According to a Trend Micro report, the Chinese cyber-espionage group Earth Lusca not only spies on strategic targets but also carries out financially motivated attacks for profit.
The researchers write that in recent years the group has been spying on a variety of targets that could be of interest to the Chinese government, for example:
- government agencies in Taiwan, Thailand, the Philippines, Vietnam, the UAE, Mongolia and Nigeria;
- educational institutions in Taiwan, Hong Kong, Japan and France;
- media in Taiwan, Hong Kong, Australia, Germany and France;
- pro-democracy and human rights political organizations and movements in Hong Kong;
- research organizations studying COVID-19 in the US;
- telecommunications companies in Nepal;
- religious movements banned in mainland China.
Interestingly, at the same time the group has also attacked gambling companies in China and various cryptocurrency platforms, stealing funds from them.
The Record notes that groups that carry out both financially motivated and espionage attacks are not a rarity. For example, Iranian hackers break into VPN devices around the world, keep the targets they consider important for intelligence collection, and sell the "surplus" access on dark web forums frequented by ransomware operators.
North Korean hackers are a category in their own right: some of them are clearly authorized by the state to rob banks and cryptocurrency exchanges to raise money for a country that has long been under severe economic sanctions.
As for China, similar behavior has previously been observed in other groups from the Middle Kingdom. For example, a FireEye report describes APT41 (aka Double Dragon), whose tactics are in many ways similar to Earth Lusca's.
Trend Micro reports that Earth Lusca mainly uses three initial-access methods in its campaigns:
- exploitation of unpatched vulnerabilities in Internet-facing servers and web applications (e.g. Oracle GlassFish and Microsoft Exchange);
- targeted phishing emails containing links to malicious files or websites;
- watering hole attacks, in which victims are lured to pre-compromised websites that then attempt to infect them with malware.
In most cases the attackers aimed to deploy Cobalt Strike on infected hosts; second-stage payloads include the Doraemon, ShadowPad, Winnti and FunnySwitch backdoors, as well as the AntSword and Behinder web shells.
The researchers also noted that the group often deploys cryptocurrency-mining malware on infected hosts. It remains unclear whether this is done for the sake of the mining itself or as a way to divert the attention of the victim's IT staff, who may conclude that the compromise is the work of an ordinary mining botnet rather than a sophisticated espionage operation.
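A practical corollary of the last two paragraphs: when a miner turns up on an Internet-facing server, sweep the webroot for the kind of web shells mentioned above before closing the ticket as "just a miner". The Python below is an added example written for this page; it is not Trend Micro's code and carries no indicator from their report. The regex rules, their weights, the recency bonus and the constructed sample files (a one-line eval shell in the AntSword/China Chopper style and a non-functional Behinder-style loader that AES-decrypts a request body and feeds it to defineClass) are all my assumptions.

```python
"""Heuristic web-shell sweep of a webroot (added example, not from the report).

Rules are generic traits of one-line PHP shells (eval/assert over a request
parameter, as AntSword / China Chopper drop) and of Java shells that decrypt the
request body and load it as a class (the Behinder shape).  Rule names, weights
and thresholds are my own guesses; tune them.  Hits are triage leads, not verdicts.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

# (name, regex, weight) -- assumed heuristics, not published IOCs.
RULES = [
    ("php_eval_of_request",
     re.compile(r"\b(?:eval|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I), 5),
    ("php_eval_of_decoded_blob",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I), 4),
    ("php_variable_function_from_request",
     re.compile(r"\$\w+\s*=\s*\$_(?:POST|GET|REQUEST)\s*\[[^\]]+\]\s*;\s*\$\w+\s*\(", re.I), 3),
    ("jsp_defineclass", re.compile(r"\bdefineClass\s*\(", re.I), 4),
    ("jsp_runtime_exec", re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(", re.I), 3),
    ("jsp_aes_cipher", re.compile(r"Cipher\.getInstance\s*\(\s*\"AES", re.I), 2),
    ("jsp_reads_raw_request_body", re.compile(r"request\.getReader\(\)", re.I), 2),
]
WEB_EXTENSIONS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx"}


@dataclass
class Finding:
    path: str
    score: int
    rules: List[str] = field(default_factory=list)
    modified_recently: bool = False


def scan_file(path: Path, recent_window_s: int = 7 * 24 * 3600,
              now: Optional[float] = None) -> Optional[Finding]:
    """Score one file; None when no rule matches."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return None
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    if not hits:
        return None
    score = sum(w for name, _, w in RULES if name in hits)
    now = time.time() if now is None else now
    recent = (now - path.stat().st_mtime) < recent_window_s
    if recent:       # a freshly written script in an old deployment is the interesting case
        score += 2
    return Finding(str(path), score, hits, recent)


def scan_webroot(root, threshold: int = 4, **kw) -> List[Finding]:
    """Walk a webroot and return findings at or above threshold, highest score first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in WEB_EXTENSIONS:
                continue
            f = scan_file(p, **kw)
            if f and f.score >= threshold:
                findings.append(f)
    return sorted(findings, key=lambda f: -f.score)


def build_sample_webroot() -> Path:
    """Constructed fixture (not real captures): two benign pages, an old
    maintenance page with one weak hit, and two planted shells written a minute ago."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    now = time.time()
    old = now - 90 * 24 * 3600
    files = {
        "index.php": ("<?php $q = $_GET['q'] ?? ''; echo htmlspecialchars($q); ?>", old),
        "static/help.jsp": ('<%@ page import="java.util.Date" %><html><%= new Date() %></html>', old),
        "admin/tools.jsp": ('<% Process p = Runtime.getRuntime().exec("uptime"); %>', old),
        # Planted one-liner in the AntSword / China Chopper style.
        "uploads/.cache.php": ("<?php @eval($_POST['ant']); ?>", now - 60),
        # Planted, deliberately non-functional Behinder-style loader sketch.
        "static/x.jsp": (
            '<%@page import="javax.crypto.*"%>'
            '<%!class U extends ClassLoader{U(ClassLoader c){super(c);}'
            'public Class g(byte[] b){return super.defineClass(b,0,b.length);}}%>'
            '<% Cipher c = Cipher.getInstance("AES"); '
            'byte[] body = java.util.Base64.getDecoder().decode(request.getReader().readLine()); '
            'new U(this.getClass().getClassLoader()).g(c.doFinal(body)).newInstance(); %>',
            now - 60),
    }
    for rel, (content, mtime) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.utime(p, (mtime, mtime))
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f"{f.score:3d}  recent={f.modified_recently}  {f.path}  {','.join(f.rules)}")
```

Point it at the real webroot (`scan_webroot("/var/www")`) on any host where a miner was found; confirm each hit by reading the file and checking the web server access log for POST requests to that path. The old `tools.jsp` with a single `exec` scores below the threshold on purpose: age and a lone weak rule should not drown the two freshly dropped files.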
As a reminder, I have previously written that the Chinese hacking group Aquatic Panda exploits Log4Shell to attack educational institutions, and that the Chinese hacking group Chimera steals data on air passengers.