China-Linked Spies Steal Information From Eastern European Countries to Influence Ukraine War
Beijing-backed cyberspies used specially crafted phishing emails and six different backdoors to break into and then steal confidential data from military and industrial groups, government agencies, and other public institutions.
We’re told the security shop’s industrial control systems (ICS) response team first detected a series of targeted attacks back in January.
Coordinated Attack By Gang TA428
That attack compromised more than a dozen organizations in several Eastern European countries, including Belarus, Russia, Ukraine, and Afghanistan.
The team said the attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of the systems used to manage security solutions.
Kaspersky attributed the attacks with a high degree of confidence to the Chinese cybercrime gang TA428, which has a history of targeting East Asian and Russian military and research institutes.
The ICS research team identified malware and command-and-control servers based in China.
They noted that this more recent series of attacks is highly likely an extension of an ongoing cyber-espionage campaign previously spotted by other researchers.
It also looks very similar to another campaign, dubbed Twisted Panda, carried out by Chinese cyberspies targeting Russian defense institutes.
Kaspersky says the rogues gained entry to the enterprise networks via phishing emails, some of which included organization-specific information that wasn’t publicly available.
This could indicate that the attackers did preparatory work in advance; they may have obtained the information in earlier attacks associated with the victim organization.
Presumably, because these specially-crafted attacks included confidential information about the victim organization, it was easier for the attackers to trick some employees into opening the email.
PortDoor Malware Used In Phishing Attacks
PortDoor is a relatively new backdoor believed to have been developed by Chinese state-sponsored groups; it was used in a 2021 phishing attack against a defense contractor that designs nuclear submarines for the Russian Federation’s Navy.
Kaspersky’s team identified a new version of PortDoor that establishes persistence, then collects information on the infected computer.
It could further be used to control the system remotely while installing additional malware.
In addition to PortDoor, the attackers used six other backdoors to control the infected systems and steal classified data.
After infecting an initial computer, the rogues moved laterally, using credentials snatched earlier in the attack to circulate malware across other devices on the company network.