Hackers target military and government networks for various reasons, primarily related to espionage and interference in critical infrastructure. These networks hold sensitive data and command systems that, if tampered with, could pose a significant threat to national security by collecting intelligence information or gaining an advantage in times of conflict.
Bitdefender Labs recently conducted an investigation into a series of cyber-attacks on prominent organizations in countries in the South China Sea region, uncovering a previously unknown threat actor believed to be acting on behalf of China. The analysis, which spanned several years and covered at least eight military and government targets since 2018, revealed the use of a range of methods and tools, including successive Gh0st RAT iterations and .NET payloads, amounting to a cyber espionage toolkit of sorts.
One of the most alarming findings was that the attackers were able to repeatedly infiltrate systems by exploiting weak passwords or credentials that were never rotated. Despite extensive analysis of the artifacts left behind, researchers were unable to attribute the activities, spanning over five years, to any known state actor. This led to the identification of the threat actor as “Unfading Sea Haze,” a previously undiscovered group focused on targets in the South China Sea region, with potential ties to China suggested by the use of Gh0st RAT variants and techniques associated with Chinese cyber actors.
The attackers, known as Unfading Sea Haze, utilized spear-phishing emails containing malicious ZIP archives with LNK files posing as documents to regain access to compromised systems. They also employed techniques such as the SerialPktdoor backdoor payload and fileless attacks triggered by MSBuild.exe, which executed code loaded entirely from remote SMB servers without leaving traces on victims’ disks. By leveraging legitimate tools like MSBuild, the threat actors were able to evade detection and maintain persistence on compromised systems through scheduled tasks whose names mimicked legitimate executable file names.
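One way a defender can turn the two behaviours described above (MSBuild.exe loading a project file from a remote SMB share, and scheduled tasks named after executables) into detection logic, as an added example that is not from the Bitdefender report. The events are constructed and use simplified Sysmon Event ID 1 and Security Event ID 4698 style fields; hosts, shares and task names are made up.

```python
import re
from typing import Dict, List

# Constructed sample events (simplified Sysmon process-creation and
# Security scheduled-task-creation records). Nothing here is real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe \\10.0.0.5\share\update.proj",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
    {"EventID": 4698,
     "TaskName": r"\Microsoft\Windows\svchost.exe",
     "TaskContent": "<Exec><Command>C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe</Command></Exec>"},
    {"EventID": 4698,
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": "<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"},
]

# A UNC path: two backslashes, a host, one backslash, a share name.
UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\[^\\\s"]+')
# Task names that end like a program file rather than a descriptive job name.
EXE_LIKE_TASK = re.compile(r"\.(exe|dll|bat|ps1)$", re.IGNORECASE)


def check_msbuild_remote_project(ev: Dict) -> bool:
    """Flag MSBuild.exe when its command line references a UNC (SMB) path."""
    if ev.get("EventID") != 1:
        return False
    image_name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image_name != "msbuild.exe":
        return False
    return bool(UNC_PATH.search(ev.get("CommandLine", "")))


def check_task_mimics_binary(ev: Dict) -> bool:
    """Flag newly registered scheduled tasks whose leaf name looks like a binary."""
    if ev.get("EventID") != 4698:
        return False
    leaf = ev.get("TaskName", "").rsplit("\\", 1)[-1]
    return bool(EXE_LIKE_TASK.search(leaf))


def scan(events: List[Dict]) -> List[str]:
    """Run both checks over a batch of events and return human-readable findings."""
    findings = []
    for ev in events:
        if check_msbuild_remote_project(ev):
            findings.append("MSBuild remote project: " + ev["CommandLine"])
        if check_task_mimics_binary(ev):
            findings.append("Task name mimics executable: " + ev["TaskName"])
    return findings
```

Running `scan(SAMPLE_EVENTS)` reports the UNC-path MSBuild launch and the task named `svchost.exe`, while the local .csproj build and the genuine Defrag task pass; the MSBuild rule is intentionally narrow, so pair it with a parent-process check for developer workstations where remote builds are expected.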
Over the years, the attackers evolved their tactics from early Gh0st RAT versions such as SilentGh0st and InsidiousGh0st to more sophisticated forms such as FluffyGh0st, focusing on stealing data from browsers and messaging apps and on monitoring USB and WPD devices. They also changed their exfiltration methods, moving from the custom DustyExfilTool to curl over TLS and later to FTP with regularly rotated credentials, indicating an evolution in their operational security posture to avoid detection.
The investigation highlighted the advanced nature of the threat actor and the need for further research to uncover their motives and potential ties to China. It also emphasized the importance of implementing strong cybersecurity measures to protect military and government networks from such sophisticated attacks. Recommendations include vulnerability management, strong authentication, network segmentation, multilayered defense, network traffic monitoring, effective logging, detection and response capabilities, collaboration and information sharing, and leveraging advanced threat intelligence to stay ahead of evolving threats.
In conclusion, the targeting of military and government networks by hackers for espionage purposes poses a significant risk to national security. It is essential for organizations to remain vigilant, implement robust cybersecurity measures, and collaborate with industry partners and government agencies to defend against such threats effectively.