The distinct groups of activities formed three different clusters, each attributed to a specific APT group.

A series of attacks targeting a Southeast Asian government has been found to be carried out by distinct threat actors affiliated with Chinese interests, according to Unit 42, the Palo Alto Networks research arm closely studying the attacks. Initially thought to be the work of a single threat actor, the attacks are now said to have been carried out by three separate threat actors, with activities grouped into different clusters that sometimes overlapped in time.

The operation was found to be nation-state cyberespionage, in which multiple critical government entities of one country were compromised. Unit 42 did not disclose the name of the Southeast Asian country targeted by the attacks.

"The techniques and tools observed during the attacks, along with the persistent long-term surveillance efforts made by the different attackers, suggest the work of advanced persistent threats (APTs)," Unit 42 said in a blog post. "In our analysis, we were able to attribute the three clusters to known APT groups with different levels of confidence."

The APT groups attributed in the post are Stately Taurus (aka Mustang Panda), Alloy Taurus (aka GALLIUM), and Gelsemium.

Chinese APTs stole credentials

Both Stately Taurus and Alloy Taurus are believed to be APT groups operating on behalf of Chinese state interests. In this case, they are believed to have backdoored victim systems to gain entry and then used that access for reconnaissance, credential theft, and persistence.

"With moderate-high confidence, we conclude that (one cluster of) activity is linked to the Chinese cyberespionage group Stately Taurus," Unit 42 said. "This attribution is underpinned by the utilization of distinctive, rare tools such as the ToneShell backdoor that have not been publicly documented in association with any other known threat actor."
Additionally, the blog attributed Alloy Taurus "with a moderate level of confidence" for another cluster of multiwave intrusions that exploited vulnerabilities in Exchange servers to deploy a large number of web shells.

The APTs conducted reconnaissance on the breached networks using tools including the Chinese open source scanning framework LadonGo, the NetBIOS scanner NBTScan, the Active Directory query tool ADFind, and the Impacket toolkit. For credential theft they used the dumping tools Hdump and Mimikatz and performed DCSync, a technique that abuses the directory replication protocol to request account password hashes from a domain controller as though the attacker were another domain controller.

After the initial infection, the state actors installed additional tools and malware to maintain a foothold in the environment and establish persistence. These included the Cobalt Strike beacon (a commercial penetration-testing framework) and the Quasar remote access Trojan (RAT). For tunneling traffic out of the network they used PuTTY Link (plink) to build SSH tunnels and HTran, a connection-bouncing tool that relays TCP traffic between hosts.

Rare Backdooring by Gelsemium APT

With a "moderate level of confidence," Unit 42 attributed a third cluster to the Gelsemium group, which is not linked to any specific state and which used a rare combination of tools.

"This assessment is based on the unique combination of malware that attackers used, namely the SessionManager IIS backdoor and OwlProxy," Unit 42 said. "The cluster featured a combination of rare tools and techniques that the threat actor leveraged to gain a clandestine foothold and collect intelligence from sensitive servers belonging to a government entity in Southeast Asia."

Threat actors responsible for the attacks in this cluster gained initial access to the environment by installing several web shells on a compromised web server, Unit 42 said. These web shells included reGeorg, China Chopper, and AspxSpy. Previous research confirms that the Gelsemium threat group has targeted the government sector in Southeast Asia in the past, Unit 42 added.
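As an added example (not code from the article or from Unit 42), the following Python hunt runs over a handful of constructed Windows event records for two of the TTPs described above: DCSync-style credential theft, which shows up as a Security event 4662 in which a non-domain-controller account requests the directory replication control access rights on the domain object, and web shells, which show up as the IIS worker process w3wp.exe spawning a command interpreter. The flattened key=value record format, the account names, the hostnames and the file paths are assumptions made for the example; a real rule would parse the event XML or JSON from the SIEM and replace the crude machine-account check with a named allow-list of domain controllers and directory-sync accounts.

```python
import re
from typing import Dict, List, Tuple

# Control access right GUIDs that a DCSync run requests on the naming context.
# They appear in the Properties field of Security event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Interpreters a web shell typically launches from the IIS worker process.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed sample records (not real telemetry), flattened to key=value pairs.
# EventID 4662 is a Security log object-access event; EventID 1 is a Sysmon process creation.
SAMPLE_EVENTS = [
    # Legitimate replication by a domain controller's machine account.
    "EventID=4662 SubjectUserName=DC01$ ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # A user account requesting replication rights: the DCSync pattern.
    "EventID=4662 SubjectUserName=jsmith ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Same user touching an unrelated object with some other GUID: no replication right requested.
    "EventID=4662 SubjectUserName=jsmith ObjectType=user "
    "Properties={bf967a86-0de6-11d0-a285-00aa003049e2}",
    # IIS worker spawning cmd.exe: consistent with a web shell on an Exchange/IIS host.
    "EventID=1 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe "
    "Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
    # IIS worker spawning an IIS management tool: not an interpreter, no alert.
    "EventID=1 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe "
    "Image=C:\\Windows\\System32\\inetsrv\\appcmd.exe CommandLine=appcmd.exe list sites",
    # Interactive user launching cmd.exe from Explorer: benign.
    "EventID=1 ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
]

# key=value pairs; a value runs until the next " key=" or end of line,
# so values such as CommandLine may contain spaces.
_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
_GUID = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value record into a dict."""
    return {key: value for key, value in _KV.findall(line)}


def is_dcsync(ev: Dict[str, str]) -> bool:
    """4662 requesting a replication right by an account that is not a machine account.

    Domain controllers (and directory-sync service accounts) request these rights
    legitimately; the '$' suffix check stands in for a proper allow-list.
    """
    if ev.get("EventID") != "4662":
        return False
    if ev.get("SubjectUserName", "").endswith("$"):
        return False
    requested = {g.lower() for g in _GUID.findall(ev.get("Properties", ""))}
    return bool(requested & REPLICATION_RIGHTS)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_webshell_child(ev: Dict[str, str]) -> bool:
    """Sysmon process creation where the IIS worker process spawns an interpreter."""
    if ev.get("EventID") != "1":
        return False
    return _basename(ev.get("ParentImage", "")) == "w3wp.exe" and \
        _basename(ev.get("Image", "")) in SHELL_CHILDREN


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) hits for every record matching one of the two hunts."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if is_dcsync(ev):
            hits.append(("dcsync", ev["SubjectUserName"]))
        elif is_webshell_child(ev):
            hits.append(("webshell_child", _basename(ev["Image"])))
    return hits


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Running the block on the constructed records flags only the user account requesting replication rights and the cmd.exe launched by w3wp.exe; the domain controller's own replication and the appcmd.exe child are left alone. The DCSync rule depends on auditing "Directory Service Access" being enabled on domain controllers, since 4662 is not logged otherwise, and the web shell rule needs Sysmon or equivalent process creation telemetry on the Exchange hosts.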