm six to eight years ago, but in recent years the group appeared to be largely focused on targets in Asia, the Middle East, and Europe.
The group is known for pursuing high-value targets and ambitious operations, and this is not the first time it has been linked to attacks against US organizations. A Cybersecurity and Infrastructure Security Agency (CISA) advisory detailed the activity of multiple APT groups that compromised a Defense Industrial Base (DIB) sector organization; according to that advisory, the HyperBro malware was used in the compromise of the DIB organization in late March 2021.
Jeremy Fleming, Director of the Government Communications Headquarters (GCHQ), the United Kingdom's main signals intelligence agency, gave a rare talk in which he warned about the threat posed by China's application of information technologies. Mr. Fleming focused on Chinese cyber espionage, noting that British intelligence agencies have observed a great deal of activity from their Chinese counterparts. The relationship between the two countries has become increasingly rocky, especially over the past two years, and Chinese behaviour in cyberspace has contributed to an increasingly hawkish stance in the UK government. While Mr. Fleming downplayed the role of Chinese support in Russia's war in Ukraine despite the proclaimed limitless partnership between Moscow and Beijing, the formal Chinese position has won Beijing few new friends in Europe, and relations between the EU, the UK and China are likely to deteriorate further in the coming months, with potential fallout in cyberspace.
Killnet, a privateering group that attacks governments and organizations at the behest of the Kremlin, has claimed responsibility on its Telegram channel for a recent wave of cyber-attacks on the government of Bulgaria. The group accused Bulgaria of betraying Russia by supporting the Ukrainian government in its struggle to defend the country from Russian aggression. The attack paralyzed the websites of the Defense Ministry, the Interior Ministry, the Justice Ministry, the Presidential Office, and the Constitutional Court.
In its ongoing campaigns against governments perceived as hostile to Russia's interests, Killnet has so far not moved into more sophisticated territory and has mostly confined itself to distributed denial-of-service (DDoS) operations and website defacements. This criminal enterprise, formerly known mainly for its botnet-for-hire operations, has only recently adopted a more nationalist stance, probably as a result of coercion by the Russian government. However, the group's criminal background and its newly found Kremlin support suggest that it could adapt quickly once it receives funds, personnel, and knowledge transfers from government agencies, and pose a more serious threat in the coming months.
Despite ongoing efforts by Russian hackers, the Ukrainian government has been able to keep its internet connectivity and electrical grid running. In response, the Russian military recently began a campaign of indiscriminate bombing of civilian infrastructure, causing large-scale blackouts along with internet and mobile communications disruptions. Internet connectivity dropped to 35% below normal levels and large areas were without power before the Ukrainian government was able to restore normal operation of the grid and telecommunication networks.
The FBI has been alerting state election officials as well as Democratic and Republican Party organizations that they are increasingly targeted by the Chinese intelligence services. According to the agency, Chinese APTs have been extensively scanning networks belonging to the political parties and to the state-level organizations that administer the election process. Given the potential impact on international relations, the FBI has not commented publicly in detail; researchers assume the activity is reconnaissance and potential target development.
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed Ohmiya Corporation (oomiya.co.jp), which deals in chemical materials for surface treatment, sewerage, semiconductor and display use, and also sells industrial machinery and electronic parts, being impacted by the LockBit ransomware group. The group claimed Ohmiya as one of its victims by posting an update on its dedicated leak site. It is suspected that a large amount of business-critical and sensitive data has been exfiltrated. The following screenshot was observed published on the dark web.